Yes, I did precisely this. This is how I generated my key:
ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico
Does the verify-required in this case only function if you're using resident
keys? I guess that would make sense but this assumes the user is using ssh-add
-K. Basically I don't want a user to be able to gain access unless they verify
with a fingerprint from the security key. No other options should be available
to get around verifying with a valid fingerprint from the sk. If someone loses a
key and it's found, I want it to be useless unless someone chops off my finger.
Thanks!
-jeremy
> On Sunday, Oct 10, 2021 at 8:18 PM, Damien Miller <djm at mindrot.org> wrote:
> On Sun, 10 Oct 2021, Jeremy Hansen wrote:
>
> > I'm evaluating the new Yubikey Bio keys and there's some issues I
> > don't quite understand regarding presence touch and actual finger
> > print verification.
> >
> > If I load the resident key (i.e. ssh-add -K), things seem to work
> > as expected and the wrong finger print results in dropping down to
> > another authentication method.
> >
> > If I don't use ssh-add -K, then it seems ssh only verifies presence.
> > I basically want to enforce proper fingerprint recognition always. Is
> > there a way to do this?
>
> Yes, you need to specify -Overify-required on the ssh-keygen command-
> line when generating the key.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
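As an added example (my own script, not code from this thread or from the OpenSSH project): the "useless without a fingerprint" goal above can also be enforced on the server rather than trusting how the key was generated, because OpenSSH 8.4 and later (assumed here) accept a "verify-required" option in authorized_keys and "PubkeyAuthOptions verify-required" in sshd_config, and reject security-key signatures made without user verification. The script below audits an authorized_keys file for security-key entries that lack that option; the sample file and its key blobs are constructed placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Audit authorized_keys for FIDO/security-key entries missing "verify-required".
# Assumption: OpenSSH 8.4+, where that option makes sshd refuse presence-only
# (touch but no fingerprint/PIN) assertions from sk-* keys.
set -u

SK_TYPES='sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com'

# Print every sk-* entry lacking verify-required; return 1 if any were found.
audit_sk_keys() {                       # $1 = path to an authorized_keys file
    local line opts rest comment missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac          # skip blanks/comments
        # Split at the key-type token: text before it is the options list,
        # text after it is "<base64 blob> [comment]".
        if [[ "$line" =~ ^(.*[[:space:]])?($SK_TYPES)[[:space:]]+(.*)$ ]]; then
            opts="${BASH_REMATCH[1]}"
            rest="${BASH_REMATCH[3]}"
            comment="${rest#* }"
            [ "$comment" = "$rest" ] && comment='(no comment)'
            # verify-required must be a whole, comma-separated option, not a
            # substring of something else (spaces are stripped before matching).
            if [[ ! ",${opts// /}," =~ ,verify-required, ]]; then
                printf 'MISSING verify-required: %s\n' "$comment"
                missing=1
            fi
        fi
    done < "$1"
    return "$missing"
}

# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed sample authorized_keys
verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 yubikey-bio
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 laptop-touch-only
command="/usr/bin/backup",no-pty sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER3 backup-key
ssh-ed25519 AAAAPLACEHOLDER4 not-a-security-key
EOF

# Expected: laptop-touch-only and backup-key are reported; the other two are not.
audit_sk_keys "$SAMPLE" || echo "sshd would accept presence-only assertions for the entries above"
```

Run it against /etc/ssh or a user's ~/.ssh/authorized_keys after key rollout; setting "PubkeyAuthOptions verify-required" in sshd_config enforces the same requirement globally without per-line options.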