On Tue, 26 Nov 2024, Jason McIntyre wrote:

> On Mon, Nov 25, 2024 at 05:19:19PM -0700, Zack Newman wrote:
> > Currently ssh-keygen(1) states "PIN authentication is the only
> > supported verification method"; however that is no longer true as I am
> > able to use my fingerprint when using a YubiKey Bio. Not sure what
> > would be the best way to "fix" this. I'm leaning towards just removing
> > that sentence entirely; however adding "biometric"/"fingerprint" works
> > too.
> > 
> > [zack@laptop ~]$ diff ssh-keygen.1 ssh-keygen.1.new
> > 1133,1134d1132
> > < Currently PIN authentication is the only supported verification method,
> > < but other methods may be supported in the future.
> > 
> 
> hi!
> 
> maybe someone who knows this stuff better can verify this:
> 
> normally, you can just touch the key and it works. but with
> verify-required you have to enter a pin too.
> 
> with the bio version, isn;t it that it isn;t just a touch but the
> actual fingerprint is read? and that you still then need a pin (if
> you've set verify-required)?

some FIDO tokens now support biometrics (they didn't when that text was
originally written) as an alternate way of verifying the user to PIN.

I think something like this would be fine:

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 06f0555..c44a5ea 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1041,13 +1041,11 @@ format.
 .Pp
 .It Ic verify-required
 Require signatures made using this key indicate that the user was first
-verified.
+verified, e.g. by PIN or on-token biometrics.
 This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
-Currently PIN authentication is the only supported verification method,
-but other methods may be supported in the future.
 .El
 .Pp
 At present, no standard options are valid for host keys.