ssh-keygen(1) FIDO authentication supports fingerprints
On Wed, Nov 27, 2024 at 09:40:12PM +1100, Damien Miller wrote:
> On Tue, 26 Nov 2024, Jason McIntyre wrote:
>
> > On Mon, Nov 25, 2024 at 05:19:19PM -0700, Zack Newman wrote:
> > > Currently ssh-keygen(1) states "PIN authentication is the only
> > > supported verification method"; however that is no longer true as I am
> > > able to use my fingerprint when using a YubiKey Bio. Not sure what
> > > would be the best way to "fix" this. I'm leaning towards just removing
> > > that sentence entirely; however adding "biometric"/"fingerprint" works
> > > too.
> > >
> > > [zack@laptop ~]$ diff ssh-keygen.1 ssh-keygen.1.new
> > > 1133,1134d1132
> > > < Currently PIN authentication is the only supported verification method,
> > > < but other methods may be supported in the future.
> > >
> >
> > hi!
> >
> > maybe someone who knows this stuff better can verify this:
> >
> > normally, you can just touch the key and it works. but with
> > verify-required you have to enter a pin too.
> >
> > with the bio version, isn't it that it isn't just a touch but the
> > actual fingerprint is read? and that you still then need a pin (if
> > you've set verify-required)?
>
> some FIDO tokens now support biometrics (they didn't when that text was
> originally written) as an alternate way of verifying the user to PIN.
>
> I think something like this would be fine:
>
> diff --git a/ssh-keygen.1 b/ssh-keygen.1
> index 06f0555..c44a5ea 100644
> --- a/ssh-keygen.1
> +++ b/ssh-keygen.1
> @@ -1041,13 +1041,11 @@ format.
>  .Pp
>  .It Ic verify-required
>  Require signatures made using this key indicate that the user was first
> -verified.
> +verified, e.g. by PIN or on-token biometrics.
>  This option only makes sense for the FIDO authenticator algorithms
>  .Cm ecdsa-sk
>  and
>  .Cm ed25519-sk .
> -Currently PIN authentication is the only supported verification method,
> -but other methods may be supported in the future.
>  .El
>  .Pp
>  At present, no standard options are valid for host keys.
>
>

thanks, i think that's fine (ok).
jmc
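Review bot: the new `+verified, e.g. by PIN or on-token biometrics.` line answers the question raised upthread (whether a biometric token still needs a PIN once verify-required is set) only by implication; consider stating it outright, since the point of the change is that biometrics are an alternative to the PIN rather than an addition to it, e.g. `verified, by PIN or by on-token biometrics, depending on the authenticator.` Dropping the two `-Currently PIN ...` / `-but other methods ...` lines is right, as the old sentence was the inaccurate one; the hunk header's 13/11 line counts match the lines shown, so the diff applies cleanly as quoted.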