author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 03:06:18 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 03:28:36 +0200 |
commit | 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (patch) | |
tree | d4523956d4623b19bf5904d1b92afeb2307f69d3 /ssh-keygen.1 | |
parent | upstream: ssh-keyscan(1): simplify conloop() with timercmp(3), (diff) | |
download | openssh-9b8ad93824c682ce841f53f3b5762cef4e7cc4dc.tar.xz openssh-9b8ad93824c682ce841f53f3b5762cef4e7cc4dc.zip |
upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
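The policy the new option expresses is checked on the verifying side, not on the token: a signature produced by an sk key carries a flags byte, and the verifier decides whether the bits it finds there satisfy the options attached to the key or certificate. The following Python is an added illustration of that check and is not OpenSSH code. It assumes the sk signature trailer layout documented in OpenSSH's PROTOCOL.u2f (string type, string signature, byte flags, uint32 counter) and the FIDO2 authenticator-data bit values for user presence (0x01) and user verification (0x04), which are the values sk-api.h uses; the sample blobs are constructed inline with a dummy signature body. It models both `no-touch-required` and `verify-required` so the two options can be seen side by side, which goes slightly beyond the commit, which only adds the latter.

```python
import struct

# Flag bits in the trailer of an sk-* signature. The values are the FIDO2
# authenticator-data flags (UP = 0x01, UV = 0x04), which OpenSSH's sk-api.h
# uses for SSH_SK_USER_PRESENCE_REQD / SSH_SK_USER_VERIFICATION_REQD.
# Treated as an assumption of this example.
SK_USER_PRESENCE = 0x01
SK_USER_VERIFIED = 0x04

# Signature type names for the two FIDO key algorithms named in the manual page.
SK_SIG_TYPES = ("sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com")


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_sk_signature(blob):
    """Split an sk-* signature blob into its fields.

    Layout assumed from OpenSSH's PROTOCOL.u2f: string type, string signature,
    byte flags, uint32 counter. Trailing garbage is rejected.
    """
    sigtype, off = _read_string(blob, 0)
    sigtype = sigtype.decode("ascii")
    if sigtype not in SK_SIG_TYPES:
        raise ValueError("not an sk signature type: %r" % sigtype)
    sig, off = _read_string(blob, off)
    if off + 5 != len(blob):
        raise ValueError("bad sk signature trailer length")
    flags, counter = struct.unpack(">BI", blob[off:off + 5])
    return {"type": sigtype, "sig": sig, "flags": flags, "counter": counter}


def build_sk_signature(sigtype, sig, flags, counter):
    """Construct a blob in the same layout; used here only to make sample input."""
    t = sigtype.encode("ascii")
    return (struct.pack(">I", len(t)) + t
            + struct.pack(">I", len(sig)) + sig
            + struct.pack(">BI", flags, counter))


def check_sk_policy(blob, options):
    """Apply certificate/authorized_keys options to one sk signature.

    options is the set of option keywords in force for the key, for example
    {"verify-required"} or {"no-touch-required"}. Returns (accepted, reason).
    Policy as the manual page describes it: user presence is required unless
    no-touch-required is set; user verification is required only when
    verify-required is set.
    """
    parsed = parse_sk_signature(blob)
    flags = parsed["flags"]
    if "no-touch-required" not in options and not (flags & SK_USER_PRESENCE):
        return False, "signature lacks user-presence flag"
    if "verify-required" in options and not (flags & SK_USER_VERIFIED):
        return False, "verify-required set but signature lacks user-verification flag"
    return True, "ok (flags=0x%02x, counter=%d)" % (flags, parsed["counter"])


if __name__ == "__main__":
    # Constructed sample: a 64-byte all-zero body standing in for an ed25519 signature.
    body = bytes(64)
    for flags, opts in [(0x01, set()),
                        (0x01, {"verify-required"}),
                        (0x05, {"verify-required"}),
                        (0x04, set()),
                        (0x04, {"no-touch-required"})]:
        blob = build_sk_signature("sk-ssh-ed25519@openssh.com", body, flags, 7)
        print("flags=0x%02x options=%s -> %s" % (flags, sorted(opts), check_sk_policy(blob, opts)))
```

Note that a PIN-gated key (the `-O verify-required` generation option) and a `verify-required` certificate option are complementary: the first makes the token refuse to sign without verification, the second makes the verifier refuse a signature that does not claim it. Either alone leaves one side trusting the other.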
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9198a511f..7e0558fe1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.205 2020/07/15 07:50:46 solene Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 15 2020 $ +.Dd $Mdocdate: August 27 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -511,6 +511,12 @@ A username to be associated with a resident key, overriding the empty default username. Specifying a username may be useful when generating multiple resident keys for the same application name. +.It Cm verify-required +Indicate that this private key should require user verification for +each signature. +Not all FIDO tokens support support this option. +Currently PIN authentication is the only supported verification method, +but other methods may be supported in the future. .It Cm write-attestation Ns = Ns Ar path May be used at key generation time to record the attestation certificate returned from FIDO tokens during key generation. @@ -961,7 +967,7 @@ by Allows X11 forwarding. .Pp .It Ic no-touch-required -Do not require signatures made using this key require demonstration +Do not require signatures made using this key include demonstration of user presence (e.g. by having the user touch the authenticator). This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk 
@@ -974,6 +980,16 @@ The .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR format. +.Pp +.It Ic verify-required +Require signatures made using this key indicate that the user was first +verified. +This option only makes sense for the FIDO authenticator algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . +Currently PIN authentication is the only supported verification method, +but other methods may be supported in the future. .El .Pp At present, no standard options are valid for host keys. |
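Review bot: doubled word in the new `verify-required` entry of the `-O` options hunk (@@ -511,6 +511,12 @@): "Not all FIDO tokens support support this option." should read "Not all FIDO tokens support this option." While touching that sentence, it would help to say what ssh-keygen does when the token lacks user verification (refuse to generate the key, or generate one without the property), since the text as written leaves that open.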
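Review bot: the new certificate option paragraph in the last hunk (@@ -974,6 +980,16 @@) repeats verbatim the sentence "Currently PIN authentication is the only supported verification method, but other methods may be supported in the future." from the `-O verify-required` entry; stating it once and cross-referencing the other entry would keep the two from drifting. The paragraph also does not say whether `verify-required` may be combined with `no-touch-required` on the same certificate, or whether a verified signature is still expected to carry user presence; a sentence either way would save readers a trip to the source.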