Mailing List Archive

OpenSSH not requesting PIN code for YubiKey
I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
works. However, it does not do PIN enforcement at SSH login. It only
requests the PIN during the set-up process (when the key is being
generated). Is that the way it's supposed to work?

Frank
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH not requesting PIN code for YubiKey
You did not say what method you are using.
https://developers.yubico.com/SSH/
lists 4 different ways to use the YubiKey: PIV, PGP, FIDO U2F and OTP.

In PIV section:
https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
It says:
"If you have followed these steps to the letter, you will not be asked
for the PIV PIN, but your YubiKey will start blinking, waiting for touch."
Note the "--pin-policy=never --touch-policy=always"


On 7/10/2020 3:38 PM, Frank Sharkey wrote:
> I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> works. However, it does not do PIN enforcement at SSH login. It only
> requests the PIN during the set-up process (when the key is being
> generated). Is that the way it's supposed to work?
>
> Frank

--

Douglas E. Engert <DEEngert@gmail.com>

Re: OpenSSH not requesting PIN code for YubiKey
On Fri, 10 Jul 2020, Frank Sharkey wrote:

> I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> works. However, it does not do PIN enforcement at SSH login. It only
> requests the PIN during the set-up process (when the key is being
> generated). Is that the way it's supposed to work?

Assuming you are using this device as a FIDO token (and not PKCS#11),
this is expected. OpenSSH doesn't yet support requiring PINs for keys
except for a couple of corner cases (e.g. resident keys).

I hope to add this before OpenSSH 8.4.

-d
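A way to check what a given FIDO (sk) key actually requires, as an added example that is not part of this thread or of OpenSSH's own code: it parses an unencrypted `sk-ssh-ed25519@openssh.com` private key file and reads the flags byte ssh-keygen stores next to the key handle. The flag values are assumed from OpenSSH's sk-api.h, and `build_sample_sk_key` only constructs a dummy fixture for exercising the parser.

```python
import base64, struct

# Flag bits as defined in OpenSSH's sk-api.h (assumed; values as of OpenSSH 8.2).
SK_USER_PRESENCE_REQD = 0x01      # token must be touched
SK_USER_VERIFICATION_REQD = 0x04  # PIN (user verification) must be entered
SK_RESIDENT_KEY = 0x20            # key handle is stored on the token
MAGIC = b"openssh-key-v1\x00"
PEM_HDR, PEM_FTR = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def _take(buf, off):
    """Read one SSH 'string' (uint32 big-endian length prefix) at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def sk_key_flags(pem_text):
    """Report the FIDO flags recorded in an unencrypted sk-ssh-ed25519 private key file."""
    raw = base64.b64decode("".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----")))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    off = len(MAGIC)
    cipher, off = _take(raw, off)
    if cipher != b"none":
        raise ValueError("key is passphrase-protected; remove the passphrase first")
    for _ in range(2):                       # kdfname, kdfoptions
        _, off = _take(raw, off)
    off += 4                                 # number of keys (uint32)
    _, off = _take(raw, off)                 # public key blob
    priv, _ = _take(raw, off)                # private section (unencrypted)
    p = 8                                    # skip the two checkint values
    ktype, p = _take(priv, p)
    if ktype != b"sk-ssh-ed25519@openssh.com":
        raise ValueError("not an sk-ssh-ed25519 key: %r" % ktype)
    _, p = _take(priv, p)                    # ed25519 public key
    app, p = _take(priv, p)                  # application, e.g. b"ssh:"
    flags = priv[p]                          # uint8 flags; key_handle follows
    return {"application": app.decode(),
            "touch_required": bool(flags & SK_USER_PRESENCE_REQD),
            "pin_required": bool(flags & SK_USER_VERIFICATION_REQD),
            "resident": bool(flags & SK_RESIDENT_KEY)}

_s = lambda b: struct.pack(">I", len(b)) + b   # encode an SSH 'string'

def build_sample_sk_key(flags, app=b"ssh:"):
    """CONSTRUCTED fixture: unencrypted sk key file with dummy material (not a usable key)."""
    pub = _s(b"sk-ssh-ed25519@openssh.com") + _s(b"\x11" * 32) + _s(app)
    priv = struct.pack(">II", 7, 7) + pub + bytes([flags]) + _s(b"\x22" * 64) + _s(b"") + _s(b"sample")
    priv += bytes(range(1, (-len(priv)) % 8 + 1))   # pad to the 8-byte block size
    raw = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(priv)
    b64 = base64.b64encode(raw).decode()
    return "\n".join([PEM_HDR] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_FTR, ""])
```

A key generated with plain `ssh-keygen -t ed25519-sk` on 8.2 reports `pin_required: False`, which matches the behaviour described in the thread.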