
Fido2 sometimes prompts for PIN
I’m trying to understand why my fido2 configuration only asks for a PIN sometimes…

Is there a way to force it to ask for PIN every time?

jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:34 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:40 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:44 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
Enter PIN for ED25519-SK key /Users/jeremy/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:47 2022 from 192.168.10.95
[root@test ~]#

and when it does actually ask for PIN, it follows the PIN entry up with another touch request.

Server is 8.8p1, client is 9.0p1.

Distro is CentOS 8.6 on the server and MacOS on the client.

Thanks
-jeremy
Re: Fido2 sometimes prompts for PIN
On Thu, Aug 25, 2022, at 7:59 AM, Jeremy Hansen wrote:
> I’m trying to understand why my fido2 configuration only asks for a PIN
> sometimes…
>
> Is there a way to force it to ask for PIN every time?

Hi Jeremy,

Which FIDO2 authenticator are you using?

-p.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Fido2 sometimes prompts for PIN
Yubikey BIO.

I’m noticing it consistently prompts me for PIN when I use a different fingerprint, so I guess what seemed to be a random prompt for my PIN is just me not touching the key properly. This also explains why it prompts for a touch the second time. I’d like to always prompt for PIN.

I also noticed if I use the wrong fingerprint, as long as my PIN is correct, it allows me to proceed. I guess I expected that a second bad fingerprint after the PIN prompt would kick me out.

Thanks

> On Wednesday, Aug 24, 2022 at 11:26 PM, pedro martelletto <pedro@ambientworks.net> wrote:
> On Thu, Aug 25, 2022, at 7:59 AM, Jeremy Hansen wrote:
> > I’m trying to understand why my fido2 configuration only asks for a PIN
> > sometimes…
> >
> > Is there a way to force it to ask for PIN every time?
>
> Hi Jeremy,
>
> Which FIDO2 authenticator are you using?
>
> -p.
Re: Fido2 sometimes prompts for PIN
On Thu, Aug 25, 2022, at 8:34 AM, Jeremy Hansen wrote:
> Yubikey BIO.
>
> I’m noticing it consistently prompts me for PIN when I use a different
> fingerprint, so I guess what seemed to be a random prompt for my PIN is
> just me not touching the key properly. This also explains why it
> prompts for a touch the second time. I’d like to always prompt for PIN.
>
> I also noticed if I use the wrong fingerprint, as long as my PIN is
> correct, it allows me to proceed. I guess I expected that a second bad
> fingerprint after the PIN prompt would kick me out.

I am afraid that is by design. Fingerprint verification and PIN authentication are codified as equivalent forms of user verification in FIDO2. They satisfy the same criteria from the verifier's perspective, and there is no way for the verifier to know which method was used.

(Apologies in advance if the formatting of this message is skewed; I am typing it from a browser.)

-p.
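As an added illustration of Pedro's point (this is example code written for this page, not OpenSSH's own code and not something posted in the thread), the following Python shows what the SSH server actually gets to look at. An OpenSSH FIDO signature (the sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com formats described in OpenSSH's PROTOCOL.u2f) carries the authenticator's flags byte, where bit 0x01 means user presence (touch) and bit 0x04 means user verification. There is no bit that says whether the verification was a PIN or a fingerprint, so a server can only enforce "UV happened", never "UV was a PIN". The signature bytes in the samples are placeholder zeros (constructed, not a real Ed25519 signature, and not verified here), and `check_sk_flags` is a re-implementation of the policy behind sshd's `no-touch-required` and `verify-required` key options, written for illustration.

```python
import struct

# Flag bits in the OpenSSH FIDO ("sk") signature blob (OpenSSH PROTOCOL.u2f and
# sk-api.h). OpenSSH copies them from the authenticator's CTAP2 authData flags
# byte, so the server sees exactly what the token asserted and nothing more.
SSH_SK_USER_PRESENCE_REQD = 0x01      # UP: the key was touched
SSH_SK_USER_VERIFICATION_REQD = 0x04  # UV: PIN *or* fingerprint, indistinguishable

SK_ALGS = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def _get_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_sk_signature(alg, sig, flags, counter):
    """Encode an sk signature blob: string alg, string sig, byte flags, uint32 counter."""
    return (struct.pack(">I", len(alg)) + alg.encode()
            + struct.pack(">I", len(sig)) + sig
            + bytes([flags & 0xFF]) + struct.pack(">I", counter))


def parse_sk_signature(blob):
    """Decode the blob back into (alg, sig, flags, counter); rejects malformed input."""
    alg, off = _get_string(blob, 0)
    alg = alg.decode("ascii")
    if alg not in SK_ALGS:
        raise ValueError("not an OpenSSH sk signature: %r" % alg)
    sig, off = _get_string(blob, off)
    if len(blob) - off != 5:
        raise ValueError("expected exactly flags(1) + counter(4) after signature")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    return alg, sig, flags, counter


def check_sk_flags(flags, verify_required=False, no_touch_required=False):
    """Policy on the flags byte, modelled on sshd's authorized_keys options:
    touch (UP) is required unless 'no-touch-required'; UV is required only if
    the key carries 'verify-required'. Returns (accepted, reason)."""
    if not no_touch_required and not (flags & SSH_SK_USER_PRESENCE_REQD):
        return False, "user presence flag not set"
    if verify_required and not (flags & SSH_SK_USER_VERIFICATION_REQD):
        return False, "user verification flag not set but key is verify-required"
    return True, "accepted"


def demo():
    """Constructed samples: the 64 zero bytes stand in for an Ed25519 signature
    and are not verified; only the flag handling is demonstrated."""
    placeholder_sig = b"\x00" * 64
    touch_only = build_sk_signature(SK_ALGS[0], placeholder_sig, 0x01, 7)   # UP only
    touch_and_uv = build_sk_signature(SK_ALGS[0], placeholder_sig, 0x05, 8)  # UP + UV
    results = {}
    for name, blob in (("touch_only", touch_only), ("touch_and_uv", touch_and_uv)):
        _, _, flags, counter = parse_sk_signature(blob)
        results[name] = {
            "counter": counter,
            "default_key": check_sk_flags(flags)[0],
            "verify_required_key": check_sk_flags(flags, verify_required=True)[0],
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The closest OpenSSH gets to "ask for a PIN every time" is requiring user verification on every use: generate the key with `ssh-keygen -t ed25519-sk -O verify-required`, or put `verify-required` on the key's authorized_keys line (or `PubkeyAuthOptions verify-required` in sshd_config) so the server rejects signatures without the 0x04 bit. On a YubiKey Bio a matching fingerprint sets that bit just as a correct PIN does, which is exactly the equivalence Pedro describes, so the prompt you get still depends on the token, not on anything the server can demand.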