Yubico / developers.yubico.com

Source code for generating our website
https://developers.yubico.com

FIDO2 SSH authorized_keys and verify-required keyword configuration #509

Closed daemonhorn closed 1 week ago

daemonhorn commented 1 year ago

The example shown for adding verify-required keyword to enforce user verification on a per-key basis from an SSH server is not the correct syntax for authorized_keys file entries.

Example shows appending verify-required keyword to the ssh public key. In actuality, this must be prepended to the desired public key line in the authorized_keys file.

See https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT for correctly formatted options examples in authorized_keys.

Please update documentation to reflect this oversight. In addition, it would be useful to know which Yubikey versions support the verify-required user verification validation in openssh, since this is not a globally supported feature with all devices/key types.
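To make the format point concrete, here is an added checker (not part of this issue or of the Yubico site) that parses an authorized_keys line per sshd(8) and reports whether verify-required is an option in front of the key or has been appended after it, where sshd treats it as comment. The key blob, key bytes and user names are constructed sample values.

```python
import base64
import re
import struct

# "<keytype> <base64 blob>" where the key type begins a whitespace-separated field.
KEY_RE = re.compile(
    r"(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.\-]+)\s+([A-Za-z0-9+/]+={0,2})")


def parse_authorized_key(line):
    """Split an authorized_keys line into (options, keytype, key_b64, comment).

    sshd(8) layout: [options] keytype base64-key [comment]. The key is located by
    decoding the base64 blob and checking that its first wire-format string equals
    the key type, so text inside quoted options cannot be mistaken for the key."""
    for m in KEY_RE.finditer(line):
        keytype, blob = m.group(1), m.group(2)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if len(raw) >= 4 and raw[4:4 + struct.unpack(">I", raw[:4])[0]] == keytype.encode():
            return line[:m.start(1)].strip(), keytype, blob, line[m.end(2):].strip()
    raise ValueError("no valid public key found on line")


def check_verify_required(line):
    """'ok' if verify-required is an option, 'misplaced' if it trails the key
    (sshd ignores it there), 'absent' otherwise."""
    options, _keytype, _blob, comment = parse_authorized_key(line)
    # A plain comma split suffices for a presence test: a quoted option such as
    # command="a,b" yields fragments that never equal "verify-required".
    if "verify-required" in [o.strip().lower() for o in options.split(",")]:
        return "ok"
    return "misplaced" if "verify-required" in comment.lower().split() else "absent"


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sk_ed25519_blob(pubkey=b"\x01" * 32, application=b"ssh:"):
    """Constructed sk-ssh-ed25519 blob (wire format: type, key, application).
    The key bytes are dummy filler, not a real public key."""
    raw = _ssh_string(b"sk-ssh-ed25519@openssh.com") + _ssh_string(pubkey) + _ssh_string(application)
    return base64.b64encode(raw).decode()


# Constructed sample lines: correct placement, then the mistake from the issue.
BLOB = make_sk_ed25519_blob()
GOOD_LINE = f"verify-required sk-ssh-ed25519@openssh.com {BLOB} alice@laptop"
BAD_LINE = f"sk-ssh-ed25519@openssh.com {BLOB} verify-required"

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(check_verify_required(line), "<-", line[:45] + "...")
```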

joostd commented 1 week ago

Thank you, you are absolutely correct. We have recently updated that page, and it now shows a different option through server configuration.

As for the YubiKey versions: all FIDO2 keys should be able to perform user verification, as that is a required FIDO2 feature. You do need to set a PIN before generating keys.

See Securing SSH with FIDO2