Yubico / developers.yubico.com

Source code for generating our website
https://developers.yubico.com

verify-required option not usable in ssh-agent and ssh-add #518

Open fstuijt opened 1 year ago

fstuijt commented 1 year ago

In [1], examples are given for using the "verify-required" option that should result in the system asking for the FIDO2 PIN. The document gives the impression that from 8.2p1 (released on 2020-02-14) this can be used; however, the verify-required option was apparently implemented later in the ssh-agent/ssh-add tools (see [2]).

When the ssh-agent and ssh-add tools do not support the verify-required option, ssh reports "sign_and_send_pubkey: signing failed for [...] from agent: agent refused operation".

I think it would be good to mention that the verify-required option can be used from OpenSSH 8.9 (released on 2022-10-04) and higher.

[1] https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
[2] https://lists.mindrot.org/pipermail/openssh-commits/2022-January/009756.html

fstuijt commented 1 year ago

When using the ssh command, the option "-o IdentityAgent=none" may be set to circumvent the use of ssh-agent and enable the query for the FIDO2 PIN when the key is used. However, this does not help when using resident/discoverable keys (where using verify-required makes a lot of sense).
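The two comments above describe a version-dependent failure mode: an agent older than OpenSSH 8.9 refuses verify-required keys, and the IdentityAgent=none workaround only covers non-resident keys. The following script is an added example, not part of the Yubico documentation or the issue author's text: it parses the banner that `ssh -V` prints and reports whether verify-required keys can be expected to work through ssh-agent on that version. The 8.9 threshold is taken from the issue; the function names (`openssh_version`, `agent_supports_verify_required`, `verify_required_advice`) and the sample banner strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Yubico docs or the issue author): check whether a
# FIDO2 key generated with "ssh-keygen -O verify-required" can be used through
# ssh-agent/ssh-add on a given OpenSSH version. Threshold 8.9 comes from the
# issue report above; everything else here is an assumption of this example.

# Extract "major.minor" from an OpenSSH version banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022".
# Prints nothing if the banner does not start with "OpenSSH_<major>.<minor>".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) when "$1" (major.minor) is >= 8.9, the first release in
# which ssh-agent and ssh-add honour verify-required according to the issue.
agent_supports_verify_required() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 9 ]; }
}

# Print one line of advice for a version banner.
# Exit status: 0 = agent usable, 1 = agent refuses verify-required, 2 = unparseable.
verify_required_advice() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse an OpenSSH version from: $1"
        return 2
    fi
    if agent_supports_verify_required "$ver"; then
        echo "ok: OpenSSH $ver - verify-required keys work via ssh-agent; the agent prompts for the FIDO2 PIN"
        return 0
    fi
    echo "limited: OpenSSH $ver - ssh-agent refuses verify-required keys (agent refused operation); use 'ssh -o IdentityAgent=none' for non-resident keys, or upgrade to 8.9 or newer"
    return 1
}

# Check the locally installed ssh, if there is one ("ssh -V" prints to stderr).
if command -v ssh >/dev/null 2>&1; then
    verify_required_advice "$(ssh -V 2>&1)" || true
fi
```

The exit status of `verify_required_advice` is meant for provisioning scripts: a status of 1 means the host should either get an OpenSSH upgrade before resident, verify-required keys are rolled out, or its users should be told to bypass the agent for non-resident keys.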