Contributor

@scj643 scj643 commented Nov 17, 2025

Change summary

Add PubkeyAuthOptions to allow requiring touch and user verification.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related PRs

Related Task(s)

https://vyos.dev/T7483

How to test / Smoketest result

Run ssh with these options enabled and verify that it requires touch and pin verification.

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly


github-actions bot commented Nov 17, 2025

👍
No issues in PR Title / Commit Title

Member

@dmbaturin dmbaturin left a comment

This is certainly a useful addition. I'm not a big fan of the name verify-required and might prefer that syntax to be require <verification|touch>.

The current syntax mirrors OpenSSH options from https://man.openbsd.org/sshd_config#PubkeyAuthOptions that might be familiar to OpenSSH users. This is a purely aesthetic consideration and I don't consider it a blocker for merging this PR.

Member

@c-po c-po left a comment

Hi @scj643,

thanks for the contribution - as @dmbaturin already outlined the CLI could be improved. Let me throw in another idea:

set service ssh fido pin-required
set service ssh fido touch-required

Contributor Author

scj643 commented Nov 20, 2025

> Hi @scj643,
>
> thanks for the contribution - as @dmbaturin already outlined the CLI could be improved. Let me throw in another idea:
>
> set service ssh fido pin-required
> set service ssh fido touch-required

That sounds great. I'll change that later today.

Contributor Author

scj643 commented Nov 20, 2025

Changes made and updated the documentation.

@scj643 scj643 requested a review from c-po November 20, 2025 17:08
Member

c-po commented Nov 20, 2025

The documentation could use an example on how to set this up and get it working. Please also extend the SSH Smoketests to verify the CLI nodes actually make it into the sshd_config.
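
The kind of check requested in the comment above, as an added example that is not part of this thread or of vyos-1x: it reads a rendered sshd_config and reports which PubkeyAuthOptions are not enforced globally. The function names and sample configs are constructed, and it assumes `pin-required` is rendered as OpenSSH's `verify-required`.

```python
# Added example: hypothetical helpers, not code from vyos-1x or its smoketests.
VALID_OPTIONS = {"none", "touch-required", "verify-required"}

def effective_pubkey_auth_options(config_text):
    """Return the PubkeyAuthOptions that apply globally in an sshd_config.

    sshd keeps the first value it obtains for a keyword and matches keywords
    case-insensitively. Lines after a Match line are conditional, so parsing
    stops there.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "match":
            break
        if keyword == "pubkeyauthoptions":
            options = {arg.lower() for arg in args}
            unknown = options - VALID_OPTIONS
            if unknown:
                raise ValueError(f"unsupported PubkeyAuthOptions: {sorted(unknown)}")
            return options - {"none"}
    return set()  # keyword absent: the sshd default is "none"

def missing_requirements(config_text, required=("touch-required", "verify-required")):
    """List required options that the global section does not enforce."""
    return sorted(set(required) - effective_pubkey_auth_options(config_text))

# Constructed sample configs (assumption: pin-required renders as verify-required).
RENDERED_OK = "Port 22\nPubkeyAuthentication yes\nPubkeyAuthOptions touch-required verify-required\n"
TOUCH_ONLY = "Port 22\nPubkeyAuthOptions touch-required\n"
SHADOWED = "PubkeyAuthOptions none\nPubkeyAuthOptions touch-required verify-required\n"
MATCH_ONLY = "Port 22\nMatch User admin\n    PubkeyAuthOptions verify-required\n"

if __name__ == "__main__":
    samples = {"ok": RENDERED_OK, "touch-only": TOUCH_ONLY,
               "shadowed": SHADOWED, "match-only": MATCH_ONLY}
    for name, cfg in samples.items():
        print(name, missing_requirements(cfg) or "all required options present")
```

The `SHADOWED` and `MATCH_ONLY` samples cover the two cases a plain substring search on the file would miss: an earlier line overriding the intended one, and the option appearing only inside a Match block.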

@github-actions

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed
