ssh: T7483: Add fido2 PubkeyAuthOptions

Author: scj643

data/templates/ssh/sshd_config.j2

@@ -72,6 +72,18 @@ HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
 PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
 {% endif %}
 
+{% set configured_pubkey_options = [] %}
+{% if verify_required is vyos_defined %}
+{{ configured_pubkey_options.append('verify-required') }}
+{% endif %}
+{% if touch_required is vyos_defined %}
+{{ configured_pubkey_options.append('touch-required') }}
+{% endif %}
+{% if configured_pubkey_options | length > 0 %}
+# Sets one or more public key authentication options.
+PubkeyAuthOptions {{ configured_pubkey_options | join(',') }}
+{% endif %}
+
 {% if mac is vyos_defined %}
 # Specifies the available MAC (message authentication code) algorithms
 MACs {{ mac | join(',') }}

interface-definitions/service_ssh.xml.in

@@ -61,6 +61,18 @@
               <valueless/>
             </properties>
           </leafNode>
+          <leafNode name="verify-required">
+            <properties>
+              <help>Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <leafNode name="touch-required">
+            <properties>
+              <help>Require FIDO2 keys to attest that a user is physically present</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           <node name="dynamic-protection">
             <properties>
               <help>Allow dynamic protection</help>