ssh: T7483: Add fido2 PubkeyAuthOptions #4852
dmbaturin
left a comment
This is certainly a useful addition. I'm not a big fan of the name verify-required and might prefer that syntax to be require <verification|touch>.
The current syntax mirrors OpenSSH options from https://man.openbsd.org/sshd_config#PubkeyAuthOptions that might be familiar to OpenSSH users. This is a purely aesthetic consideration and I don't consider it a blocker for merging this PR.
Hi @scj643,
thanks for the contribution - as @dmbaturin already outlined, the CLI could be improved. Let me throw in another idea:
set service ssh fido pin-required
set service ssh fido touch-required
That sounds great. I'll change that later today.
Changes made and updated the documentation.
The documentation could use an example on how to set this up and get it working. Please also extend the SSH Smoketests to verify the CLI nodes actually make it into the sshd_config.
So an example of setting up the SSH server to only accept fido keys?
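As an added example (not code from this PR, VyOS or OpenSSH), the mapping the thread is converging on: the proposed `service ssh fido pin-required` / `touch-required` nodes rendered into an sshd_config `PubkeyAuthOptions` line, plus the kind of check the requested smoketest would run against the rendered file. The config-dict shape, the helper names and the sample sshd_config are assumptions.

```python
"""Added example, not VyOS or OpenSSH code: render the proposed CLI nodes
`service ssh fido pin-required|touch-required` into an sshd_config
PubkeyAuthOptions line and check a rendered file the way a smoketest
would. The config-dict shape and helper names are assumptions."""
import re

# Proposed CLI node -> OpenSSH PubkeyAuthOptions keyword (sshd_config(5)).
# 'pin-required' is the CLI spelling of OpenSSH's 'verify-required'.
FIDO_OPTION_MAP = {
    'pin-required': 'verify-required',
    'touch-required': 'touch-required',
}

# Constructed sample of a rendered sshd_config. The second
# PubkeyAuthOptions line must be ignored: sshd keeps the first value
# it sees for a keyword, and keyword matching is case-insensitive.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
pubkeyauthoptions verify-required touch-required   # first occurrence wins
PubkeyAuthOptions none
"""


def render_pubkey_auth_options(ssh_config: dict) -> str:
    """sshd_config line for a 'service ssh' dict, or '' when no fido node
    is set (template emits nothing, sshd falls back to its default 'none')."""
    fido = ssh_config.get('fido', {})
    keywords = [kw for node, kw in FIDO_OPTION_MAP.items() if node in fido]
    return ('PubkeyAuthOptions ' + ' '.join(keywords)) if keywords else ''


def parse_pubkey_auth_options(sshd_config_text: str) -> set:
    """Keyword set from the effective PubkeyAuthOptions line
    (first match wins, comments stripped, keyword case ignored)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'PubkeyAuthOptions\s+(.+)$', line, re.IGNORECASE)
        if m:
            return set(m.group(1).lower().split())
    return set()


def fido_nodes_applied(ssh_config: dict, sshd_config_text: str) -> bool:
    """Smoketest-style check: every configured fido node reached sshd_config."""
    expected = {FIDO_OPTION_MAP[node] for node in ssh_config.get('fido', {})}
    return expected <= parse_pubkey_auth_options(sshd_config_text)
```

The `verify-required` keyword needs an OpenSSH server of 8.4 or later, and the user's FIDO key must itself have been generated with user verification enabled for the server-side requirement to be satisfiable.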
dmbaturin
left a comment
The new syntax looks fine to me, I'm happy to approve it.
CI integration ❌ failed!
sever-sever
left a comment
Smoketests fail
DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py
DEBUG - test_ssh_default (__main__.TestServiceSSH.test_ssh_default) ... ok
DEBUG - test_ssh_dynamic_protection (__main__.TestServiceSSH.test_ssh_dynamic_protection) ... ok
DEBUG - test_ssh_fido (__main__.TestServiceSSH.test_ssh_fido) ... FAIL
DEBUG - test_ssh_login (__main__.TestServiceSSH.test_ssh_login) ... ERROR
DEBUG - test_ssh_login (__main__.TestServiceSSH.test_ssh_login) ... FAIL
DEBUG - test_ssh_multiple_listen_addresses (__main__.TestServiceSSH.test_ssh_multiple_listen_addresses) ... FAIL
DEBUG - test_ssh_ndcpp (__main__.TestServiceSSH.test_ssh_ndcpp) ... FAIL
DEBUG - test_ssh_pubkey_accepted_algorithm (__main__.TestServiceSSH.test_ssh_pubkey_accepted_algorithm) ... FAIL
DEBUG - test_ssh_single_listen_address (__main__.TestServiceSSH.test_ssh_single_listen_address) ... FAIL
DEBUG - test_ssh_single_listen_address (__main__.TestServiceSSH.test_ssh_single_listen_address) ... FAIL
DEBUG - test_ssh_trusted_user_ca (__main__.TestServiceSSH.test_ssh_trusted_user_ca) ... ERROR
DEBUG - test_ssh_trusted_user_ca (__main__.TestServiceSSH.test_ssh_trusted_user_ca) ... FAIL
DEBUG - test_ssh_vrf_multi (__main__.TestServiceSSH.test_ssh_vrf_multi) ... FAIL
DEBUG - test_ssh_vrf_multi (__main__.TestServiceSSH.test_ssh_vrf_multi) ... FAIL
DEBUG - test_ssh_vrf_single (__main__.TestServiceSSH.test_ssh_vrf_single) ... FAIL
DEBUG - test_ssh_vrf_single (__main__.TestServiceSSH.test_ssh_vrf_single) ... FAIL
DEBUG -
DEBUG - ======================================================================
DEBUG - ERROR: test_ssh_login (__main__.TestServiceSSH.test_ssh_login)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 300, in test_ssh_login
DEBUG - output, error = self.ssh_send_cmd(test_command, test_user, test_pass)
DEBUG - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 201, in ssh_send_cmd
DEBUG - ssh_client.connect(hostname=hostname, username=username,
DEBUG - File "/usr/lib/python3/dist-packages/paramiko/client.py", line 381, in connect
DEBUG - raise NoValidConnectionsError(errors)
DEBUG - paramiko.ssh_exception.NoValidConnectionsError: [Errno None] Unable to connect to port 22 on 127.0.0.1 or ::1
DEBUG -
DEBUG - ======================================================================
DEBUG - ERROR: test_ssh_trusted_user_ca (__main__.TestServiceSSH.test_ssh_trusted_user_ca)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 461, in test_ssh_trusted_user_ca
DEBUG - output, error = self.ssh_send_cmd(test_command, test_user, ***
DEBUG - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 201, in ssh_send_cmd
DEBUG - ssh_client.connect(hostname=hostname, username=username,
DEBUG - File "/usr/lib/python3/dist-packages/paramiko/client.py", line 381, in connect
DEBUG - raise NoValidConnectionsError(errors)
DEBUG - paramiko.ssh_exception.NoValidConnectionsError: [Errno None] Unable to connect to port 22 on 127.0.0.1 or ::1
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_fido (__main__.TestServiceSSH.test_ssh_fido)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 151, in tearDown
DEBUG - self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_trusted_user_ca (__main__.TestServiceSSH.test_ssh_trusted_user_ca)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 151, in tearDown
DEBUG - self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_vrf_multi (__main__.TestServiceSSH.test_ssh_vrf_multi)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 281, in test_ssh_vrf_multi
DEBUG - self.assertIn(PROCESS_NAME, tmp)
DEBUG - AssertionError: 'sshd' not found in ''
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_vrf_multi (__main__.TestServiceSSH.test_ssh_vrf_multi)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 151, in tearDown
DEBUG - self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_vrf_single (__main__.TestServiceSSH.test_ssh_vrf_single)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 258, in test_ssh_vrf_single
DEBUG - self.assertIn(PROCESS_NAME, tmp)
DEBUG - AssertionError: 'sshd' not found in ''
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_ssh_vrf_single (__main__.TestServiceSSH.test_ssh_vrf_single)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py", line 151, in tearDown
DEBUG - self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true
DEBUG -
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 11 tests in 83.550s
DEBUG -
DEBUG - FAILED (failures=12, errors=2)
I think there is a deeper issue than what I added that is causing the smoke test to fail.
@sever-sever think you could investigate that?
sever-sever
left a comment
The local test looks ok
vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py -k test_ssh_fido
test_ssh_fido (__main__.TestServiceSSH.test_ssh_fido) ... ok
----------------------------------------------------------------------
Ran 1 test in 3.944s
OK
vyos@r14:~$
vyos@r14:~$
vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_service_ssh.py
test_ssh_default (__main__.TestServiceSSH.test_ssh_default) ... ok
test_ssh_dynamic_protection (__main__.TestServiceSSH.test_ssh_dynamic_protection) ... ok
test_ssh_fido (__main__.TestServiceSSH.test_ssh_fido) ... ok
test_ssh_login (__main__.TestServiceSSH.test_ssh_login) ... ok
test_ssh_multiple_listen_addresses (__main__.TestServiceSSH.test_ssh_multiple_listen_addresses) ... ok
test_ssh_ndcpp (__main__.TestServiceSSH.test_ssh_ndcpp) ... ok
test_ssh_pubkey_accepted_algorithm (__main__.TestServiceSSH.test_ssh_pubkey_accepted_algorithm) ... ok
test_ssh_single_listen_address (__main__.TestServiceSSH.test_ssh_single_listen_address) ... ok
test_ssh_trusted_user_ca (__main__.TestServiceSSH.test_ssh_trusted_user_ca) ... ok
test_ssh_vrf_multi (__main__.TestServiceSSH.test_ssh_vrf_multi) ... ok
test_ssh_vrf_single (__main__.TestServiceSSH.test_ssh_vrf_single) ... ok
----------------------------------------------------------------------
Ran 11 tests in 52.138s
OK
vyos@r14:~$
Change summary
Add PubkeyAuthOptions to allow requiring touch and user verification.
Related Task(s)
https://vyos.dev/T7483
How to test / Smoketest result
Run ssh with these options enabled and verify that it requires touch and pin verification.