[Question] Is it possible to cache FIDO touch verification?

[loshz]

• YubiKey Manager (ykman) version: 4.0.9
• How was it installed?: pacman
• Operating system and version: Linux 6.1.2-arch1-1
• YubiKey model and version: 5C NFC

Apologies in advance if this is more of an OpenSSH question!

I used this guide to successfully set up Git auth with SSH/FIDO2 - all working with no issues!

However, I need to touch my YubiKey on every auth command. This is fine in most cases, but in the case of running scripts that do multipe git operations it's somewhat tedious. Is is possible to cache this for a short period of time?

[dainnilsson]

The FIDO2 spec does allow for authentication without UP (user presence), but it would have to be explicitly supported both in the OpenSSH server (to allow it) and in the OpenSSH client (to not request it).

[emlun]

Yes, this is supported in the OpenSSH client. See the -O no-touch-required option of ssh-keygen.

But as Dain said, this also needs to be permitted by the server. If you run the server, see the no-touch-required option of the authorized_keys file format.

[loshz]

Awesome - appreciate your help!