summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2020-05-11 02:11:30 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-05-11 02:11:30 +0000
commit25ff03497c88f3882f8343c4bb33220d434a8f29 (patch)
tree4063fb531129f8c2a6254695c714cf3b81011d70 /usr.bin/ssh
parent2e918ba696d2a8e6750faaa8c24d13dbb9eeefe3 (diff)
clarify role of FIDO tokens in multi-factor authentictation;
mostly from Pedro Martelletto
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/PROTOCOL.u2f7
1 files changed, 7 insertions, 0 deletions
diff --git a/usr.bin/ssh/PROTOCOL.u2f b/usr.bin/ssh/PROTOCOL.u2f
index 917e669cdda..fd4325b3aba 100644
--- a/usr.bin/ssh/PROTOCOL.u2f
+++ b/usr.bin/ssh/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
standard specifies additional key types, including one based on Ed25519.
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd’s perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication. To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
+
+
SSH U2F Key formats
-------------------