pki: add security key identities to session options

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
2026-02-10 18:28:10 +09:00 · 2025-08-22 19:23:40 +05:30
parent 37f0e91814
commit d91630308d
3 changed files with 37 additions and 0 deletions
--- a/src/options.c
+++ b/src/options.c
@@ -392,6 +392,8 @@ int ssh_options_set_algo(ssh_session session,
 *                the identity list.\n
 *                \n
 *                By default id_rsa, id_ecdsa and id_ed25519 files are used.\n
+ *                If libssh is built with FIDO2/U2F support, id_ecdsa_sk and\n
+ *                id_ed25519_sk files are also used by default.\n
 *                \n
 *                The identity used to authenticate with public key will be
 *                prepended to the list.
--- a/src/session.c
+++ b/src/session.c
@@ -190,6 +190,29 @@ ssh_session ssh_new(void)
        goto err;
    }

+#ifdef WITH_FIDO2
+    /* Add security key identities */
+    id = strdup("%d/id_ed25519_sk");
+    if (id == NULL) {
+        goto err;
+    }
+    rc = ssh_list_append(session->opts.identity_non_exp, id);
+    if (rc == SSH_ERROR) {
+        goto err;
+    }
+
+#ifdef HAVE_ECC
+    id = strdup("%d/id_ecdsa_sk");
+    if (id == NULL) {
+        goto err;
+    }
+    rc = ssh_list_append(session->opts.identity_non_exp, id);
+    if (rc == SSH_ERROR) {
+        goto err;
+    }
+#endif /* HAVE_ECC */
+#endif /* WITH_FIDO2 */
+
    /* Explicitly initialize states */
    session->session_state = SSH_SESSION_STATE_NONE;
    session->pending_call_state = SSH_PENDING_CALL_NONE;
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -1969,6 +1969,18 @@ static void torture_options_apply (void **state)
    id = ssh_path_expand_escape(session, "%d/id_rsa");
    rc = ssh_list_append(awaited_list, id);
    assert_int_equal(rc, SSH_OK);
+#ifdef WITH_FIDO2
+    /* Add security key identities */
+    id = ssh_path_expand_escape(session, "%d/id_ed25519_sk");
+    rc = ssh_list_append(awaited_list, id);
+    assert_int_equal(rc, SSH_OK);
+
+#ifdef HAVE_ECC
+    id = ssh_path_expand_escape(session, "%d/id_ecdsa_sk");
+    rc = ssh_list_append(awaited_list, id);
+    assert_int_equal(rc, SSH_OK);
+#endif /* HAVE_ECC */
+#endif /* WITH_FIDO2 */

    assert_int_equal(ssh_list_count(awaited_list),
                     ssh_list_count(session->opts.identity));