upstream: mention that biometrics may be used for FIDO key user

verification as well as PIN. Prompted by Zack Newman, ok jmc@ OpenBSD-Commit-ID: b774a4438c9be70012661ee278450790d21277b8
2025-05-01 15:48:24 +00:00 · 2024-11-27 13:00:23 +00:00 · 2024-11-27 13:00:23 +00:00 · 785e3c9110
commit 785e3c9110
parent fd2e64c9ec
1 changed files with 3 additions and 5 deletions
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.233 2024/08/17 08:35:04 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.234 2024/11/27 13:00:23 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 17 2024 $
+.Dd $Mdocdate: November 27 2024 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@ -1041,13 +1041,11 @@ format.
 .Pp
 .It Ic verify-required
 Require signatures made using this key indicate that the user was first
-verified.
+verified, e.g. by PIN or on-token biometrics.
 This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
 Currently PIN authentication is the only supported verification method,
 but other methods may be supported in the future.
 .El
 .Pp
 At present, no standard options are valid for host keys.