The Verify() method for FIDO/U2F security key types
(sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com)
did not check the User Presence flag. Signatures generated
without physical touch were accepted, allowing unattended use of
a hardware security key. To restore the previous behavior, return
a "no-touch-required" extension in Permissions.Extensions from
PublicKeyCallback.
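The following is an added example, not code from golang.org/x/crypto/ssh, that reconstructs the check the advisory describes using only the Go standard library. It assumes the sk-ssh-ed25519 wire format from OpenSSH's PROTOCOL.u2f (signature blob = string algorithm || string signature || byte flags || uint32 counter; signed message = SHA256(application) || flags || counter || SHA256(session data)) and uses a plain `noTouchRequired` boolean where a real server would consult the "no-touch-required" key in Permissions.Extensions returned by its PublicKeyCallback. The hardware token is simulated by `simulateAuthenticatorSign`, which lets us produce both a touched and an untouched signature; the session data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	skAlgo            = "sk-ssh-ed25519@openssh.com"
	skFlagUserPresent = 0x01 // FIDO "UP" bit: set only after a physical touch
)

// putString appends an SSH "string" (uint32 big-endian length + bytes).
func putString(b, s []byte) []byte {
	b = binary.BigEndian.AppendUint32(b, uint32(len(s)))
	return append(b, s...)
}

// getString reads an SSH "string" and returns the payload and the remainder.
func getString(b []byte) ([]byte, []byte, error) {
	if len(b) < 4 {
		return nil, nil, errors.New("ssh: short string length")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(len(b)-4) < uint64(n) {
		return nil, nil, errors.New("ssh: short string body")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// signedMessage is what the authenticator signs for sk-ssh-ed25519 keys
// (assumed from OpenSSH PROTOCOL.u2f):
//   SHA256(application) || flags || counter (uint32 BE) || SHA256(sessionData)
func signedMessage(application string, flags byte, counter uint32, sessionData []byte) []byte {
	appDigest := sha256.Sum256([]byte(application))
	dataDigest := sha256.Sum256(sessionData)
	msg := append([]byte{}, appDigest[:]...)
	msg = append(msg, flags)
	msg = binary.BigEndian.AppendUint32(msg, counter)
	return append(msg, dataDigest[:]...)
}

// simulateAuthenticatorSign stands in for the hardware token and returns the
// wire-format signature blob. A real token sets skFlagUserPresent only after a
// touch; here the caller chooses the flags so both cases can be demonstrated.
func simulateAuthenticatorSign(priv ed25519.PrivateKey, application string, flags byte, counter uint32, sessionData []byte) []byte {
	sig := ed25519.Sign(priv, signedMessage(application, flags, counter, sessionData))
	blob := putString(nil, []byte(skAlgo))
	blob = putString(blob, sig)
	blob = append(blob, flags)
	return binary.BigEndian.AppendUint32(blob, counter)
}

// verifySK verifies an sk-ssh-ed25519 signature over sessionData.
// noTouchRequired plays the role of the "no-touch-required" extension: only
// when the server opted in is a signature made without user presence accepted.
func verifySK(pub ed25519.PublicKey, application string, sessionData, sigBlob []byte, noTouchRequired bool) error {
	algo, rest, err := getString(sigBlob)
	if err != nil {
		return err
	}
	if string(algo) != skAlgo {
		return fmt.Errorf("ssh: signature type %q for key type %s", algo, skAlgo)
	}
	sig, rest, err := getString(rest)
	if err != nil {
		return err
	}
	if len(rest) != 5 { // one flags byte + uint32 counter, nothing else
		return errors.New("ssh: malformed sk signature trailer")
	}
	flags := rest[0]
	counter := binary.BigEndian.Uint32(rest[1:])

	// The check that was missing: reject signatures the token produced without
	// a touch unless the server explicitly allowed unattended use.
	if flags&skFlagUserPresent == 0 && !noTouchRequired {
		return errors.New("ssh: signature made without user presence")
	}
	if !ed25519.Verify(pub, signedMessage(application, flags, counter, sessionData), sig) {
		return errors.New("ssh: signature did not verify")
	}
	return nil
}

// demo runs the four cases a server must get right and returns each outcome.
func demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const app = "ssh:" // OpenSSH's default application string
	session := []byte("constructed: session-id || SSH_MSG_USERAUTH_REQUEST fields")
	touched := simulateAuthenticatorSign(priv, app, skFlagUserPresent, 7, session)
	untouched := simulateAuthenticatorSign(priv, app, 0, 8, session)
	return map[string]error{
		"touched":                     verifySK(pub, app, session, touched, false),
		"untouched-default":           verifySK(pub, app, session, untouched, false),
		"untouched-no-touch-required": verifySK(pub, app, session, untouched, true),
		"tampered":                    verifySK(pub, app, append([]byte("x"), session...), touched, false),
	}
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-28s %v\n", name, err)
	}
}
```

Without the flags check, the "untouched-default" case verifies cryptographically and is accepted, which is exactly the unattended use the advisory describes; with it, only a server that opts in via the extension accepts that signature, and a bad signature is still rejected in every mode.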
Thanks to NCC Group Cryptography Services, sponsored by Teleport, for reporting this issue.
This is CVE-2026-39831 and Go issue https://go.dev/issue/79566.
This was a PRIVATE track issue, tracked in http://b/502993938.