From 785e3c9110df8f2d30e42ce8b45969c49700f35b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 27 Nov 2024 13:00:23 +0000
Subject: [PATCH] upstream: mention that biometrics may be used for FIDO key
 user

verification as well as PIN. Prompted by Zack Newman, ok jmc@

OpenBSD-Commit-ID: b774a4438c9be70012661ee278450790d21277b8
---
 ssh-keygen.1 | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 06f0555a4..00246a861 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.233 2024/08/17 08:35:04 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.234 2024/11/27 13:00:23 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 17 2024 $
+.Dd $Mdocdate: November 27 2024 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -1041,13 +1041,11 @@ format.
 .Pp
 .It Ic verify-required
 Require signatures made using this key indicate that the user was first
-verified.
+verified, e.g. by PIN or on-token biometrics.
 This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
-Currently PIN authentication is the only supported verification method,
-but other methods may be supported in the future.
 .El
 .Pp
 At present, no standard options are valid for host keys.
-- 
2.47.3