From eef18e32cdfaeaf76a0810c01e00f1c460ca03fe Mon Sep 17 00:00:00 2001
From: Chloe Surett
Date: Mon, 17 Nov 2025 11:57:09 -0500
Subject: [PATCH 1/4] ssh: T7483: Add fido2 PubkeyAuthOptions

---
 data/templates/ssh/sshd_config.j2 | 12 ++++++++++++
 interface-definitions/service_ssh.xml.in | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 1315bf2cbe..9f785654ac 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -72,6 +72,18 @@ HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
 PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
 {% endif %}
 
+{% set configured_pubkey_options = [] %}
+{% if verify_required is vyos_defined %}
+{{ configured_pubkey_options.append('verify-required') }}
+{% endif %}
+{% if touch_required is vyos_defined %}
+{{ configured_pubkey_options.append('touch-required') }}
+{% endif %}
+{% if configured_pubkey_options | length > 0 %}
+# Sets one or more public key authentication options.
+PubkeyAuthOptions {{ configured_pubkey_options | join(',') }}
+{% endif %}
+
 {% if mac is vyos_defined %}
 # Specifies the available MAC (message authentication code) algorithms
 MACs {{ mac | join(',') }}
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index c659a7db7e..585c268ff8 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -61,6 +61,18 @@
+
+
+ Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)
+
+
+
+
+
+ Require FIDO2 keys to attest that a user is physically present
+
+
+
 Allow dynamic protection

From 0310c836ca6370e0b781c8b6a833ba3c01c38ad4 Mon Sep 17 00:00:00 2001
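Review bot: The `{{ configured_pubkey_options.append('verify-required') }}` and `{{ configured_pubkey_options.append('touch-required') }}` lines are output expressions, and `list.append` returns `None`, which a default Jinja2 environment renders as the literal text `None`; unless the project's template environment is configured to drop `None` (not visible here), each enabled option also writes a bare `None` line into sshd_config, which sshd rejects as a bad configuration option. A statement form produces no output: `{% set _ = configured_pubkey_options.append('verify-required') %}` (or `{% do ... %}` if that extension is enabled). The same two lines are carried unchanged as context through the template hunks of patches 2/4 and 3/4, so fixing them here propagates. It would also be worth the smoketest in patch 4/4 asserting that the rendered file contains no `None` line.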
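Review bot: The help strings `Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)` and `Require FIDO2 keys to attest that a user is physically present` read as if the setting enforces a hardware key, but OpenSSH's `PubkeyAuthOptions verify-required`/`touch-required` only constrain signatures made with security-key (`*-sk`) credentials and have no effect on ordinary public keys, so an operator who enables them still accepts non-FIDO2 keys. Saying so in the help text avoids a false sense of enforcement, e.g. `Require FIDO2 key signatures to attest user verification (e.g. PIN); non-FIDO2 keys are unaffected`. The element tags in this hunk are not preserved on this page, so the node structure itself cannot be checked here; the same strings are moved unchanged under the `fido` node in patch 2/4.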
From: Chloe Surett
Date: Thu, 20 Nov 2025 12:00:55 -0500
Subject: [PATCH 2/4] ssh: T7483: Update fido2 option names

---
 data/templates/ssh/sshd_config.j2 | 6 ++++--
 interface-definitions/service_ssh.xml.in | 27 +++++++++++++++---------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 9f785654ac..a87a12ba0e 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -72,17 +72,19 @@ HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
 PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
 {% endif %}
 
+{% if fido is vyos_defined %}
 {% set configured_pubkey_options = [] %}
-{% if verify_required is vyos_defined %}
+{% if fido.pin_required is vyos_defined %}
 {{ configured_pubkey_options.append('verify-required') }}
 {% endif %}
-{% if touch_required is vyos_defined %}
+{% if fido.touch_required is vyos_defined %}
 {{ configured_pubkey_options.append('touch-required') }}
 {% endif %}
 {% if configured_pubkey_options | length > 0 %}
 # Sets one or more public key authentication options.
 PubkeyAuthOptions {{ configured_pubkey_options | join(',') }}
 {% endif %}
+{% endif %}
 
 {% if mac is vyos_defined %}
 # Specifies the available MAC (message authentication code) algorithms
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index 585c268ff8..13449a259f 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -61,18 +61,25 @@
-
+
- Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)
-
-
-
-
-
- Require FIDO2 keys to attest that a user is physically present
-
+ FIDO2 SSH options
-
+
+
+
+ Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)
+
+
+
+
+
+ Require FIDO2 keys to attest that a user is physically present
+
+
+
+
+
 Allow dynamic protection
From 2e739ed2e39cf4d157fa0be635cdab323462f4cc Mon Sep 17 00:00:00 2001
From: Chloe Surett
Date: Thu, 20 Nov 2025 12:12:34 -0500
Subject: [PATCH 3/4] ssh: T7483: Fix sshd template indentation

---
 data/templates/ssh/sshd_config.j2 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index a87a12ba0e..a920f88406 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -73,17 +73,17 @@ PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
 {% endif %}
 
 {% if fido is vyos_defined %}
-{% set configured_pubkey_options = [] %}
-{% if fido.pin_required is vyos_defined %}
+{% set configured_pubkey_options = [] %}
+{% if fido.pin_required is vyos_defined %}
 {{ configured_pubkey_options.append('verify-required') }}
-{% endif %}
-{% if fido.touch_required is vyos_defined %}
+{% endif %}
+{% if fido.touch_required is vyos_defined %}
 {{ configured_pubkey_options.append('touch-required') }}
-{% endif %}
-{% if configured_pubkey_options | length > 0 %}
+{% endif %}
+{% if configured_pubkey_options | length > 0 %}
 # Sets one or more public key authentication options.
 PubkeyAuthOptions {{ configured_pubkey_options | join(',') }}
-{% endif %}
+{% endif %}
 {% endif %}
 
 {% if mac is vyos_defined %}

From bddeabcc68e2c0c73a95b69da50350e1842cede1 Mon Sep 17 00:00:00 2001
From: Chloe Surett
Date: Mon, 24 Nov 2025 12:41:28 -0500
Subject: [PATCH 4/4] smoketest: T7483: Add fido ssh smoketest

---
 smoketest/scripts/cli/test_service_ssh.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index 6935464a74..51a717032d 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -495,5 +495,22 @@ def test_ssh_trusted_user_ca(self):
         self.assertNotIn('none', authorize_principals_file_config)
         self.assertFalse(os.path.exists(f'/home/{test_user}/.ssh/authorized_principals'))
 
+    def test_ssh_fido(self):
+        # Order does matter for this test because of how the template
+        # collects and maps the options.
+        opt_map = {
+            'pin-required': 'verify-required',
+            'touch-required': 'touch-required',
+        }
+        expected = 'PubkeyAuthOptions '
+        for k, v in opt_map.items():
+            self.cli_set(base_path + ['fido', k])
+            expected = f'{expected}{v},'
+        expected = expected[:-1]
+        self.cli_commit()
+        tmp_sshd_conf = read_file(SSHD_CONF)
+        self.assertIn(expected, tmp_sshd_conf)
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2, failfast=VyOSUnitTestSHIM.TestCase.debug_on())
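Review bot: `expected` is grown with `expected = f'{expected}{v},'` inside the loop and then trimmed with `expected = expected[:-1]`; `expected = 'PubkeyAuthOptions ' + ','.join(opt_map.values())` produces the same string directly, keeps the dict-order dependence the comment explains, and leaves the loop with only the `cli_set` call. The assertion only checks that the combined line is present: nothing confirms that `PubkeyAuthOptions` is absent when no `fido` option is set, or that sshd actually accepted the rendered file, so a template that always emitted the line or emitted stray text alongside it would still pass — an `assertNotIn('PubkeyAuthOptions', read_file(SSHD_CONF))` before the loop and a service-active check after `cli_commit()` would cover both. `test_ssh_fido` is complete within the hunk, but the enclosing test class begins outside it, so how state is reset between tests is not visible here.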