PIN re-prompt behavior
bpfoley45 opened this issue · 1 comment
I have successfully configured the agent to use my PIV cert on my YubiKey for use with win32_openssh. I am prompted for the PIN when connecting via:
ssh -A host.fqdn -l certuser
I also found that running sudo -l prompts for the PIN as well. However, I do not get prompted when disconnecting and reconnecting, nor on subsequent sudo attempts (after the timeout).
Is there a way to enforce a timeout or force PIN re-authentication every time?
You can change the slot you use or modify the PIN policy. A PIV-enabled YubiKey NEO holds 4 distinct slots for certificates and a YubiKey 4 & 5 holds 24, as specified in the PIV standards document. The PIN policy for these slots is based on the PIV standard. It can be changed on the YubiKey 4 & 5.
See also: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
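As an added example (not part of the issue or the reply above), one way to apply the suggestion of changing the PIN policy, assuming Yubico's ykman CLI is installed (the thread does not name a tool): generate a new key in slot 9a with PIN policy ALWAYS, so the agent has to re-prompt for the PIN on every signature, i.e. every ssh connection and every sudo.

```powershell
# Added example, not from the thread. Assumes the ykman CLI (not named on the page).
# Run from a PowerShell prompt on the Windows host where win32_openssh is used.

# 1. Inspect the current slots: the output lists the PIN and touch policy of each key.
ykman piv info

# 2. Generate a new key in slot 9a (PIV Authentication) with PIN policy ALWAYS.
#    Note: this replaces any key already in the slot, so the old certificate is lost.
#    ykman prompts for the PIV management key.
ykman piv keys generate --algorithm ECCP256 --pin-policy ALWAYS --touch-policy NEVER 9a pubkey.pem

# 3. Load a certificate for the new key. A self-signed certificate is enough for
#    SSH public-key authentication; for a CA-issued one use
#    'ykman piv certificates request' and import the signed result instead.
ykman piv certificates generate --subject "CN=certuser" 9a pubkey.pem

# 4. Confirm the slot now reports "PIN policy: ALWAYS".
ykman piv info

# Alternative from the reply ("change the slot"): slot 9c (Digital Signature) already
# has PIN policy ALWAYS by PIV default, so a key generated there without --pin-policy
# behaves the same way. The agent then needs to be pointed at that slot instead of 9a.
```

After the change, the public key to place in authorized_keys must be re-exported from the new slot, since the old key pair no longer exists.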