Good question, I’m also trying to force the PIN query, but just to try it. For productive FIDO2 U2F OpenSSH authentication, the OnlyKey PIN + a one-time FIDO2 PIN entry at ssh-add -K to the ssh-agent + touching an OnlyKey button at each SSH login is enough for me.
As suggested here, I tried both options on the server (remote system):
- Appended verify-required in ~/.ssh/authorized_keys:
  sk-ssh-ed25519@openssh.com <EntryID> verify-required
- and added PubkeyAuthOptions verify-required in the sshd_config file on the remote system, then reloaded sshd afterwards.
The FIDO2 PIN is only required once if the key is added to the ssh-agent with ssh-add -K. After that, touching the OnlyKey is all that is required for each SSH login on the servers.
Hint: If I have an OnlyKey and a YubiKey in the laptop at the same time, I can’t use the CLIs (onlykey-cli and ykman).
By the way: YubiKey sucks!
This doesn’t belong here, but it shows the advantages of open-source OnlyKeys and NitroKeys. The firmware on my Yubi 5 can’t generate non-discoverable ed25519-sk keys or discoverable (resident) ed25519-sk or ecdsa-sk keys. Because a YubiKey can’t upgrade its firmware, I would have to buy new ones again: the YubiKey NEO couldn’t do FIDO2, then I bought a Yubi 5 that can’t do FIDO2 SSH auth now. I’ll never buy a YubiKey again.
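The verify-required setup described in the post (the authorized_keys option plus PubkeyAuthOptions in sshd_config) is easy to get subtly wrong, so here is an added audit script for the server side; it is not code from the post, from OnlyKey, or from OpenSSH. It assumes OpenSSH 8.4 or newer on the server (where verify-required and PubkeyAuthOptions were introduced) and a POSIX awk; the key blobs in it are constructed placeholders. One caveat it encodes: sshd parses authorized_keys options only when they come before the key type, so a "verify-required" written after the key blob is just the comment field and is not enforced, and the script reports such sk keys as missing the option. The sshd -T check has to run as root on the server.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from OnlyKey/OpenSSH:
# audit an authorized_keys file so every FIDO2 (sk-*) key carries the
# verify-required OPTION, emit a hardened copy, and check the effective
# sshd configuration. Assumes OpenSSH 8.4+ (verify-required, PubkeyAuthOptions).
set -u

# Print the sk-* key lines from stdin whose options field lacks verify-required.
# sshd only honours options that precede the key type; "verify-required" after
# the key blob is merely the comment, so such lines are reported as missing.
# (Simple parser: options with quoted, space-containing values are not handled.)
sk_keys_missing_verify() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
    {
      keyidx = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^sk-/) { keyidx = i; break }
      if (!keyidx) next                              # not a FIDO2 key line
      opts = ""
      for (i = 1; i < keyidx; i++) opts = opts "," $i
      if (opts !~ /(^|,)verify-required(,|$)/) print
    }'
}

# Copy stdin to stdout, prepending verify-required to the options of every
# sk-* line that does not already have it. Non-sk keys, comments and lines
# that already enforce it pass through unchanged. authorized_keys options
# are comma-separated, so an existing options field is joined with a comma.
harden_authorized_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { print; next }
    {
      keyidx = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^sk-/) { keyidx = i; break }
      if (!keyidx) { print; next }
      opts = ""
      for (i = 1; i < keyidx; i++) opts = opts (opts == "" ? "" : ",") $i
      if (opts ~ /(^|,)verify-required(,|$)/) { print; next }
      rest = ""
      for (i = keyidx; i <= NF; i++) rest = rest (rest == "" ? "" : " ") $i
      prefix = (opts == "") ? "verify-required" : ("verify-required," opts)
      print prefix " " rest
    }'
}

# Read the output of `sshd -T` (effective config, run as root) from stdin and
# exit 0 only if PubkeyAuthOptions includes verify-required server-wide.
# Usage on the server:  sshd -T | pubkeyauthoptions_has_verify && echo enforced
pubkeyauthoptions_has_verify() {
  awk '
    tolower($1) == "pubkeyauthoptions" {
      n = split($0, f, /[ \t,]+/)
      for (i = 2; i <= n; i++) if (f[i] == "verify-required") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample file (placeholder blobs, not real keys): one sk key done
# right, one with verify-required only as a trailing comment, one with no
# options at all, and a plain ed25519 key that must be left alone.
SAMPLE_AUTHORIZED_KEYS='# laptop keys
verify-required,no-port-forwarding sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER1 onlykey-good
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER2 verify-required
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb21PLACEHOLDER3 nitrokey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 non-fido-key'

echo "sk keys WITHOUT an enforced verify-required option:"
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | sk_keys_missing_verify
echo
echo "hardened authorized_keys:"
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | harden_authorized_keys
```

Run it against a real file with `sk_keys_missing_verify < ~/.ssh/authorized_keys`; an empty result means every FIDO2 key on that account demands user verification regardless of what sshd_config says. Setting PubkeyAuthOptions verify-required additionally covers keys added later by users who forget the option, which is why the post's belt-and-braces approach of doing both is sensible.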