diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c
index 40f0dc8c0..7a2355c1a 100644
--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -29,8 +29,6 @@
 #include "includes.h"
-#ifdef ENABLE_SK
-
 #include
 #include
@@ -203,4 +201,3 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 free(ktype);
 return ret;
 }
-#endif /* ENABLE_SK */
diff --git a/ssh-keygen.c b/ssh-keygen.c
index e90b85ffa..24e246c0b 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -3303,9 +3303,6 @@ main(int argc, char **argv)
 switch (type) {
 case KEY_ECDSA_SK:
 case KEY_ED25519_SK:
-#ifndef ENABLE_SK
- fatal("Security key support was disabled at compile time");
-#else /* ENABLE_SK */
 if (!quiet) {
 printf("You may need to touch your security key "
 "to authorize key generation.\n");
@@ -3316,7 +3313,6 @@ main(int argc, char **argv)
 sk_flags, NULL, &private, NULL) != 0)
 exit(1); /* error message already printed */
 break;
-#endif /* ENABLE_SK */
 default:
 if ((r = sshkey_generate(type, bits, &private)) != 0)
 fatal("sshkey_generate failed");
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index 92ac0e7e1..8a7ac97c4 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -198,6 +198,10 @@ sshsk_sign(const char *provider, struct sshkey *key,
 *sigp = NULL;
 *lenp = 0;
+#ifndef ENABLE_SK
+ return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
 if ((kbuf = sshbuf_new()) == NULL || (req = sshbuf_new()) == NULL) {
 r = SSH_ERR_ALLOC_FAIL;
@@ -266,6 +270,10 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
 if (attest != NULL)
 sshbuf_reset(attest);
+#ifndef ENABLE_SK
+ return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
 if (type < 0)
 return SSH_ERR_INVALID_ARGUMENT;
diff --git a/sshkey.c b/sshkey.c
index 674303c37..3bab2e893 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -2760,7 +2760,6 @@ sshkey_sign(struct sshkey *key,
 case KEY_ED25519_CERT:
 r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
 break;
-#ifdef ENABLE_SK
 case KEY_ED25519_SK:
 case KEY_ED25519_SK_CERT:
 case KEY_ECDSA_SK_CERT:
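Review bot: In ssh-sk-client.c the `#ifndef ENABLE_SK` early return added to sshsk_sign() (and repeated in sshsk_enroll() in the following hunk) leaves the rest of each body compiled but unreachable. A build without security-key support therefore still carries the request-building code and is likely to draw unreachable-code or unused-variable warnings. Turning the guard into `#ifndef ENABLE_SK` / `return ...;` / `#else`, with the matching `#endif` just before the function's closing brace, would keep that path out of disabled builds. `SSH_ERR_KEY_TYPE_UNKNOWN` also makes "compiled out" indistinguishable from an unrecognised key type for callers; a comment such as `/* security key support compiled out: refuse before building the request */` would at least record the intent. Both function bodies start and end outside their hunks.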
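Review bot: The stub return added to sshsk_enroll() in ssh-sk-client.c reports nothing, while the ssh-keygen.c hunk at -3316 keeps `exit(1); /* error message already printed */` after the commit drops `fatal("Security key support was disabled at compile time")`. Assuming the call whose tail is visible there is sshsk_enroll(), a build without ENABLE_SK now tells the user to touch a security key and then exits with no explanation. Logging in the stub, e.g. `error("%s: security key support was disabled at compile time", __func__);` if the file's logging header is in scope, would keep the diagnostic. The start of sshsk_enroll() is outside the hunk and only `attest` is visibly reset before the new return, so confirm the output key pointer is also cleared on this path.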
@@ -2768,7 +2767,6 @@ sshkey_sign(struct sshkey *key,
 r = sshsk_sign(sk_provider, key, sigp, lenp, data, datalen, compat);
 break;
-#endif /* ENABLE_SK */
 #ifdef WITH_XMSS
 case KEY_XMSS:
 case KEY_XMSS_CERT:
@@ -2807,12 +2805,10 @@ sshkey_verify(const struct sshkey *key,
 case KEY_ECDSA_CERT:
 case KEY_ECDSA:
 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
-# ifdef ENABLE_SK
 case KEY_ECDSA_SK_CERT:
 case KEY_ECDSA_SK:
 return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, compat, detailsp);
-# endif /* ENABLE_SK */
 # endif /* OPENSSL_HAS_ECC */
 case KEY_RSA_CERT:
 case KEY_RSA: