patch: stop login_yubikey(8) leaking OTP data to syslog
On Wed, Aug 13, 2025 at 12:00:17AM +0000, Lloyd wrote:
> Reposting this patch in case someone wants to consider merging it.
>
> login_yubikey(8) writes out secrets from /var/db/yubikey into syslog.
>
> If you forward syslog messages to a remote server, these could be
> leaked or compromised. Note the cleartext values are encrypted with
> another key to form the complete OTP. It's not hugely terrible but
> writing data from /var/db/yubikey into syslog seems very wrong and
> there is no good reason to do it unless you are doing development.
>
> The data is considered private by Yubico. 'uid' is a misnomer as
> it's not a username, or UNIX UID, but rather a shared secret.
>
> /var/db/yubikey is normally 0770 root:auth.

Thanks. I have committed this, but I should point out that login_yubikey
will no longer work due to an earlier commit to uskbd.c:

https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2