patch: stop login_yubikey(8) leaking OTP data to syslog
Theo Buehler wrote:
>
> Thanks. I have committed this, but I should point out that
> login_yubikey will no longer work due to an earlier commit
> to uskbd.c:
>
> https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2

Thanks for merging this. If I understand correctly this would not
impact the Yubikey OTP BSD auth via login_yubikey over SSH or FTP,
only locally attached keys that act like a USB HID keyboard. In that
case, VMs would not be affected either if the key is attached under
another host OS.

That said, I politely appeal to Theo D. to revert this change because
it doesn't make sense. Yes - I fully agree Yubikey tooling is dogshit -
but it is what it is, and to be honest most people provision Yubikeys
on other platforms where they provide GUI tools such as Mac OS. Once
provisioned, the keys work fine.

I also don't buy this argument:

> We make a policy decision to not attach these as keyboards anymore,
> because a majority of users just want the FIDO functionality. If you
> want to use OTP, buy a different device from a different vendor

If users only want FIDO functionality, they should be buying the
Yubikey Security Key instead which is half the price and doesn't do
PIV or OTP. Or buy another vendor's cheaper product. In essence, they
wasted $40 by not reading the documentation before they clicked 'buy'.

The whole point of Yubikey OTP is that it *does* act like a USB
keyboard and thus requires no drivers and can be used remotely. One
man's 'accidental output' is another's intended output.

This decision seems a bit punitive but punishes the wrong group of
users: the ones that already have working OTP setups or deliberately
bought the product for the OTP functionality, and not the ones that
can't figure out what they're buying or have a dusty old box of
Yubikey 5's in the attic they're trying to make use of.

Regards
Lloyd