From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Lloyd <ng2d68@proton.me>
Cc: Theo Buehler <tb@theobuehler.org>, "tech@openbsd.org" <tech@openbsd.org>
Date: Thu, 14 Aug 2025 15:22:09 -0600

ccccccluufelcluublrnvrefefgebjddbedivujkndic

Lloyd <ng2d68@proton.me> wrote:

> Theo Buehler wrote:
> 
> > 
> > Thanks. I have committed this, but I should point out that
> > login_yubikey will no longer work due to an earlier commit
> > to uskbd.c:
> > 
> > https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2
> 
> Thanks for merging this. If I understand correctly this would not impact
> the Yubikey OTP BSD auth via login_yubikey over SSH or FTP, only locally
> attached keys that act like a USB HID keyboard. In that case, VMs would
> not be affected either if the key is attached under another host OS.
> 
> That said, I politely appeal to Theo D. to revert this change because it
> doesn't make sense. Yes - I fully agree Yubikey tooling is dogshit - but
> it is what it is, and to be honest most people provision Yubikeys on other
> platforms where they provide GUI tools such as Mac OS. Once provisioned,
> the keys work fine.
> 
> I also don't buy this argument:
> 
> > We make a policy decision to not attach these as keyboards anymore,
> > because a majority of users just want the FIDO functionality.  If you
> > want to use OTP, buy a different device from a different vendor
> 
> If users only want FIDO functionality, they should be buying the Yubikey
> Security Key instead which is half the price and doesn't do PIV or OTP.
> 
> Or buy another vendor's cheaper product. In essence, they wasted $40 by
> not reading the documentation before they clicked 'buy'.
> 
> The whole point of Yubikey OTP is that it *does* act like a USB keyboard
> and thus requires no drivers and can be used remotely. One man's
> 'accidental output' is another's intended output.
> 
> This decision seems a bit punitive but punishes the wrong group of users:
> the ones that already have working OTP setups or deliberately bought the
> product for the OTP functionality, and not the ones that can't figure out
> what they're buying or have a dusty old box of Yubikey 5's in the attic
> they're trying to make use of.
> 
> Regards
> Lloyd
>
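The subject of this thread is a patch that stops login_yubikey(8) from writing OTP material to syslog. As an added editorial example (not the committed patch, and not OpenBSD code), the function below shows one way a logging path can scrub a YubiKey OTP out of a message before it reaches syslog, keeping only the 12-character public identity that is not secret. It assumes the standard Yubico OTP layout (44 modhex characters, the first 12 being the public ID) and the standard modhex alphabet; the log line it is run on is constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Standard modhex alphabet used by YubiKey OTPs (assumed from the public format). */
static const char MODHEX[] = "cbdefghijklnrtuv";

#define OTP_LEN        44            /* full YubiKey OTP, in modhex characters */
#define OTP_PUBID_LEN  12            /* leading public identity, safe to keep */
#define REDACTED       "[otp-redacted]"

/* True if c is one of the 16 modhex letters (the NUL check keeps strchr honest). */
static bool is_modhex(char c)
{
	return c != '\0' && strchr(MODHEX, c) != NULL;
}

/*
 * Copy `in` to `out`, replacing the secret part of every bounded 44-char
 * modhex token with REDACTED while keeping its public ID.
 * Returns the number of tokens redacted, or -1 if `out` is too small.
 */
int redact_otp(const char *in, char *out, size_t outlen)
{
	const char *p = in;
	size_t o = 0;
	int redacted = 0;
	const size_t rlen = strlen(REDACTED);

	while (*p != '\0') {
		/* Measure the run of modhex characters starting at p. */
		size_t run = 0;
		while (is_modhex(p[run]))
			run++;

		/* Only treat it as an OTP if it is a whole word, not part of one. */
		bool bounded = (p == in || !isalnum((unsigned char)p[-1])) &&
		    !isalnum((unsigned char)p[run]);

		if (run == OTP_LEN && bounded) {
			if (o + OTP_PUBID_LEN + rlen >= outlen)
				return -1;
			memcpy(out + o, p, OTP_PUBID_LEN);
			o += OTP_PUBID_LEN;
			memcpy(out + o, REDACTED, rlen);
			o += rlen;
			p += run;
			redacted++;
		} else if (run > 0) {
			/* Ordinary word made of modhex letters: copy verbatim. */
			if (o + run >= outlen)
				return -1;
			memcpy(out + o, p, run);
			o += run;
			p += run;
		} else {
			if (o + 1 >= outlen)
				return -1;
			out[o++] = *p++;
		}
	}
	out[o] = '\0';
	return redacted;
}

int main(void)
{
	/* Constructed log line containing the OTP quoted in this thread. */
	const char *line = "login_yubikey: failed otp "
	    "ccccccluufelcluublrnvrefefgebjddbedivujkndic for user lloyd";
	char buf[256];

	if (redact_otp(line, buf, sizeof buf) < 0)
		return 1;
	printf("%s\n", buf);
	return 0;
}
```

Calling redact_otp() at the point where the auth module formats its syslog message means a failed or replayed OTP can still be correlated to a key by its public ID without the remaining 32 characters ever landing on disk.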