patch: stop login_yubikey(8) leaking OTP data to syslog
Lloyd wrote on 2025-08-14 22:59:

[snip]

> I also don't buy this argument:
>
>> We make a policy decision to not attach these as keyboards anymore,
>> because a majority of users just want the FIDO functionality. If you
>> want to use OTP, buy a different device from a different vendor

Same here, assuming what users use hardware for is a big mistake. Breaking
existing and established use cases is an even bigger one. FreeBSD may be a
bit silly at times, but their POLA policy is actually spot on.

[snip]

> The whole point of Yubikey OTP is that it *does* act like a USB keyboard
> and thus requires no drivers and can be used remotely. One man's
> 'accidental output' is another's intended output.

Exactly this.

> This decision seems a bit punitive but punishes the wrong group of users:
> the ones that already have working OTP setups or deliberately bought the
> product for the OTP functionality, and not the ones that can't figure out
> what they're buying or have a dusty old box of Yubikey 5's in the attic
> they're trying to make use of.

I also petition to revert this, or to make this a sysctl knob that defaults
to disabled so at least people that do want it can at least turn it back on
and have to do so knowingly. Some of us don't really have a say in what
security products our employers choose, and we'd like to continue using
OpenBSD.

Cheers,
Emiel Kollof