
From:
Loganaden Velvindron <loganaden@gmail.com>
Subject:
Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To:
Emiel Kollof <emiel@kollof.nl>
Cc:
tech@openbsd.org
Date:
Tue, 19 Aug 2025 17:50:27 +0400


Thread
  • Emiel Kollof:

    patch: stop login_yubikey(8) leaking OTP data to syslog

  • On Tue, 19 Aug 2025 at 13:25, Emiel Kollof <emiel@kollof.nl> wrote:
    >
    > Lloyd wrote on 2025-08-14 22:59:
    >
    > [snip]
    >
    > > I also don't buy this argument:
    > >
    > >> We make a policy decision to not attach these as keyboards anymore,
    > >> because a majority of users just want the FIDO functionality.  If you
    > >> want to use OTP, buy a different device from a different vendor
    >
    > Same here, assuming what users use hardware for is a big mistake.
    > Breaking existing and established use cases is an even bigger one.
    >
    > FreeBSD may be a bit silly at times, but their POLA policy is actually
    > spot on.
    >
    > [snip]
    >
    > > The whole point of Yubikey OTP is that it *does* act like a USB
    > > keyboard and thus requires no drivers and can be used remotely.
    > > One man's 'accidental output' is another's intended output.
    >
    > Exactly this.
    >
    > > This decision seems a bit punitive but punishes the wrong group of
    > > users: the ones that already have working OTP setups or deliberately
    > > bought the product for the OTP functionality, and not the ones that
    > > can't figure out what they're buying or have a dusty old box of
    > > Yubikey 5's in the attic they're trying to make use of.
    >
    > I also petition to revert this, or to make this a sysctl knob that
    > defaults to disabled so at least people that do want it can at least
    > turn it back on and have to do so knowingly.
    >
    > Some of us don't really have a say in what security products our
    > employers choose, and we'd like to continue using OpenBSD.
    >
    
    Can you tell your employers to put pressure on the vendor to fix this because
    your employer might no longer be a customer after the next budget exercise?
    
    
    > Cheers,
    > Emiel Kollof
    >
    
    