patch: stop login_yubikey(8) leaking OTP data to syslog
On Tue, Aug 19, 2025 at 04:15:29PM +0200, Emiel Kollof wrote:
| Loganaden Velvindron wrote on 2025-08-19 15:50:
| > > Some of us don't really have a say in what security products our
| > > employers choose, and we'd like to continue using OpenBSD.
|
| > Can you tell your employers to put pressure on the vendor to fix
| > this because your employer might no longer be a customer after the
| > next budget exercise ?
|
| I would love to, but I'm just an enthusiast that has to use this
| hardware for work, while my colleagues are happily using Linux which
| won't have this issue.
|
| So I doubt that will have any effect. They'd just say "well just use
| Linux".
|
| I've patched my kernel (it's a one line patch, really), and it just
| adds more hoops for me. I doubt doing something like this (although
| well intentioned) is not going to stop people that are not afraid to
| poke around in kernels. For new users that expect their Yubikeys to
| work in OTP mode it's going to be a hurdle.
|
| I sent a sendbug(1) when I encountered this at first. Expect many
| more from other users when 7.8 rolls around when they upgrade from
| 7.7 where it still works.
I've gone to https://support.yubico.com/hc/en-us/requests/new and put
in a request to improve their devices and documentation:
----------------------------------------------------------------------
Recently, the OpenBSD project disabled OTP support from Yubikey
devices by not attaching the USB keyboard driver to matching hardware
(any USB device with a vendor id of 0x1050). They did this to prevent
accidental touches from inserting gibberish into one's typing.

One problem listed as a reason to take this rather drastic measure is
the poor way in which users have to configure their Yubikeys: it
requires "buggy and fragile" tools using "crazy usb feature support",
thus making disabling OTP support "very annoying".

Those users wishing to use their Yubikey for its OTP functions are
left to patching their kernels (trivial if you know what to do, but
not for everyone).

To correct this issue, I would like to request that you make
configuring your devices simpler and better documented.

See https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2 for the
commit message that described the change I'm referring to.
----------------------------------------------------------------------
Of course, just one loony customer of theirs asking for something like
this is easy to ignore. But it's worth a shot.
Paul
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/