Emiel Kollof schreef op 2025-08-19 11:24:

> I also petition to revert this, or to make this a sysctl knob that 
> defaults
> to disabled so at least people that do want it can at least turn it 
> back
> on and have to do so knowingly.

Attached is a patch that does exactly this.

Cheers,
Emiel
Index: sys/sys/sysctl.h
===================================================================
RCS file: /cvs/src/sys/sys/sysctl.h,v
diff -u -p -r1.246 sysctl.h
--- sys/sys/sysctl.h	31 Jul 2025 09:05:11 -0000	1.246
+++ sys/sys/sysctl.h	20 Aug 2025 07:41:08 -0000
@@ -193,7 +193,8 @@ struct ctlname {
 #define	KERN_VIDEO		89	/* struct: video properties */
 #define	KERN_CLOCKINTR		90	/* node: clockintr */
 #define	KERN_AUTOCONF_SERIAL	91	/* int: kernel device tree state serial */
-#define	KERN_MAXID		92	/* number of valid kern ids */
+#define	KERN_YUBICO_SUCKS	92	/* int: Yubico is a horrible company */
+#define	KERN_MAXID		93	/* number of valid kern ids */
 
 #define	CTL_KERN_NAMES { \
 	{ 0, 0 }, \
@@ -288,6 +289,7 @@ struct ctlname {
 	{ "video", CTLTYPE_STRUCT }, \
  	{ "clockintr", CTLTYPE_NODE }, \
 	{ "autoconf_serial", CTLTYPE_INT }, \
+	{ "yubico_sucks", CTLTYPE_INT }, \
 }
 
 /*
Index: sys/kern/kern_sysctl.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
diff -u -p -r1.482 kern_sysctl.c
--- sys/kern/kern_sysctl.c	6 Aug 2025 14:00:33 -0000	1.482
+++ sys/kern/kern_sysctl.c	20 Aug 2025 07:41:08 -0000
@@ -344,6 +344,7 @@ extern int nosuidcoredump;
 extern int maxlocksperuid;
 extern int uvm_wxabort;
 extern int global_ptrace;
+extern int yubico_sucks;
 
 const struct sysctl_bounded_args kern_vars[] = {
 	{KERN_OSREV, &openbsd, SYSCTL_INT_READONLY},
@@ -397,6 +398,7 @@ const struct sysctl_bounded_args kern_va
 	{KERN_GLOBAL_PTRACE, &global_ptrace, 0, 1},
 #endif
 	{KERN_AUTOCONF_SERIAL, &autoconf_serial, SYSCTL_INT_READONLY},
+	{KERN_YUBICO_SUCKS, &yubico_sucks, 0, 1},
 };
 
 int
@@ -709,6 +711,7 @@ kern_sysctl(int *name, u_int namelen, vo
 	case KERN_NETLIVELOCKS:
 	case KERN_GLOBAL_PTRACE:
 	case KERN_AUTOCONF_SERIAL:
+	case KERN_YUBICO_SUCKS:
 #endif /* SMALL_KERNEL */
 	case KERN_OSREV:
 	case KERN_MAXPARTITIONS:
Index: sys/dev/usb/ukbd.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/ukbd.c,v
diff -u -p -r1.91 ukbd.c
--- sys/dev/usb/ukbd.c	14 Aug 2025 14:39:44 -0000	1.91
+++ sys/dev/usb/ukbd.c	20 Aug 2025 07:41:08 -0000
@@ -135,6 +135,14 @@ struct ukbd_softc {
 #endif
 };
 
+/* Disable yubico usb keys by default. Because of
+ *
+ * ccccccccccbkkrjuubeufctukdrlcejhlkidctfenjfr
+ *
+ * Enable with sysctl kern.yubico_sucks=1 and reinsert key
+ */
+int     yubico_sucks = 0;
+
 void	ukbd_cngetc(void *, u_int *, int *);
 void	ukbd_cnpollc(void *, int);
 void	ukbd_cnbell(void *, u_int, u_int, u_int);
@@ -196,12 +204,12 @@ ukbd_match(struct device *parent, void *
 	int size;
 	void *desc;
 
-	/*
-	 * Most Yubikey have OTP enabled by default, and the feature
-	 * is difficult to disable.  Policy decision: Don't attach
-	 * as a keyboard.
-	 */
-	if (uha->uaa->vendor == USB_VENDOR_YUBICO)
+        /*
+         * Most Yubikey have OTP enabled by default, and the feature
+         * is difficult to disable.  Policy decision: Don't attach
+         * as a keyboard by default. Set sysctl to enable (grep for it)
+         */
+	if (!yubico_sucks && uha->uaa->vendor == USB_VENDOR_YUBICO)
 		return (UMATCH_NONE);
 
 	if (UHIDEV_CLAIM_MULTIPLE_REPORTID(uha))

• yubico_sucks.diff (3K)