another yubikey diff
On Sat, 23 Aug 2025 01:06:48 +0200,
Emiel Kollof <emiel@kollof.nl> wrote:
>
> Brandon Mercer schreef op 2025-08-22 16:56:
> > On Fri, Aug 22, 2025, at 10:42 AM, Theo de Raadt wrote:
> >> Mark Kettenis <mark.kettenis@xs4all.nl> wrote:
> >>
> >> > > From: "Theo de Raadt" <deraadt@openbsd.org>
> >> > > Date: Fri, 22 Aug 2025 08:31:19 -0600
> >> > >
> >> > > Why not invert this with a "donotconnect" variable, then your diff
> >> > > shrinks significantly.
> >> >
> >> > Not really; the struct wskbddev_attach_args is typically allocated on
> >> > the stack, without an explicit memset, so the new member must be set.
> >>
> >> So change all those stack allocations to = { 0 }
> >>
> >> And change one driver to set .noconnect = 1;
> >>
> >>
> >> Making the default noconnect is going to explode someone's head later
> >> on when they write a new kbd driver.
> >
> > My reply has nothing to do with the diff and more to do with a
> > particular use case. My typical usage is to use my OTP to sign into my
> > machine upon boot. If I have to fiddle with wsconsctl in order to use
> > the yubikey OTP, then my initial sign on requires me to sign in first.
> > This makes me lean towards fixing the yubikey tools so it's easier to
> > reprogram the default behavior of slot one not to spam OTPs on each
> > press. I do agree that their tooling is arduous at very best and this
> > default behavior is prohibitive.
>
> So my idea and patch to add a sysctl (which you can add in
> /etc/sysctl.conf) isn't that crazy. Instead of fiddling with wsconsctl,
> you set a sysctl and reinsert your device and it magically works again,
> without having to log in.
>
> Adding a sysctl might be a kill-a-mosquito-with-a-nuke solution, but it
> is effective. And yes, better tools for yubikeys would be preferable,
> but it is what it is.
>
OTP can be disabled via ykman as:
ykman config usb -d OTP
at least on the device which is plugged into my laptop.
Yes, after I run this command, no more random string from the device.
--
wbr, Kirill
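
Added example, not part of the thread and not code from any OpenBSD diff: a user-space model of the initialization point argued in the quoted exchange above (a new attach-args member on stack-allocated structs, versus "= { 0 }" plus an inverted noconnect flag). The struct and function names are hypothetical stand-ins, and the 0xA5 fill only models leftover stack contents so that the behaviour stays defined.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a keyboard attach-args struct. */
struct mock_attach_args {
	int console;
	int noconnect;	/* new member, inverted sense: 0 means connect */
};

/* Models the attach path: connect unless the driver opted out. */
static int mock_should_connect(const struct mock_attach_args *a)
{
	return !a->noconnect;
}

/* Existing driver: zero-initialized, never mentions the new member. */
int legacy_driver_connects(void)
{
	struct mock_attach_args a = { 0 };

	a.console = 1;
	return mock_should_connect(&a);
}

/* The single driver that opts out of the default. */
int otp_driver_connects(void)
{
	struct mock_attach_args a = { 0 };

	a.noconnect = 1;
	return mock_should_connect(&a);
}

/* Old pattern: no initializer, only the known members assigned.
 * The memset stands in for whatever bytes were left on the stack. */
int stale_stack_driver_connects(void)
{
	struct mock_attach_args a;

	memset(&a, 0xA5, sizeof(a));
	a.console = 1;
	return mock_should_connect(&a);
}

int main(void)
{
	printf("legacy=%d otp=%d stale=%d\n", legacy_driver_connects(),
	    otp_driver_connects(), stale_stack_driver_connects());
	return 0;
}
```

The third function shows why the member cannot simply be added without touching the callers: a driver that neither zero-initializes nor assigns it ends up with whatever the stack held deciding whether the keyboard connects.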