another yubikey diff
On Sat, 23 Aug 2025 06:38:27 +0200,
Lloyd <ng2d68@proton.me> wrote:
>
> Theo de Raadt wrote:
>
> > So instead, find developers who can fix the OTP disabling garbage
> > software
>
> We can all sit around a table and agree something is 'garbage' but
> it does not translate very well into actual requirements. I am
> struggling to understand what the grievance is here for a piece of
> software that has to be used exactly once then thrown away.
>
> I'm sure a native 'ykctl' would be better - and without the kitchen
> sink of Python libraries required - but the ROI isn't great.
>

I think that ykctl is retired and ykman is the right official tool.

Other supported way is https://github.com/Yubico/yubioath-flutter

> > if devices can be reconfigured using OpenBSD instead of
> > Windows to stop doing OTP, the firm position can be reconsidered.
>
> As Kirill pointed out, the Yubico tools are in ports, they can be
> reconfigured on OpenBSD. Am I missing something here? This token
> is a few years old so it's possible the newer ones don't work as
> well, but I was able to disable OTP on a YubiKey 5 Nano on 7.7:
>
> # ykman info | grep Enabled
> Enabled USB interfaces: OTP, FIDO, CCID
>
> # ykman config usb -d OTP
> WARNING: No OTP HID backend available. OTP protocols will not function.
> ERROR: Unable to list devices for connection
> USB configuration changes:
> Disable Yubico OTP
> The YubiKey will reboot
> Proceed? [y/N]: y
> USB application configuration updated.
>
> # ykman info | grep Enabled
> Enabled USB interfaces: FIDO, CCID
>
> (no more cccccc...)
>

It has one more way to disable it:

  ykman otp delete 1
  ykman otp delete 2

which "releases" OTP from slot 1 (short-press) and 2 (long-press).

-- 
wbr, Kirill