From: "Theo de Raadt"
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Lloyd
Cc: Theo Buehler, "tech@openbsd.org"
Date: Thu, 14 Aug 2025 15:22:09 -0600

ccccccluufelcluublrnvrefefgebjddbedivujkndic

Lloyd wrote:

> Theo Buehler wrote:
>
> >
> > Thanks. I have committed this, but I should point out that
> > login_yubikey will no longer work due to an earlier commit
> > to uskbd.c:
> >
> > https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2
>
> Thanks for merging this. If I understand correctly this would not impact
> the Yubikey OTP BSD auth via login_yubikey over SSH or FTP, only locally
> attached keys that act like a USB HID keyboard. In that case, VMs would
> not be affected either if the key is attached under another host OS.
>
> That said, I politely appeal to Theo D. to revert this change because it
> doesn't make sense. Yes - I fully agree Yubikey tooling is dogshit - but
> it is what it is, and to be honest most people provision Yubikeys on other
> platforms where they provide GUI tools such as Mac OS. Once provisioned,
> the keys work fine.
>
> I also don't buy this argument:
>
> > We make a policy decision to not attach these as keyboards anymore,
> > because a majority of users just want the FIDO functionality. If you
> > want to use OTP, buy a different device from a different vendor
>
> If users only want FIDO functionality, they should be buying the Yubikey
> Security Key instead which is half the price and doesn't do PIV or OTP.
>
> Or buy another vendor's cheaper product. In essence, they wasted $40 by
> not reading the documentation before they clicked 'buy'.
>
> The whole point of Yubikey OTP is that it *does* act like a USB keyboard
> and thus requires no drivers and can be used remotely. One man's
> 'accidental output' is another's intended output.
>
> This decision seems a bit punitive but punishes the wrong group of users:
> the ones that already have working OTP setups or deliberately bought the
> product for the OTP functionality, and not the ones that can't figure out
> what they're buying or have a dusty old box of Yubikey 5's in the attic
> they're trying to make use of.
>
> Regards
> Lloyd
>