From: Loganaden Velvindron
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Emiel Kollof
Cc: tech@openbsd.org
Date: Tue, 19 Aug 2025 17:50:27 +0400

On Tue, 19 Aug 2025 at 13:25, Emiel Kollof wrote:
>
> Lloyd wrote on 2025-08-14 22:59:
>
> [snip]
>
> > I also don't buy this argument:
> >
> >> We make a policy decision to not attach these as keyboards anymore,
> >> because a majority of users just want the FIDO functionality. If you
> >> want to use OTP, buy a different device from a different vendor
>
> Same here, assuming what users use hardware for is a big mistake.
> Breaking existing and established use cases is an even bigger one.
>
> FreeBSD may be a bit silly at times, but their POLA policy is actually
> spot on.
>
> [snip]
>
> > The whole point of Yubikey OTP is that it *does* act like a USB
> > keyboard and thus requires no drivers and can be used remotely.
> > One man's 'accidental output' is another's intended output.
>
> Exactly this.
>
> > This decision seems a bit punitive but punishes the wrong group of
> > users: the ones that already have working OTP setups or deliberately
> > bought the product for the OTP functionality, and not the ones that
> > can't figure out what they're buying or have a dusty old box of
> > Yubikey 5's in the attic they're trying to make use of.
>
> I also petition to revert this, or to make this a sysctl knob that
> defaults to disabled so at least people that do want it can at least
> turn it back on and have to do so knowingly.
>
> Some of us don't really have a say in what security products our
> employers choose, and we'd like to continue using OpenBSD.
>

Can you tell your employers to put pressure on the vendor to fix this
because your employer might no longer be a customer after the next
budget exercise?

> Cheers,
> Emiel Kollof
>