From: "Theo de Raadt"
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Emiel Kollof
Cc: Loganaden Velvindron, tech@openbsd.org
Date: Tue, 19 Aug 2025 09:07:32 -0600

cccccblddbkhttjnhvbufcvrtggtvvfnuviieecckfcg

Emiel Kollof wrote:
> Loganaden Velvindron wrote on 2025-08-19 15:50:
> >> Some of us don't really have a say in what security products our
> >> employers choose, and we'd like to continue using OpenBSD.
>
> > Can you tell your employers to put pressure on the vendor to fix
> > this because your employer might no longer be a customer after the
> > next budget exercise?
>
> I would love to, but I'm just an enthusiast that has to use this
> hardware for work, while my colleagues are happily using Linux which
> won't have this issue.
>
> So I doubt that will have any effect. They'd just say "well just use
> Linux".
>
> I've patched my kernel (it's a one line patch, really), and it just
> adds more hoops for me. I doubt doing something like this (although
> well intentioned) is not going to stop people that are not afraid to
> poke around in kernels. For new users that expect their Yubikeys to
> work in OTP mode it's going to be a hurdle.
>
> I sent a sendbug(1) when I encountered this at first. Expect many more
> from other users when 7.8 rolls around when they upgrade from 7.7
> where it still works.
>
> Cheers,
> Emiel