From: Paul de Weerd
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Emiel Kollof
Cc: Loganaden Velvindron, tech@openbsd.org
Date: Tue, 19 Aug 2025 18:55:24 +0200

On Tue, Aug 19, 2025 at 04:15:29PM +0200, Emiel Kollof wrote:
| Loganaden Velvindron wrote on 2025-08-19 15:50:
| > > Some of us don't really have a say in what security products our
| > > employers choose, and we'd like to continue using OpenBSD.
|
| > Can you tell your employers to put pressure on the vendor to fix
| > this because your employer might no longer be a customer after the
| > next budget exercise?
|
| I would love to, but I'm just an enthusiast that has to use this
| hardware for work, while my colleagues are happily using Linux which
| won't have this issue.
|
| So I doubt that will have any effect. They'd just say "well, just use
| Linux".
|
| I've patched my kernel (it's a one-line patch, really), and it just
| adds more hoops for me. I doubt doing something like this (although
| well intentioned) is not going to stop people that are not afraid to
| poke around in kernels. For new users that expect their Yubikeys to
| work in OTP mode it's going to be a hurdle.
|
| I sent a sendbug(1) when I encountered this at first. Expect many
| more from other users when 7.8 rolls around and they upgrade from
| 7.7, where it still works.

I've gone to https://support.yubico.com/hc/en-us/requests/new and put in
a request to improve their devices and documentation:

----------------------------------------------------------------------
Recently, the OpenBSD project disabled OTP support from Yubikey devices
by not attaching the USB keyboard driver to matching hardware (any USB
device with a vendor id of 0x1050). They did this to prevent accidental
touches from inserting gibberish into one's typing.

One problem listed as a reason to take this rather drastic measure is
the poor way in which users have to configure their Yubikeys: it
requires "buggy and fragile" tools using "crazy usb feature support",
thus making disabling OTP support "very annoying". Those users wishing
to use their Yubikey for its OTP functions are left to patching their
kernels (trivial if you know what to do, but not for everyone).

To correct this issue, I would like to request that you make configuring
your devices simpler and better documented.

See https://marc.info/?l=openbsd-cvs&m=175518230509430&w=2 for the
commit message that described the change I'm referring to.
----------------------------------------------------------------------

Of course, just one loony customer of theirs asking for something like
this is easy to ignore. But it's worth a shot.

Paul

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                         http://www.weirdnet.nl/