From: Stuart Henderson
Subject: Re: patch: stop login_yubikey(8) leaking OTP data to syslog
To: Lloyd
Cc: Emiel Kollof, tech@openbsd.org
Date: Wed, 20 Aug 2025 23:46:48 +0100

On 2025/08/20 18:18, Lloyd wrote:
> Stuart Henderson wrote:
>
> > though none of this helps with the actual problem that AIUI is really
> > what prompted the "disable attaching kbd" commit: the difficulty of
> > using the vendor's original management tools (to disable otp, or swap
> > it to the "long press" slot) - for that, implementing hidraw(4) might
> > be the best option as it would allow using the current vendor config
> > tool (rather than the old one yubikey-personalisation-gui which uses
> > libusb and is very awkward to get working on OpenBSD) - though there
> > is still a question of which uids get access to that (it feels
> > somewhat similar to the cases of microphones or cameras)
>
> IIRC Yubikey has multiple management interfaces. Because if you e.g.
> disable the OTP application that communicates over HID, you must use
> the CCID interface to re-enable it because it's no longer available.
>
> That said, would detaching the keyboard in effect disable the HID
> management interface as well?

i don't think so. might actually make it easier to use the hid
management interface. haven't tried recently but iirc you used to
have to prevent ukbd attaching in order to be able to use it.