From: Kirill A. Korinsky
Subject: Re: another yubikey diff
To: Emiel Kollof
Cc: tech@openbsd.org
Date: Sat, 23 Aug 2025 02:45:07 +0200

On Sat, 23 Aug 2025 01:06:48 +0200, Emiel Kollof wrote:
>
> Brandon Mercer wrote on 2025-08-22 16:56:
> > On Fri, Aug 22, 2025, at 10:42 AM, Theo de Raadt wrote:
> >> Mark Kettenis wrote:
> >>
> >> > > From: "Theo de Raadt"
> >> > > Date: Fri, 22 Aug 2025 08:31:19 -0600
> >> > >
> >> > > Why not invert this with a "donotconnect" variable, then your diff
> >> > > shrinks significantly.
> >> >
> >> > Not really; the struct wkbddev_attach_args is typically allocated on
> >> > the stack, without an explicit memset, so the new member must be set.
> >>
> >> So change all those stack allocations to = { 0 }
> >>
> >> And change one driver to set .noconnect = 1;
> >>
> >>
> >> Making the default noconnect is going to explode someone's head later
> >> on when they write a new kbd driver.
> >
> > My reply has nothing to do with the diff and more to do with a
> > particular use case. My typical usage is to use my OTP to sign into my
> > machine upon boot. If I have to fiddle with wsconsctl in order to use
> > the yubikey OTP, then my initial sign on requires me to sign in first.
> > This makes me lean towards fixing the yubikey tools so it's easier to
> > reprogram the default behavior of slot one not to spam OTP's on each
> > press. I do agree that their tooling is arduous at very best and this
> > default behavior is prohibitive.
>
> So my idea and patch to add a sysctl (which you can add in
> /etc/sysctl.conf) isn't that crazy. Instead of fiddling with wsconsctl,
> you set a sysctl and reinsert your device and it magically works again,
> without having to log in.
>
> Adding a sysctl might be a kill-a-mosquito-with-a-nuke solution, but it
> is effective. And yes, better tools for yubikeys would be preferable,
> but it is what it is.
OTP can be disabled via ykman as: ykman config usb -d OTP

At least on the device which is plugged into my laptop. Yes, after I run
this command, no more random string from the device.

-- 
wbr, Kirill
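As an added illustration of the initialization question in the quoted exchange (this is example code written for this page, not OpenBSD source or anything from the thread): a new flag member in a stack-allocated attach-args struct can default to "connect" only if every driver zero-fills the struct, because an uninitialized automatic struct has indeterminate members. The struct below, its members, and the driver and attach functions are hypothetical stand-ins for wkbddev_attach_args and the wskbd attach path, chosen to show the `= { 0 }` and `.noconnect = 1` pattern Theo suggests.

```c
/*
 * Hypothetical stand-in for wkbddev_attach_args (not the real struct).
 * The point: with `= { 0 }` or a designated initializer, C zero-fills
 * every member that is not named, so a newly added flag is 0 ("connect")
 * in all existing drivers, and only the one driver that opts out has to
 * mention it.
 */
#include <stdbool.h>
#include <stddef.h>

struct kbd_attach_args {
	const char *name;   /* hypothetical: driver instance name */
	int console;        /* hypothetical: 1 if this may become the console */
	int noconnect;      /* the new member: 1 = do not connect as input */
};

/* Stand-in for the attach routine: returns true if the keyboard would be
 * connected to wscons, which is the default when noconnect == 0. */
static bool
kbd_attach(const struct kbd_attach_args *a)
{
	if (a->name == NULL)
		return false;
	return a->noconnect == 0;
}

/* An ordinary keyboard driver: zero-fills the struct, sets what it needs,
 * never mentions noconnect, and still gets the connecting default. */
bool
generic_kbd_driver_attach(void)
{
	struct kbd_attach_args a = { 0 };

	a.name = "genkbd0";
	a.console = 1;
	return kbd_attach(&a);
}

/* The one driver (a YubiKey-style OTP "keyboard") that opts out: the
 * designated initializer names only what it cares about; the rest is 0. */
bool
otp_kbd_driver_attach(void)
{
	struct kbd_attach_args a = {
		.name = "otpkbd0",
		.noconnect = 1,
	};

	return kbd_attach(&a);
}

/* Check of the language guarantee the pattern relies on: after a partial
 * designated initializer, every unnamed member is zero. Returns how many
 * of the two unnamed members read as 0 (expected: 2). */
int
unnamed_members_zeroed(void)
{
	struct kbd_attach_args a = { .name = "x" };
	int zero = 0;

	if (a.console == 0)
		zero++;
	if (a.noconnect == 0)
		zero++;
	return zero;
}
```

The contrast with the thread's objection is that a plain `struct kbd_attach_args a;` followed by field-by-field assignments would leave `noconnect` indeterminate, which is why the zero-fill has to be added to every stack allocation before the default can be inverted.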