From: Lloyd
Subject: Re: another yubikey diff
To: Theo de Raadt
Cc: Emiel Kollof, tech@openbsd.org
Date: Sat, 23 Aug 2025 04:38:27 +0000

Theo de Raadt wrote:

> So instead, find developers who can fix the OTP disabling garbage
> software

We can all sit around a table and agree something is 'garbage' but it does not translate very well into actual requirements.

I am struggling to understand what the grievance is here for a piece of software that has to be used exactly once then thrown away. I'm sure a native 'ykctl' would be better - and without the kitchen sink of Python libraries required - but the ROI isn't great.

> if devices can be reconfigured using OpenBSD instead of
> Windows to stop doing OTP, the firm position can be reconsidered.

As Kirill pointed out, the Yubico tools are in ports, they can be reconfigured on OpenBSD. Am I missing something here?

This token is a few years old so it's possible the newer ones don't work as well, but I was able to disable OTP on a YubiKey 5 Nano on 7.7:

    # ykman info | grep Enabled
    Enabled USB interfaces: OTP, FIDO, CCID

    # ykman config usb -d OTP
    WARNING: No OTP HID backend available. OTP protocols will not function.
    ERROR: Unable to list devices for connection
    USB configuration changes:
      Disable Yubico OTP
      The YubiKey will reboot
    Proceed? [y/N]: y
    USB application configuration updated.

    # ykman info | grep Enabled
    Enabled USB interfaces: FIDO, CCID

(no more cccccc...)

Regards
Lloyd