From: Emiel Kollof
Subject: Re: another yubikey diff
To: Lloyd
Cc: Theo de Raadt, tech@openbsd.org
Date: Sun, 24 Aug 2025 00:28:56 +0200

On 23.08.2025 04:38, Lloyd wrote:
>Theo de Raadt wrote:
>> if devices can be reconfigured using OpenBSD instead of
>> Windows to stop doing OTP, the firm position can be reconsidered.
>
>As Kirill pointed out, the Yubico tools are in ports, they can be
>reconfigured on OpenBSD. Am I missing something here? This token
>is a few years old so it's possible the newer ones don't work as
>well, but I was able to disable OTP on a YubiKey 5 Nano on 7.7:
>
># ykman info | grep Enabled
>Enabled USB interfaces: OTP, FIDO, CCID
>
># ykman config usb -d OTP
>WARNING: No OTP HID backend available. OTP protocols will not function.
>ERROR: Unable to list devices for connection
>USB configuration changes:
> Disable Yubico OTP
> The YubiKey will reboot
>Proceed? [y/N]: y
>USB application configuration updated.

Can confirm this works. My keys are yubi 4, so I have to use:

$ ykman config mode FIDO+CCID
WARNING: No OTP HID backend available. OTP protocols will not function.
ERROR: Unable to list devices for connection
Set mode of YubiKey to FIDO+CCID? [y/N]: y
Mode set! You must remove and re-insert your YubiKey for this change to take effect.

After this, Yubi OTP is disabled. Tested with 7.7 release and a patched
7.7-current.

Cheers,
Emiel