From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: Remove privsep vestige
To: Damien Miller <djm@mindrot.org>
Cc: tech@openbsd.org, openssh@openssh.com
Date: Thu, 5 Feb 2026 12:52:50 +0000

On 2026/02/05 11:20, Damien Miller wrote:
> Hi,
> 
> This is another vestigial bit of support for the !privsep case in
> sshd. All direct access to the KbdintDevice should happen in the
> unprivileged ssh-auth process and should therefore be done by RPC
> into the privileged monitor. This means using the mm_* functions
> unconditionally.
> 
> Would appreciate if someone who uses BSD authentication (e.g.
> login_yubikey or login_ldap) could test this.

Yes, this still works. Tested with totp via login_oath.