From: Damien Miller <djm@mindrot.org>
Subject: Re: Remove privsep vestige
To: Stuart Henderson <stu@spacehopper.org>
Cc: tech@openbsd.org, openssh@openssh.com
Date: Fri, 6 Feb 2026 12:23:17 +1100

On Thu, 5 Feb 2026, Stuart Henderson wrote:

> On 2026/02/05 11:20, Damien Miller wrote:
> > Hi,
> > 
> > This is another vestigial bit of support for the !privsep case in
> > sshd. All direct access to the KbdintDevice should happen in the
> > unprivileged ssh-auth process and should therefore be done by RPC
> > into the privileged monitor. This means using the mm_* functions
> > unconditionally.
> > 
> > Would appreciate if someone who uses BSD authentication (e.g.
> > login_yubikey or login_ldap) could test this.
> 
> Yes, this still works. Tested with totp via login_oath.

Thanks - I'll commit.

-d