Yubikey OTP support disabled in -current

from OpenBSD Journal (#6ZG23)

Yubikey OTP support has been disabled in -current. The commit message explains the rationale:

    CVSROOT:      /cvs
    Module name:  src
    Changes by:   deraadt@cvs.openbsd.org  2025/08/14 08:39:44

    Modified files:
        sys/dev/usb : ukbd.c

    Log message:
    Most Yubikey ship with OTP support enabled out of the box (and generate
    accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
    Yubikey re-configuration requires crazy buggy and fragile tools using crazy
    usb feature support, and therefore OTP disabling is very annoying. We
    make a policy decision to not attach these as keyboards anymore, because a
    majority of users just want the FIDO functionality. If you want to use OTP,
    buy a different device from a different vendor or convince Yubikey to
    significantly improve their tooling.

    idea from kettenis

To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:

  • USB security devices from other vendors are not affected.
  • FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
  • login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).

Running a patched kernel is the only way [at present] to reverse this change.
