Yubikey OTP support disabled in -current
Contributed by rueda on from the cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk dept.
Yubikey OTP support has been disabled in -current. The commit message explains the rationale:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/08/14 08:39:44

Modified files:
sys/dev/usb : ukbd.c

Log message:
Most Yubikey ship with OTP support enabled out of the box (and
generate accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
Yubikey re-configuration requires crazy buggy and fragile tools using crazy
usb feature support, and therefore OTP disabling is very annoying.
We make a policy decision to not attach these as keyboards anymore,
because a majority of users just want the FIDO functionality. If you
want to use OTP, buy a different device from a different vendor or convince
Yubikey to significantly improve their tooling.
idea from kettenis
To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:
- USB security devices from other vendors are not affected.
- FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
- login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).
Running a patched kernel is the only way [at present] to reverse this change.