On 2025-12-31 00:22 Lloyd wrote:
> Stuart Henderson wrote:
>

I apologize, I replied to you privately without realizing it. I've pasted what I replied below.

Hi, thanks for the reply. Using a YubiKey would definitely be the simplest solution. However, it's true that these devices are a bit expensive in my opinion. So buying another one could be a hassle.

>> Two fairly simple options: patch the kernel to allow using yubikey, or
>> use yubikey on another OS. (You could even just have it write the otp
>> into a text editor and re-type it on the OpenBSD machine if you want).
>
> An even simpler solution would be.... use the YubiKey with no changes?
>
> There is some confusion on exactly what YubiKey support was removed.
>

Yes, I admit that part (or perhaps all) of the blame for the problem lies with me. When I bought the device, I was a bit confused about the different standards, and since I was buying the device solely to authenticate to AWS, I intended to use only TOTP. After I bought the device, I looked into the matter further and decided to go with FIDO, as it seemed to be more secure. Because, if I understood correctly, FIDO also authenticates the domain, while a TOTP password can also be entered into a phishing domain. If I had been clear from the start, I would certainly have bought Yubico, because, as it's clearly stated on undeadly.org, FIDO works perfectly.

> OP stated he needs FIDO support. My understanding is the change simply
> disabled OTP support locally by preventing attachment of the USB
> keyboard, but FIDO and smartcard mode should be unaffected, no?
>

Exactly.

> Regards
> Lloyd

Thanks,
Regards.

