On Thu, Jun 25, 2026 at 5:14 AM Johnathan Chronister <[email protected]> wrote:
>
> Hello everyone,
>
> It seems to go against the normal OpenBSD way of doing things to remove the
> keyboard functionality of Yubikeys on a kernel level.
>
> It is my understanding that this was more of a comfort decision because
> people were accidentally emitting their OTP.
>
> The proper solution is to configure your Yubikey by moving your OTP to the
> second slot.
>
> This change has crippled one of my use cases in which I stored a very long
> password in slot 2. This way I could use it for say part of my FDE password
> with other parts kept in my head (this still works fine) and I also did the
> same with my KeepassXC database. Now broken.
>
> What irritates me about this is that it caters to something which can easily
> be avoided by configuring the Yubikey properly and maybe I am wrong but I
> don’t believe it’s a change which mitigates a security threat as other
> security keys seem unaffected.
>
> I will migrate KeepassXC to use challenge response or something. I have tons
> of Yubikeys laying around so I can use them.
>
> I did have the thought process about reading the data using usbhidctl and
> getting ASCII output. Has anyone done that?

see the thread 'Workaround for Yubikey OTP on OpenBSD' for some usb HID
shenanigans: https://marc.info/?l=openbsd-misc&m=176801963202592&w=2

>
> Kind regards,
>
> Johnathan

