OpenBSD Journal

Yubikey OTP support disabled in -current

Contributed by rueda on from the cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk dept.

Yubikey OTP support has been disabled in -current. The commit message explains the rationale:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2025/08/14 08:39:44

Modified files:
	sys/dev/usb    : ukbd.c 

Log message:
Most Yubikey ship with OTP support enabled out of the box (and generate
accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
Yubikey re-configuration requires crazy buggy and fragile tools using crazy
usb feature support, and therefore OTP disabling is very annoying.  We
make a policy decision to not attach these as keyboards anymore, because a
majority of users just want the FIDO functionality.  If you want to use OTP,
buy a different device from a different vendor or convince Yubikey to
significantly improve their tooling.
idea from kettenis

To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:

  • USB security devices from other vendors are not affected.
  • FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
  • login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).

Running a patched kernel is the only way [at present] to reverse this change.
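
The accidental output quoted in the commit message is a Yubico OTP typed by the key's keyboard interface in "modhex" encoding. The following Python code is an added example, not part of the original article or of the OpenBSD source: it finds such strings in text (for instance chat or shell history), splits each into its public ID and encrypted part, and redacts it. It assumes the default 44-character OTP layout (12-character public ID followed by 32 characters of ciphertext); the function names and the sample text are constructed for illustration.

```python
import re

# Yubico "modhex" alphabet: 16 letters that sit on the same keys in most
# keyboard layouts. Each letter stands for one hex digit (c=0, b=1, ... v=f).
MODHEX = "cbdefghijklnrtuv"
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

# Assumption: default OTP layout, 44 modhex characters in total.
# The lookarounds reject runs that are part of a longer lowercase word.
OTP_RE = re.compile(r"(?<![a-z])[%s]{44}(?![a-z])" % MODHEX)


def modhex_to_bytes(s):
    """Decode a modhex string (even length) to raw bytes."""
    return bytes.fromhex(s.translate(_TO_HEX))


def find_otps(text):
    """Return (public_id, ciphertext_bytes) for each default-format OTP."""
    hits = []
    for m in OTP_RE.finditer(text):
        otp = m.group(0)
        # First 12 characters: static public ID of the key.
        # Remaining 32 characters: 16 bytes of AES-encrypted one-time data.
        hits.append((otp[:12], modhex_to_bytes(otp[12:])))
    return hits


def redact_otps(text):
    """Scrub OTPs from text, keeping only the public ID so the key can be identified."""
    return OTP_RE.sub(lambda m: m.group(0)[:12] + "[otp-redacted]", text)


# Constructed sample: a chat excerpt with the accidental output from the article.
SAMPLE = (
    "ok, will review tonight\n"
    "cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk\n"
    "sorry, touched my key\n"
)

if __name__ == "__main__":
    for public_id, blob in find_otps(SAMPLE):
        print(public_id, modhex_to_bytes(public_id).hex(), len(blob))
    print(redact_otps(SAMPLE))
```
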


Comments
  1. By Damon (oneofthedamons) undeadly@damon.sarahsempire.com on

    If you want to use OTP, buy a different device from a different vendor
    Any suggestions?
    Comments
    1. By Robert Alessi (ralessi) alessi@robertalessi.net on

      I believe OnlyKey might be an option. But the slot needs to be configured with an application that is not in ports.
