On 2025-09-02, Robert Alessi <[email protected]> wrote:
> I wouldn't mind either but the thing is one can't assume
> login_yubikey(8) will remain in base.[1] A good reason to keep it would
> be to allow ssh login from a machine where yubikey otp can be used.

careful with login_yubikey for ssh; there's no good way to sync the counter files, so replay detection is only per-machine. (concretely: if someone captures your otp from one login, they can login to other machines using the same key until you've logged in to them too). this is a shortcoming of login_yubikey(8) - other yk otp-based login methods (e.g. using radius to auth at a central location that checks counters) are possible.

-- 
Please keep replies on the mailing list.
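
A small model of the per-machine replay window described in the message above, added here as an illustration; it is not part of the original message and is not login_yubikey(8) code. It assumes the OTP has already been decrypted and reduces it to a key id plus an integer usage counter; `CounterStore`, the host names and the counter values are constructed for the example.

```python
# Simplified model: `counter` stands in for the usage counter carried inside
# a decrypted Yubikey OTP. No real OTP parsing or cryptography is done here.

class CounterStore:
    """Last accepted counter per key; one instance models one counter database."""

    def __init__(self):
        self._last = {}

    def accept(self, key_id, counter):
        # Replay check: only a counter strictly above the last one seen passes.
        if counter <= self._last.get(key_id, -1):
            return False
        self._last[key_id] = counter
        return True


def replay_results(stores):
    """Owner logs in to host a (counter 10) and later to host c (counter 11).
    The OTP with counter 10 is then presented again to every host.
    `stores` maps host name -> the CounterStore that host consults."""
    assert stores["a"].accept("key1", 10)   # legitimate login; this OTP is the replayed one
    assert stores["c"].accept("key1", 11)   # later legitimate login elsewhere
    return {host: store.accept("key1", 10) for host, store in sorted(stores.items())}


def per_machine():
    # Each host keeps its own counter state, with nothing syncing them.
    return replay_results({h: CounterStore() for h in ("a", "b", "c")})


def central():
    # All hosts ask one central validator (e.g. reached over RADIUS).
    shared = CounterStore()
    return replay_results({h: shared for h in ("a", "b", "c")})


if __name__ == "__main__":
    print("per-machine:", per_machine())
    print("central:    ", central())
```

Host b, which the owner has not logged in to since the OTP was generated, is the only place the repeated OTP passes, and only when counter state is kept per machine.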

