On Tue, Dec 30, 2025 at 11:22:58PM +0000, Lloyd wrote:
> Stuart Henderson wrote:
> >
> > Two fairly simple options: patch the kernel to allow using yubikey, or
> > use yubikey on another OS. (You could even just have it write the otp
> > into a text editor and re-type it on the OpenBSD machine if you want).
>
> An even simpler solution would be.... use the YubiKey with no changes?
>
> There is some confusion on exactly what YubiKey support was removed.
>
> OP stated he needs FIDO support. My understanding is the change simply
> disabled OTP support locally by preventing attachment of the USB
> keyboard, but FIDO and smartcard mode should be unaffected, no?

Yes, that's exactly right. I have a YK 5 nano that works perfectly with
FIDO. To get OTP authentication *locally,* the kernel needs to be patched
from 7.8 onwards as it is very clearly explained on undeadly.org.[1]

While not necessarily intending to defend the wretch who dared to cause
confusion with an unfortunate comment posted there, I would point out that
OnlyKey's website states that a model such as this one [2] is compatible
with the Yubikey OTP scheme. I quote from the same page:

> UNIVERSALLY SUPPORTED – Works with all websites including Twitter,
> Facebook, GitHub, and Google. OnlyKey supports multiple methods of
> two-factor authentication including FIDO2 / U2F, Yubikey OTP, TOTP,
> Challenge-response.

Hence the wild suggestion that OnlyKey *might* work as a Yubikey
replacement for OTP.

Footnotes:
[1] https://undeadly.org/cgi?action=article;sid=20250822064253
[2] https://onlykey.io/products/onlykey-color-secure-password-manager-and-2-factor-token-u2f-yubikey-otp-google-auth-make-password-hacking-obsolete

