On 2025-12-31 00:22 Lloyd wrote:
> Stuart Henderson wrote:
>
I apologize, I replied to you privately without realizing it. I've
pasted what I replied below.
Hi, thanks for the reply.
Using a YubiKey would definitely be the simplest solution.
However, it's true that these devices are a bit expensive in my opinion.
So buying another one could be a hassle.
>> Two fairly simple options: patch the kernel to allow using yubikey, or
>> use yubikey on another OS. (You could even just have it write the otp
>> into a text editor and re-type it on the OpenBSD machine if you want).
>
> An even simpler solution would be.... use the YubiKey with no changes?
>
> There is some confusion on exactly what YubiKey support was removed.
>
Yes, I admit that part (or perhaps all) of the blame for the problem
lies with me. When I bought the device, I was a bit confused about the
different standards, and since I was buying the device solely to
authenticate to AWS, I intended to use only TOTP. After I bought the
device, I looked into the matter further and decided to go with FIDO, as
it seemed to be more secure because, if I understood correctly, FIDO
also authenticates the domain, while a TOTP password can also be entered
into a phishing domain. If I had been clear from the start, I would
certainly have bought Yubico, because, as it's clearly stated on
undeadly.org, FIDO works perfectly.
> OP stated he needs FIDO support. My understanding is the change simply
> disabled OTP support locally by preventing attachment of the USB
> keyboard, but FIDO and smartcard mode should be unaffected, no?
>
Exactly.
> Regards
> Lloyd
Thanks, Regards.