Reducing Password Fatigue with YubiKey
Yubico makes a nice little hardware key that, among other things, can be used to generate one-time passwords for user authentication.
Initialization
yubikey-personalization-gui is a Qt-based program that can be used to write private keys to one of two slots.
Copy the 12-digit private identity and the 32-digit secret key, without spaces, to the per-user files under /var/db/yubikey, like so:
echo "5c e1 e0 3e 63 a4" | tr -d ' ' > /var/db/yubikey/$USER.uid
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" | tr -d ' ' > /var/db/yubikey/$USER.key
OpenBSD Auth
It is also important to have the right permissions. If you are running X, be sure to change the owner of each key file to the user it belongs to, so that screen lock programs can authenticate:
chmod 600 /var/db/yubikey/$USER.{key,uid}
chown $USER /var/db/yubikey/$USER.{key,uid}
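Before changing the login configuration, it is worth confirming that both files hold exactly 12 and 32 hex digits with no spaces and are mode 600. The following check is an added example, not part of the original post; the yk_* function names are hypothetical, and the demo reuses the sample identity from above in a scratch directory.

```sh
#!/bin/sh
# Added example: verify the files written above. yk_* names are hypothetical.

# Succeed only if $1 is exactly $2 hexadecimal digits (no spaces, no newline).
yk_valid_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Check one file: exists, mode 600, content is exactly $2 hex digits.
# Returns 1 (missing), 2 (permissions) or 3 (content) on the first problem.
yk_check_file() {
    file=$1; want=$2
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$file: mode is $mode" >&2; return 2; }
    value=$(cat "$file")   # command substitution drops the trailing newline
    yk_valid_hex "$value" "$want" || { echo "$file: want $want hex digits" >&2; return 3; }
    return 0
}

# Check both files for user $1 in directory $2 (default /var/db/yubikey).
yk_check_user() {
    user=$1; dir=${2:-/var/db/yubikey}
    yk_check_file "$dir/$user.uid" 12 && yk_check_file "$dir/$user.key" 32
}

# Demo in a scratch directory, using the sample identity from above with the
# spaces left in: the check reports the content problem (return code 3).
demo=$(mktemp -d)
echo "5c e1 e0 3e 63 a4" > "$demo/demo.uid"
chmod 600 "$demo/demo.uid"
yk_check_file "$demo/demo.uid" 12 || echo "rejected with code $?"
rm -rf "$demo"
```

On the real system, run yk_check_user "$USER" after the chmod and chown step.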
Now set YubiKey as the authentication method for the group staff by editing /etc/login.conf:
auth=yubikey,passwd:
Note that auth= should come before entries that merge other configuration, such as tc=.
If you're a long-time BSD user you might be tempted to run cap_mkdb to rebuild the login DB. You don't need to do this; in fact the new .db file will override local changes to /etc/login.conf.