Eric Radman : a Journal

Reducing Password Fatigue with YubiKey

Yubico makes a nice little hardware key that, among other things, can be used to generate one time passwords for user authentication.

Initialization

yubikey-personalization-gui is a Qt-based program that can be used to write private keys to one of the two configuration slots. Copy the 12-digit private identity and the 32-digit secret key, without spaces, into files under /var/db/yubikey like so

echo "5c e1 e0 3e 63 a4" | tr -d ' ' > /var/db/yubikey/$USER.uid
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" | tr -d ' ' > /var/db/yubikey/$USER.key

OpenBSD Auth

It is also important to have the right permissions. If you are running X, be sure to change the owner of each key file to match its owner so that screen lock programs can authenticate

chmod 600 /var/db/yubikey/$USER.{key,uid}
chown $USER /var/db/yubikey/$USER.{key,uid}

Now set YubiKey as the authentication method for the staff login class by editing /etc/login.conf

auth=yubikey,passwd:

Note that auth= should come before entries that merge in other configuration, such as tc=, because the first definition of a capability wins: an auth= inherited through tc= would otherwise take precedence over yours.
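For the ordering point above, here is an added example of a complete staff stanza (not taken from the original post, and assuming the class merges the stock default class via tc=default, which is the usual layout of /etc/login.conf): the auth= line sits before the tc= line so it is the definition that is found first.

```text
# staff class: YubiKey OTP first, falling back to the password file,
# then merge everything else from the default class
staff:\
	:auth=yubikey,passwd:\
	:tc=default:
```

If auth= were placed after tc=default, any auth= defined in the default class would be found first and the yubikey entry would be silently ignored.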

If you're a long-time BSD user you might be tempted to run cap_mkdb to rebuild the login database. You don't need to do this; in fact the generated .db file is consulted in preference to the text file, so it will override any later local changes to /etc/login.conf until it is rebuilt or removed.