
tested on openbsd 6.3

configure login(1) and sshd(8) for yubikey on openbsd

the login_yubikey(8) utility is called by login(1) and others to authenticate the user with yubikey authentication.

prepare yubikey

install and start yubikey personalization gui:

# pkg_add yubikey-personalization-gui
...
yubikey-personalization-gui-3.1.25: ok
# yubikey-personalization-gui

insert your yubikey into a usb port, select yubico otp > quick, select configuration slot 1 or 2, click write configuration, save the log to /tmp/yubikey.csv, and click exit.

extract the uid and key from the log, verify the /var/db/yubikey/* files, and remove the yubikey.csv file.

# cd /var/db/yubikey
# touch romanzolotarev.{uid,key}
# chown root:auth *
# chmod 440 *
# grep Yubico /tmp/yubikey.csv | cut -f5 -d, > romanzolotarev.uid
# grep Yubico /tmp/yubikey.csv | cut -f6 -d, > romanzolotarev.key
# cat *
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
# rm /tmp/yubikey.csv
# ls -l
-r--r-----  1 root  auth  33 May  1 15:22 romanzolotarev.key
-r--r-----  1 root  auth  13 May  1 15:22 romanzolotarev.uid
#
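the same extraction as a reusable sh function, added here as an example (not part of the original post): it checks that the uid is 12 hex characters and the key is 32 before writing anything, and takes the target directory as a parameter so it can be tried outside /var/db/yubikey. the csv line in the comments is constructed.

```sh
#!/bin/sh
# added example, not from the original post. a log line from the
# personalization gui looks like (constructed sample):
#   Yubico OTP,02.05.2018 15:20,1,ccccccvkbuvn,0123456789ab,0123456789abcdef0123456789abcdef,,,0,0
# field 5 is the private identity (uid), field 6 the secret key.

# return 0 if $1 is a lowercase hex string of exactly $2 characters
is_hex() {
    [ "${#1}" -eq "$2" ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]
}

# yubikey_import LOG USER DIR: write DIR/USER.uid and DIR/USER.key
# (mode 440, root:auth when run as root) from the first Yubico line of LOG.
# returns 1 without touching DIR if the fields do not look right.
yubikey_import() {
    log=$1 user=$2 dir=$3
    line=$(grep Yubico "$log" | head -n 1)
    [ -n "$line" ] || { echo "no Yubico line in $log" >&2; return 1; }
    uid=$(printf '%s\n' "$line" | cut -f5 -d,)
    key=$(printf '%s\n' "$line" | cut -f6 -d,)
    is_hex "$uid" 12 || { echo "bad uid: $uid" >&2; return 1; }
    is_hex "$key" 32 || { echo "bad key: $key" >&2; return 1; }
    # remove old copies first: a 440 file cannot be truncated by its owner
    rm -f "$dir/$user.uid" "$dir/$user.key"
    # umask 337 in a subshell so new files are created 440 and the
    # caller's umask is left alone
    ( umask 337
      printf '%s\n' "$uid" > "$dir/$user.uid"
      printf '%s\n' "$key" > "$dir/$user.key" ) || return 1
    [ "$(id -u)" -eq 0 ] && chown root:auth "$dir/$user.uid" "$dir/$user.key"
    return 0
}
```

run as root with `yubikey_import /tmp/yubikey.csv romanzolotarev /var/db/yubikey`, then `rm /tmp/yubikey.csv` as in the listing above.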

you can now uninstall yubikey-personalization-gui:

# pkg_delete yubikey-personalization-gui
yubikey-personalization-gui-3.1.25: ok
Read shared items: ok
# pkg_delete -a
...
Read shared items: ok
#

configure login(1) and sshd(8)

back up login.conf(5) and sshd_config(5) to be able to revert changes.

# cp /etc/login.conf /etc/login.conf.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#

change auth-defaults in /etc/login.conf:

auth-defaults:auth=yubikey:

add this line to /etc/ssh/sshd_config:

AuthenticationMethods publickey,password

restart sshd and verify: when ssh asks for a password, instead of entering your regular password, touch the yubikey if you used slot 1 (or touch and hold it for 2-3 seconds for slot 2).

# rcctl restart sshd
# ssh root@localhost
root@localhost's password:
Last login: Wed May  2 17:11:06 2018 OpenBSD 6.3
(GENERIC.MP) #1: Sat Apr 21 14:26:25 CEST 2018
...
# exit
@hi@romanzolotarev.com