Tested on OpenBSD 6.3

Configure login(1) and sshd(8) for YubiKey on OpenBSD

The login_yubikey(8) utility is called by login(1) and others to authenticate the user with YubiKey authentication.

Prepare YubiKey

Install and start YubiKey Personalization GUI:

# pkg_add yubikey-personalization-gui
...
yubikey-personalization-gui-3.1.25: ok
# yubikey-personalization-gui

Insert your YubiKey into USB port, select Yubico OTP > Quick, select Configuration Slot 1 or 2, click Write Configuration, save the log into /tmp/yubikey.csv, click Exit.

Extract uid and key from the log, verify /var/db/yubikey/* files, and remove yubikey.csv file.

# cd /var/db/yubikey
# touch romanzolotarev.{uid,key}
# chown root:auth *
# chmod 440 *
# grep Yubico /tmp/yubikey.csv | cut -f5 -d, > romanzolotarev.uid
# grep Yubico /tmp/yubikey.csv | cut -f6 -d, > romanzolotarev.key
# cat *
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
# rm /tmp/yubikey.csv
# ls -l
-r--r-----  1 root  auth  33 May  1 15:22 romanzolotarev.key
-r--r-----  1 root  auth  13 May  1 15:22 romanzolotarev.uid
#

You can uninstall yubikey-personalization-gui

# pkg_delete yubikey-personalization-gui
yubikey-personalization-gui-3.1.25: ok
Read shared items: ok
# pkg_delete -a
...
Read shared items: ok
#

Configure login(1) and sshd(8)

Back up login.conf(5) and sshd_config(5) to be able to revert changes.

# cp /etc/login.conf /etc/login.conf.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#

Change auth-defaults in /etc/login.conf:

auth-defaults:auth=yubikey:

Add this line to etc/ssh/sshd_config:

AuthenticationMethods publickey,password

Restart sshd and verify: when ssh asks for a password—instead of entering your regular password—touch YubiKey, if you have used slot 1 (or touch and hold it for 2-3 seconds for slot 2)...

# rcctl restart sshd
# ssh root@localhost
root@localhost's password:
Last login: Wed May  2 17:11:06 2018 OpenBSD 6.3
(GENERIC.MP) #1: Sat Apr 21 14:26:25 CEST 2018

Welcome to OpenBSD: The proactively secure Unix-like
operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the
latest version of the code. With bug reports, please try to
ensure that enough information to reproduce the problem is
enclosed, and if a known fix for it exists, include that as well.
# exit
© roman zolotarev