OpenBSD Yubikey Authentication

OpenBSD includes out-of-the-box support for login via YubiKey. Yay! OpenBSD doesn’t authenticate against a central server (such as the service offered by Yubico) to verify a YubiKey. This is good because I don’t have to trust a 3rd party with my credentials. Unfortunately, this also means that OpenBSD tracks the “last-use” token locally rather than centrally, so without somehow synchronizing the “last-use” value I can only safely use a YubiKey token on a single machine.

OpenBSD Yubikey Authentication with PIN

I think that using the YubiKey for authentication is worthwhile. OpenBSD’s current implementation of login_yubikey.c, however, relies entirely on the one-time password. I think the system would be stronger if it combined the YubiKey with an additional PIN, so that a compromise of the physical security of the token doesn’t compromise the associated account. My work is loosely based on Remi Locherer’s suggested patch. Where it differs is that I’d like to add an optional additional PIN to the authentication rather than use an existing credential, such as the system password.