login_yubikey - OpenBSD Authentication using YubiKey
A YubiKey is a small
USB stick with a single button.
When connected to a computer, it acts like a keyboard, which works
with any operating system and requires no software drivers.
When the button is pressed, the device sends a one-time password to
the computer as a sequence of keystrokes.
is based on a secret 128-bit AES key and a non-volatile use counter to
protect against replay attacks.
Especially nice is that the product is very open source friendly.
You only pay for the hardware (about USD $25 per device), and you
don't need to license proprietary server software. The algorithm
is documented, and there are open source sample implementations.
While the device ships with a unique encryption key which can be used
to authenticate against the vendor's online server, you can freely
update the device with any encryption key of your choosing.
One drawback is the symmetric key: to verify your one-time
passwords, the server needs to have a copy of your key. Which, of
course, enables the server to login to other servers as you.
I.e. unlike with asymmetric keys (e.g. publickey used in ssh) you have
to trust the server.
login_yubikey adds an
authentication style for YubiKey to OpenBSD.
Note: as of OpenBSD 5.1 the code has been
imported (and improved) and no longer requires installation, see the
login_yubikey(8) man page.
Fetch the source tarball, extract, build and install:
$ tar zxf login_yubikey-1.0.tar.gz
$ cd login_yubikey
# make install
# ls -l /usr/libexec/auth/login_yubikey
-r-xr-sr-x 1 root auth 11776 Mar 16 14:31 /usr/libexec/auth/login_yubikey
Note the set-group-ID auth, which is needed for the process to
access the key files (see below).
In /etc/login.conf, add yubikey to
# Default allowed authentication styles
Adding it as the first style like this makes it the default,
see login.conf(5) for details.
Create /var/db/yubikey and set its owner and permissions to
# mkdir /var/db/yubikey
# chown root:auth /var/db/yubikey
# chmod ug+rwx /var/db/yubikey
# chmod o-rwx /var/db/yubikey
# ls -l /var/db/
drwxrwx--- root auth yubikey
When you initialize your device with the
you choose your own uid (6 bytes as 12 hex digits) and
key (16 bytes as 32 hex digits). For example
Put the uid (as 12 hex digits) in /var/db/yubikey/user.uid and
the key (as 32 hex digits) in /var/db/yubikey/user.key
with the following owner and permissions
# echo 8792ebfe26cc >/var/db/yubikey/dhartmei.uid
# echo ecde18dbe76fbd0c33330f1c354871db >/var/db/yubikey/dhartmei.key
# chown root:auth /var/db/yubikey/*
# chmod o-rw /var/db/yubikey/*
# ls -l /var/db/yubikey/
-r--r----- root auth dhartmei.key
-r--r----- root auth dhartmei.uid
Now you can login with the YubiKey.
See /var/log/authlog for syslog messages from the program.
LOGIN_YUBIKEY(8) OpenBSD System Manager's Manual LOGIN_YUBIKEY(8)
login_yubikey - provide Yubikey authentication type
login_yubikey [-d] [-s service] user [class]
The login_yubikey utility is called by login(1), su(1), ftpd(8), and oth-
ers to authenticate the user with Yubikey authentication.
The service argument specifies which protocol to use with the invoking
program. The allowed protocols are login, challenge, and response. The
default protocol is login.
The user argument is the login name of the user to be authenticated.
The optional class argument is accepted for consistency with the other
login scripts but is not used.
login_yubikey will read the user's uid (12 hex digits) from the file
user.uid, the user's key (32 hex digits) from user.key, and the user's
last-use counter from user.cnt in the /var/db/yubikey directory.
If user does not have a uid or key, the login is rejected. If user does
not have a last-use counter, a value of zero is used and any counter is
accepted during the first login.
The one-time password provided by the user is decrypted using the user's
key. After the decryption, the checksum embedded in the one-time pass-
word is verified. If the checksum is not valid, the login is rejected.
If the checksum is valid, the uid embedded in the one-time password is
compared against the user's uid. If the uid does not match, the login is
If the uid matches, the use counter embedded in the one-time password is
compared to the last-use counter. If the counter is less than or equal
to the last-use counter, the login is rejected. This indicates a replay
If the counter is larger than the last-use counter, the counter is stored
as the new last-use counter, and the login is accepted.
/var/db/yubikey directory containing user entries for Yubikey
OpenBSD 4.2 March 16, 2010 1
BSD license applies.
March 16th 2010. First version.