NAME
login_yubikey
—
provide YubiKey OTP authentication
type
SYNOPSIS
login_yubikey |
[-dv ] [-s
service] user
[class] |
DESCRIPTION
The login_yubikey
utility is called by
login(1), su(1),
ftpd(8), and others to authenticate the user
with the Yubico one-time password (OTP) authentication mechanism.
The options are as follows:
-d
- Debug mode. Output is sent to the standard output instead of the BSD Authentication backchannel.
-s
service- Specify the service. Currently, only
challenge
,login
, andresponse
are supported. The default protocol is login. -v
- This option and its value are ignored.
The user argument is the login name of the user to be authenticated.
The optional class argument is accepted for consistency with the other login scripts but is not used.
login_yubikey
will read the
user's UID (12 hex digits) from the file
user.uid, the
user's key (32 hex digits) from
user.key,
and the user's last-use counter from
user.ctr
in the
/var/db/yubikey
directory.
If user does not have a UID or key, the login is rejected. If user does not have a last-use counter, a value of zero is used and any counter is accepted during the first login.
The one-time password provided by the user is decrypted using the user's key. After the decryption, the checksum embedded in the one-time password is verified. If the checksum is not valid, the login is rejected.
If the checksum is valid, the UID embedded in the one-time password is compared against the user's UID. If the UID does not match, the login is rejected.
If the UID matches, the use counter embedded in the one-time password is compared to the last-use counter. If the counter is less than or equal to the last-use counter, the login is rejected. This indicates a replay attack.
If the counter is larger than the last-use counter, the counter is stored as the new last-use counter, and the login is accepted.
FILES
- /var/db/yubikey
- Directory containing user entries for YubiKey OTP security keys.
SEE ALSO
HISTORY
The login_yubikey
utility first appeared
in OpenBSD 5.1.
AUTHORS
Daniel Hartmeier
CAVEATS
The login_yubikey
utility does not
implement the U2F/FIDO2 open authentication standard.