LOGIN_YUBIKEY(8)              System Manager's Manual             LOGIN_YUBIKEY(8)

SYNOPSIS
     login_yubikey [...] user [...]
DESCRIPTION
     The login_yubikey utility is called by login(1), su(1), ftpd(8), and others to authenticate the user with YubiKey authentication.

     The options are as follows:

     ... response are supported. The default protocol is login.
     The login_yubikey utility reads the user's UID (12 hex digits) from the file user.uid, the user's key (32 hex digits) from user.key, and the user's last-use counter from user.ctr, all in the /var/db/yubikey directory. If user has no UID or no key, the login is rejected. If user has no last-use counter, a value of zero is used, so any counter is accepted during the first login.

     The one-time password provided by the user is decrypted using the user's key. After the decryption, the checksum embedded in the one-time password is verified; if the checksum is not valid, the login is rejected. If the checksum is valid, the UID embedded in the one-time password is compared against the user's UID; if the UID does not match, the login is rejected. If the UID matches, the use counter embedded in the one-time password is compared to the last-use counter. If the counter is less than or equal to the last-use counter, the login is rejected: a counter that has not increased indicates a replay attack. If the counter is larger than the last-use counter, it is stored as the new last-use counter and the login is accepted.
HISTORY
     The login_yubikey utility first appeared in OpenBSD 5.1.

AUTHORS
     Daniel Hartmeier

OpenBSD-current                  October 17, 2017                 OpenBSD-current