NAME
     login_yubikey - provide YubiKey authentication type

SYNOPSIS
     login_yubikey [-d] [-s service] [-v name=value] user [class]

DESCRIPTION
     The login_yubikey utility is called by login(1), su(1), and others to
     authenticate the user with a YubiKey one-time password.

     The options are as follows:

     -d              Debug mode. Output is sent to the standard output instead
                     of the BSD Authentication backchannel.

     -s service      Specify the service. Currently, only login, challenge,
                     and response are supported. The default protocol is
                     login.

     -v name=value   This option and its value are ignored.

     The user argument is the login name of the user to be authenticated.
     The optional class argument is accepted for consistency with the other
     login scripts but is not used.

     login_yubikey will read the user's UID (12 hex digits) from the file
     user.uid, the user's key (32 hex digits) from user.key, and the user's
     last-use counter from user.ctr. If user does not have a UID or key, the
     login is rejected. If user does not have a last-use counter, a value of
     zero is used and any counter is accepted during the first login.
     The one-time password provided by the user is decrypted using the user's
     key. After the decryption, the checksum embedded in the one-time password
     is verified. If the checksum is not valid, the login is rejected.

     If the checksum is valid, the UID embedded in the one-time password is
     compared against the user's UID. If the UID does not match, the login is
     rejected.

     If the UID matches, the use counter embedded in the one-time password is
     compared to the last-use counter. If the counter is less than or equal to
     the last-use counter, the login is rejected. This indicates a replay
     attack. If the counter is larger than the last-use counter, the counter is
     stored as the new last-use counter, and the login is accepted.
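     The check sequence above (checksum, then UID, then monotonic counter) as
     an added Python example; this is not code from the page or from
     login_yubikey itself. It assumes the AES decryption step has already been
     done and that the plaintext follows the public Yubico OTP layout (6-byte
     UID, 2-byte session counter, 3-byte timestamp, 1-byte session-use
     counter, 2-byte random, 2-byte CRC-16); how the two counters are combined
     into one use counter, and the sample UID, are assumptions.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # YubiKey's keyboard-layout-independent hex alphabet


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string (as typed by the key) into raw bytes."""
    nibbles = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def crc16(data: bytes) -> int:
    """CRC-16 (reflected poly 0x8408, init 0xFFFF) used for the OTP checksum."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


CRC_OK = 0xF0B8  # residual of crc16 over a 16-byte token whose trailing CRC is intact


def make_token(uid: bytes, session: int, use: int) -> bytes:
    """Build a constructed 16-byte plaintext token with a valid checksum (test data only)."""
    body = uid + struct.pack("<H", session) + b"\x00\x00\x00" + bytes([use]) + b"\x00\x00"
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def verify(plain: bytes, user_uid: bytes, last_ctr):
    """Apply the checks in order; return (accepted, reason, counter to store).

    last_ctr is None when the user has no user.ctr yet: any counter is then
    accepted, matching the first-login behaviour described above.
    """
    if len(plain) != 16 or crc16(plain) != CRC_OK:
        return False, "checksum", last_ctr
    if plain[:6] != user_uid:
        return False, "uid", last_ctr
    session, = struct.unpack_from("<H", plain, 6)
    ctr = ((session & 0x7FFF) << 8) | plain[11]  # assumption: session << 8 | use
    if last_ctr is not None and ctr <= last_ctr:
        return False, "replay", last_ctr  # counter did not advance: replayed OTP
    return True, "ok", ctr  # caller stores ctr as the new last-use counter
```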
FILES
     The directory containing the per-user YubiKey entries (user.uid, user.key
     and user.ctr).

HISTORY
     The login_yubikey utility first appeared in