Daniel Hartmeier

login_yubikey - OpenBSD Authentication using YubiKey


A YubiKey is a small USB stick with a single button.

When connected to a computer, it acts like a keyboard, which works with any operating system and requires no software drivers. When the button is pressed, the device sends a one-time password to the computer as a sequence of keystrokes.

The security is based on a secret 128-bit AES key and a non-volatile use counter to protect against replay attacks.

One especially nice aspect is that the product is very open source friendly. You only pay for the hardware (about USD $25 per device), and you don't need to license proprietary server software. The algorithm is documented, and there are open source sample implementations.

While the device ships with a unique encryption key which can be used to authenticate against the vendor's online server, you can freely update the device with any encryption key of your choosing. One drawback is the symmetric key: to verify your one-time passwords, the server needs to have a copy of your key. This, of course, enables the server to log in to other servers as you. In other words, unlike with asymmetric keys (e.g. the public keys used in ssh), you have to trust the server.

login_yubikey adds an authentication style for YubiKey to OpenBSD.

Note: as of OpenBSD 5.1 the code has been imported (and improved) and no longer requires installation, see the login_yubikey(8) man page.


Fetch the source tarball, extract, build and install:

$ tar zxf login_yubikey-1.0.tar.gz
$ cd login_yubikey
$ make
# make install
# ls -l /usr/libexec/auth/login_yubikey
-r-xr-sr-x  1 root  auth  11776 Mar 16 14:31 /usr/libexec/auth/login_yubikey

Note the set-group-ID bit (group auth), which is needed for the process to access the key files (see below).

In /etc/login.conf, add yubikey to the list of default allowed authentication styles (the auth-defaults entry that follows this comment):

# Default allowed authentication styles

Adding yubikey as the first style in that list makes it the default; see login.conf(5) for details.

Create /var/db/yubikey and set its owner and permissions as follows:

# mkdir /var/db/yubikey
# chown root:auth /var/db/yubikey
# chmod ug+rwx /var/db/yubikey
# chmod o-rwx /var/db/yubikey
# ls -l /var/db/
drwxrwx---   root   auth   yubikey

When you initialize your device with the personalization tool, you choose your own uid (6 bytes as 12 hex digits) and key (16 bytes as 32 hex digits). For example:

key: ecde18dbe76fbd0c33330f1c354871db
uid: 8792ebfe26cc

Put the uid (as 12 hex digits) in /var/db/yubikey/user.uid and the key (as 32 hex digits) in /var/db/yubikey/user.key, where user is the login name, with the following owner and permissions:

# echo 8792ebfe26cc >/var/db/yubikey/dhartmei.uid
# echo ecde18dbe76fbd0c33330f1c354871db >/var/db/yubikey/dhartmei.key
# chown root:auth /var/db/yubikey/*
# chmod o-rw /var/db/yubikey/*
# ls -l /var/db/yubikey/
-r--r-----   root   auth   dhartmei.key
-r--r-----   root   auth   dhartmei.uid

Now you can login with the YubiKey.

See /var/log/authlog for syslog messages from the program.

Man page

LOGIN_YUBIKEY(8)        OpenBSD System Manager's Manual       LOGIN_YUBIKEY(8)

NAME
     login_yubikey - provide Yubikey authentication type

SYNOPSIS
     login_yubikey [-d] [-s service] user [class]

DESCRIPTION
     The login_yubikey utility is called by login(1), su(1), ftpd(8), and
     others to authenticate the user with Yubikey authentication.

     The service argument specifies which protocol to use with the invoking
     program.  The allowed protocols are login, challenge, and response.  The
     default protocol is login.

     The user argument is the login name of the user to be authenticated.

     The optional class argument is accepted for consistency with the other
     login scripts but is not used.

     login_yubikey will read the user's uid (12 hex digits) from the file
     user.uid, the user's key (32 hex digits) from user.key, and the user's
     last-use counter from user.cnt in the /var/db/yubikey directory.

     If user does not have a uid or key, the login is rejected.  If user does
     not have a last-use counter, a value of zero is used and any counter is
     accepted during the first login.

     The one-time password provided by the user is decrypted using the user's
     key.  After the decryption, the checksum embedded in the one-time
     password is verified.  If the checksum is not valid, the login is
     rejected.

     If the checksum is valid, the uid embedded in the one-time password is
     compared against the user's uid.  If the uid does not match, the login is
     rejected.

     If the uid matches, the use counter embedded in the one-time password is
     compared to the last-use counter.  If the counter is less than or equal
     to the last-use counter, the login is rejected.  This indicates a replay
     attack.

     If the counter is larger than the last-use counter, the counter is stored
     as the new last-use counter, and the login is accepted.

FILES
     /var/db/yubikey  directory containing user entries for Yubikey

SEE ALSO
     login(1), login.conf(5)

OpenBSD 4.2                     March 16, 2010
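The DESCRIPTION in the man page above is the complete verification procedure. As an added illustration (not code from login_yubikey), here it is in Python, applied to an already-decrypted 16-byte block: the AES-128 decryption with the key from user.key is assumed to have happened beforehand, the field layout and the CRC-16 residue are taken from Yubico's published OTP specification (an assumption, since the page itself only names the fields it checks), and an in-memory last_ctr stands in for user.cnt.

```python
import struct

# Assumed block layout per Yubico's published OTP spec (not spelled out on the
# page): uid[6] useCtr[2 LE] tstp[3] sessCtr[1] rnd[2] crc[2 LE].
# A valid block leaves CRC-16 residue 0xF0B8 when computed over all 16 bytes.
CRC_OK_RESIDUE = 0xF0B8


def crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0x8408, init 0xFFFF, no final xor."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def make_plaintext(uid: bytes, use_ctr: int, session_ctr: int = 1) -> bytes:
    """Constructed test input: the 16-byte block a key would AES-encrypt."""
    body = (uid + struct.pack("<H", use_ctr) + b"\x00\x00\x00"
            + bytes([session_ctr]) + b"\x00\x00")
    # The stored crc is the one's complement of the crc over the first 14 bytes.
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def verify(plaintext: bytes, user_uid: bytes, last_ctr: int = 0):
    """Apply the man page's checks to a decrypted block.

    last_ctr plays the role of /var/db/yubikey/user.cnt (0 when the file is
    missing, so the first login accepts any counter).  Returns
    (accepted, new_last_ctr, reason); the caller persists new_last_ctr only
    when accepted.
    """
    if len(plaintext) != 16 or crc16(plaintext) != CRC_OK_RESIDUE:
        return False, last_ctr, "checksum invalid"   # wrong key or garbled OTP
    if plaintext[:6] != user_uid:
        return False, last_ctr, "uid mismatch"       # token from another key
    # libyubikey masks the use counter to 15 bits (assumed here); the top bit
    # of the field is a flag, not part of the count.
    ctr = struct.unpack("<H", plaintext[6:8])[0] & 0x7FFF
    if ctr <= last_ctr:
        return False, last_ctr, f"replay: counter {ctr} <= last-use {last_ctr}"
    return True, ctr, "accepted"
```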


BSD license applies.



March 16th 2010. First version.


Last updated on Tue Jan 13 10:11:10 2015 by daniel@benzedrine.ch.