"Thank you & thanks again because I wouldn't be using a YubiKey without your help!"
# pkg_add yubikey-personalization-gui
quirks-2.414 signed on 2018-03-28T14:24:37Z
yubikey-personalization-gui-3.1.25: ok
# yubikey-personalization-gui

Insert your YubiKey into a USB port. Click Yubico OTP, then Quick.
Select Configuration Slot 1 or 2. Click Write Configuration.
Important: save the log into /tmp/yubikey.csv. Click Exit.

As root, extract the uid and key from the log, verify the files, and remove the log.
# cd /var/db/yubikey
# grep Yubico /tmp/yubikey.csv | cut -f5 -d, > root.uid
# grep Yubico /tmp/yubikey.csv | cut -f6 -d, > root.key
# chown root:auth root.*
# chmod 440 root.*
# cat root.*
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
# rm /tmp/yubikey.csv

If /var/db/yubikey/root.ctr is present, remove it to reset the counter.

# rm root.ctr
If you have one more YubiKey, then repeat these steps, but replace root with USERNAME, where USERNAME is the name of your user.
Or, if you have only one YubiKey, then just copy those two files.
# cp root.uid USERNAME.uid
# cp root.key USERNAME.key
The result in my case looks like this:
# ls -l /var/db/yubikey/*
-r--r----- 1 root auth 33 May 1 15:22 romanzolotarev.key
-r--r----- 1 root auth 13 May 1 15:22 romanzolotarev.uid
-r--r----- 1 root auth 33 May 1 14:59 root.key
-r--r----- 1 root auth 13 May 1 14:59 root.uid
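The sizes in the listing (13 and 33 bytes) are a 12-digit uid and a 32-digit key plus a newline, which gives a check to run before trusting fields 5 and 6 of the log. The following is an added example, not part of the original page: the function names are hypothetical, it assumes the log layout the cut commands above rely on, and chown root:auth is still run afterwards as shown earlier.

```sh
#!/bin/sh
# Added example (not from the original page): validate, then install.
# Assumption: field 5 = uid (12 hex digits), field 6 = key (32 hex digits),
# matching the cut commands and the file sizes shown on the page.

is_hex() {  # is_hex VALUE LENGTH
    printf '%s\n' "$1" | grep -Eq "^[0-9a-fA-F]{$2}\$"
}

# install_yubikey_secrets CSV DIR USER
# Returns 0 on success, non-zero on a malformed or ambiguous log.
install_yubikey_secrets() {
    csv=$1 dir=$2 user=$3
    n=$(grep -c Yubico "$csv" 2>/dev/null || true)
    if [ "$n" != 1 ]; then
        echo "expected exactly one Yubico line in $csv, found '$n'" >&2
        return 1
    fi
    line=$(grep Yubico "$csv")
    yk_uid=$(printf '%s\n' "$line" | cut -f5 -d,)
    yk_key=$(printf '%s\n' "$line" | cut -f6 -d,)
    is_hex "$yk_uid" 12 || { echo "uid is not 12 hex digits" >&2; return 1; }
    is_hex "$yk_key" 32 || { echo "key is not 32 hex digits" >&2; return 1; }
    (
        umask 077   # files are never group/world readable before chmod
        rm -f "$dir/$user.uid" "$dir/$user.key"
        printf '%s\n' "$yk_uid" > "$dir/$user.uid" &&
        printf '%s\n' "$yk_key" > "$dir/$user.key" &&
        chmod 440 "$dir/$user.uid" "$dir/$user.key"
    )
}
```

A log with shifted columns or more than one Yubico line is rejected before anything is written, so a bad export shows up here rather than as a failed login later.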
We are about to change two config files, so let's back them up first.

# cp /etc/login.conf /etc/login.conf.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

In case something goes wrong, you'll be able to boot into single-user mode, revert the changes, reboot, and log in with a regular password as usual.
Now we can change
PermitRootLogin yes
AuthenticationMethods publickey,password
PasswordAuthentication yes
Restart sshd, then verify: when ssh asks for a password, instead of entering your regular password, touch the YubiKey if you have used slot 1 (or touch and hold it for 2-3 seconds for slot 2)...
# rcctl restart sshd
# ssh root@localhost
root@localhost's password:
Last login: Wed May 2 17:11:06 2018
OpenBSD 6.3 (GENERIC.MP) #1: Sat Apr 21 14:26:25 CEST 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
...then exit and reboot:
# exit
# reboot
Tested on OpenBSD 6.3.
P.S. Also tweak your login screen if you wish.