Theo de Raadt <dera...@cvs.openbsd.org> writes:
>> Well, I moved to the position that booting with a passphrase and then
>> concatenating a strong passphrase from a Yubikey configured with a
>> static passphrase would be a better solution than keydisk and
>> passphrase.
>>
>> Although I don't have a Yubikey token now, as a Yubikey token is
>> simulating a USB keyboard it should work. Has anybody tested a
>> Yubikey with the new boot(8) asking for a passphrase?
>
> Then you had better start work on the usb stack for the bootcode.
The Yubikey presents itself to the system as a standard USB keyboard. It has two "slots" for passwords. You can program either slot (or both) to hold a static value or as an OTP generator. When you touch the button on the Yubikey it types out slot one's value. If you touch and hold for 2-3 seconds it types out slot two's value.

I just tried mine. At the /boot prompt I plugged it in and touched the "type" button and it typed out my OTP. I also tried the static password. No problem. Obviously the OTP wouldn't be useful since it requires custom code in the receiver, but the static password seems like a viable option.

I was thinking the same as Jiri, except I'd prepend the system-specific value before letting the Yubikey type the password, since it types a carriage return at the end.

I imagine the Yubikey wouldn't work for any system that can't use USB keyboards. YMMV.

Tip to anyone looking to buy one: they're (US)$25 each. If you look on the store you'll find an option to buy the Password Safe bundle. The package comes with 2 Yubikeys for (US)$40.
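The ordering point made above (type the system-specific part first, then touch the Yubikey) comes down to the trailing carriage return the key sends. The following is an added example, not code from the thread or from OpenBSD: it simulates a line-oriented passphrase prompt fed by raw keystrokes and shows what each ordering yields. The static password and the memorized part are constructed sample values, and the prompt model (read until CR or LF) is an assumption about boot(8)'s behaviour, not taken from its source.

```python
# Added example (not from the thread or from OpenBSD): simulate a prompt that
# reads a passphrase up to the first CR/LF, fed by keystrokes from the user
# and from a Yubikey in static-password mode (which appends a carriage return).

# Constructed sample values; a real static password would differ.
YUBIKEY_STATIC = "ccccccbhgkcrljnufhvucgvgdcdtbnvhfbjelkfhjvd"  # hypothetical
SYSTEM_SPECIFIC = "correct horse battery"  # memorized, per-system part


def yubikey_keystrokes(static_password: str) -> str:
    """Keystrokes a Yubikey sends when touched in static-password mode:
    the stored string followed by Enter (carriage return)."""
    return static_password + "\r"


def read_passphrase(keystrokes: str) -> tuple:
    """Model of a line-oriented prompt (assumption about boot(8)):
    consume characters until CR or LF.  Returns
    (passphrase, keystrokes left unconsumed after the terminator)."""
    buf = []
    for i, ch in enumerate(keystrokes):
        if ch in "\r\n":
            return "".join(buf), keystrokes[i + 1:]
        buf.append(ch)
    return "".join(buf), ""


def prefix_then_yubikey(system_part: str, static_password: str) -> tuple:
    """The ordering the poster proposes: type the memorized part, then
    touch the key.  The key's CR terminates the combined passphrase."""
    return read_passphrase(system_part + yubikey_keystrokes(static_password))


def yubikey_then_suffix(system_part: str, static_password: str) -> tuple:
    """The other ordering: touch the key first, then type the memorized
    part.  The key's CR ends the prompt before the suffix is entered, so
    the suffix never becomes part of the passphrase."""
    return read_passphrase(
        yubikey_keystrokes(static_password) + system_part + "\r"
    )


if __name__ == "__main__":
    ok, _ = prefix_then_yubikey(SYSTEM_SPECIFIC, YUBIKEY_STATIC)
    bad, leftover = yubikey_then_suffix(SYSTEM_SPECIFIC, YUBIKEY_STATIC)
    print("prefix then Yubikey  :", repr(ok))
    print("Yubikey then suffix  :", repr(bad), "leftover:", repr(leftover))
```

Run stand-alone, the first ordering yields the full memorized-plus-static string, while the second yields only the Yubikey's static value, with the memorized part left over as keystrokes for whatever reads the keyboard next.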