On Nov 5, 2012, at 2:50 AM, Jiri B wrote:

> On Sun, Nov 04, 2012 at 02:46:55PM -0600, Aaron Poffenberger wrote:
>> Theo de Raadt <dera...@cvs.openbsd.org> writes:
>>
>>>> Well I moved to position that booting with a passphrase and then
>>>> concatenate strong passphrase from a Yubikey configured with
>>>> static passphrase would be better solution than keydisk and
>>>> passphrase.
>>>>
>>>> Although I don't have a Yubikey token now but as a Yubikey
>>>> token is simulating usb keyboard it should work. Has anybody
>>>> tested Yubikey with new boot(8) asking for passphrase?
>>>
>>> Then you had better start work on the usb stack for the bootcode.
>>
>> The Yubikey presents itself to the system as a standard USB keyboard. It
>> has two "slots" for passwords. You can program either slot (or both) to
>> hold a static value or as an OTP generator. When you touch the button on
>> the Yubikey it types out slot one's value. If you touch and hold for 2-3
>> seconds it types out slot two's value.
>>
>> I just tried mine. At the /boot prompt I plugged it in and touched the
>> "type" button and it typed out my OTP. I also tried the static password.
>> No problem.
>>
>> Obviously the OTP wouldn't be useful since it requires custom code in
>> the receiver but the static password seems like a viable option. I was
>> thinking the same as Jiri except I'd prepend the system-specific value
>> before letting the Yubikey type the password since it types a carriage
>> return at the end.
>
> OTP would be nice but probably one would not get anything as it would need
> access to something like /var/db/yubikey which could not be secured enough
> for boot(8)...
>
> This was exactly what I meant with '...then concatenate strong passphrase
> from a Yubikey...'.
>
> Thanks for info!
>
> jirib
Mea culpa. You did write "…then concatenate". So much for comprehension 101. ;-)

You're welcome.

--Aaron