On Sun, Nov 04, 2012 at 02:46:55PM -0600, Aaron Poffenberger wrote:
> Theo de Raadt <dera...@cvs.openbsd.org> writes:
>
> >> Well I moved to the position that booting with a passphrase and then
> >> concatenating a strong passphrase from a Yubikey configured with a
> >> static passphrase would be a better solution than keydisk and
> >> passphrase.
> >>
> >> Although I don't have a Yubikey token now, as a Yubikey
> >> token is simulating a USB keyboard it should work. Has anybody
> >> tested a Yubikey with the new boot(8) asking for a passphrase?
> >
> > Then you had better start work on the usb stack for the bootcode.
>
> The Yubikey presents itself to the system as a standard USB keyboard. It
> has two "slots" for passwords. You can program either slot (or both) to
> hold a static value or as an OTP generator. When you touch the button on
> the Yubikey it types out slot one's value. If you touch and hold for 2-3
> seconds it types out slot two's value.
>
> I just tried mine. At the /boot prompt I plugged it in and touched the
> "type" button and it typed out my OTP. I also tried the static password.
> No problem.
>
> Obviously the OTP wouldn't be useful since it requires custom code in
> the receiver, but the static password seems like a viable option. I was
> thinking the same as Jiri except I'd prepend the system-specific value
> before letting the Yubikey type the password, since it types a carriage
> return at the end.
OTP would be nice, but probably one would not get anything, as it would need access to something like /var/db/yubikey, which could not be secured enough for boot(8)... This was exactly what I meant with '...then concatenate strong passphrase from a Yubikey...'. Thanks for the info!

jirib
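As an added illustration (not code from this thread or from OpenBSD), here is a small Python model of the input ordering Aaron describes: a line-oriented passphrase prompt stops reading at the first Enter, so the system-specific value has to be typed before the Yubikey's static slot, which terminates its string with a carriage return. The prefix, the slot value, the salt and the PBKDF2 parameters are all constructed for the example.

```python
import hashlib

# Constructed values standing in for real secrets; none come from the thread.
SYSTEM_PREFIX = "example-prefix-"
YUBIKEY_STATIC = "ccccccbjfekrnhtgjlhtvdvnkclhgnfvgbrurkejdcbt"  # constructed modhex-like string
ENTER = "\r"  # the Yubikey ends the slot's string with a carriage return


def yubikey_keystrokes() -> str:
    """What the Yubikey 'types' when its button is pressed: the static
    slot value followed by Enter (the 'carriage return at the end')."""
    return YUBIKEY_STATIC + ENTER


def read_passphrase(keystrokes: str) -> str:
    """Model of a line-oriented prompt such as boot(8)'s passphrase prompt:
    it consumes keystrokes up to the first Enter and ignores what follows."""
    line, _sep, _rest = keystrokes.partition(ENTER)
    return line


def prefix_then_token() -> str:
    """Aaron's ordering: type the system-specific value, then touch the token."""
    return read_passphrase(SYSTEM_PREFIX + yubikey_keystrokes())


def token_then_prefix() -> str:
    """The other ordering: the token's trailing Enter submits the line before
    the prefix is ever typed, so the prefix is silently lost."""
    return read_passphrase(yubikey_keystrokes() + SYSTEM_PREFIX)


def derive_key(passphrase: str, salt: bytes, rounds: int = 8192) -> bytes:
    """Stretch the assembled passphrase with PBKDF2-HMAC-SHA1 into a 32-byte
    key (salt and round count are constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, rounds, dklen=32)


if __name__ == "__main__":
    print("prefix then token:", prefix_then_token())
    print("token then prefix:", token_then_prefix())
```

The two orderings yield different passphrases, and therefore different derived keys, which is why the prefix must be typed first when the token supplies its own Enter.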