TL;DR http://25thandclement.com/~william/YubiKey_NEO.html
This is slightly off-topic, but perhaps some people on this list would be interested in this.

I've been waiting over a decade, and tonight I've finally found the smartcard promised land. By gods, I'll never have to d*ck around with OpenSC ever again (not that I ever got it working to my satisfaction; not in years of trying, and hundreds of dollars blown on various tokens).

OpenBSD has native server auth support for the YubiKey OTP HID device, which is pretty awesome. I have over 10 tokens and an HSM module (which I need to eventually get working on OpenBSD). I'm a Yubico fan.

The recently released YubiKey NEO has added OpenPGP CCID support. The NEO is only the second card in the universe, AFAIK, that supports the OpenPGP smartcard specification. And at the moment the only one commercially available with a built-in reader.

Why is this important? Because GnuPG has *native* support for OpenPGP CCID tokens. And while GnuPG and the underlying libusb library give me pause (the source code is... not pretty), it doesn't matter that much on the client side--at worst some exceptionally capable attacker sniffs your PIN. Yubico's libraries and GnuPG have made token management as simple as I've ever seen, from an open source perspective.

I'm not that familiar with OpenPGP; I never cared to use PGP PKI without a hardware token. I had trouble getting everything working, so I've put together a HOWTO for configuring and using the YubiKey NEO as an OpenSSH authentication token on OS X. (*boo* *hiss* I like Mac laptops and I'm too lazy to put anything else on it.) Fortunately, most of the instructions should be identical for other Unix-like machines.

http://25thandclement.com/~william/YubiKey_NEO.html