.\" $OpenBSD: login_yubikey.8,v 1.8 2013/08/14 08:39:31 jmc Exp $
.\"
.\" Copyright (c) 2010 Daniel Hartmeier <daniel@benzedrine.cx>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" - Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" - Redistributions in binary form must reproduce the above
.\" copyright notice, this list of conditions and the following
.\" disclaimer in the documentation and/or other materials provided
.\" with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 14 2013 $
.Dt LOGIN_YUBIKEY 8
.Os
.Sh NAME
.Nm login_yubikey
.Nd provide YubiKey authentication type
.Sh SYNOPSIS
.Nm login_yubikey
.Op Fl dv
.Op Fl s Ar service
.Ar user
.Op Ar class
.Sh DESCRIPTION
The
.Nm
utility is called by
.Xr login 1 ,
.Xr su 1 ,
.Xr ftpd 8 ,
and others to authenticate the
.Ar user
with YubiKey authentication.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Debug mode.
Output is sent to the standard output instead of the
.Bx
Authentication backchannel.
.It Fl s Ar service
Specify the service.
Currently, only
.Li challenge ,
.Li login ,
and
.Li response
are supported.
The default protocol is
.Em login .
.It Fl v
This option and its value are ignored.
.El
.Pp
The
.Ar user
argument is the login name of the user to be authenticated.
.Pp
The optional
.Ar class
argument is accepted for consistency with the other login scripts but
is not used.
.Pp
.Nm
will read the user's UID (12 hex digits) from the file
.Em user.uid ,
the user's key (32 hex digits) from
.Em user.key ,
and the user's last-use counter from
.Em user.ctr
in the
.Em /var/db/yubikey
directory.
.Pp
If
.Ar user
does not have a UID or key, the login is rejected.
If
.Ar user
does not have a last-use counter, a value of zero is used and
any counter is accepted during the first login.
.Pp
The one-time password provided by the user is decrypted using the
user's key.
After the decryption, the checksum embedded in the one-time password
is verified.
If the checksum is not valid, the login is rejected.
.Pp
If the checksum is valid, the UID embedded in the one-time password
is compared against the user's UID.
If the UID does not match, the login is rejected.
.Pp
If the UID matches, the use counter embedded in the one-time password
is compared to the last-use counter.
If the counter is less than or equal to the last-use counter, the
login is rejected.
This indicates a replay attack.
.Pp
If the counter is larger than the last-use counter, the counter
is stored as the new last-use counter, and the login is accepted.
.Sh FILES
.Bl -tag -width /var/db/yubikey
.It Pa /var/db/yubikey
Directory containing user entries for YubiKey.
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr login.conf 5
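The post-decryption checks the DESCRIPTION walks through (checksum, UID, then counter), as an added C example that is not login_yubikey's own code. It assumes the documented 16-byte YubiKey token layout and the ISO 13239 CRC-16 with its 0xf0b8 residue; the AES-128 decryption itself is left to the caller, with the constructed make_token output standing in for the decrypted block, and the way the two counter fields are folded into one value is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TOKEN_SIZE     16
#define CRC_OK_RESIDUE 0xf0b8 /* residue a correct ISO 13239 CRC-16 leaves over all 16 bytes */

/* ISO 13239 CRC-16: reflected polynomial 0x8408, initial value 0xffff, no final XOR. */
static uint16_t crc16(const uint8_t *buf, size_t len)
{
	uint16_t crc = 0xffff;
	for (size_t i = 0; i < len; i++) {
		crc ^= buf[i];
		for (int b = 0; b < 8; b++)
			crc = (crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1;
	}
	return crc;
}

/* Constructed plaintext token in the documented YubiKey layout: uid[6], session
 * counter (LE16, bit 15 is a volatile flag), timestamp[3], use counter, random[2],
 * complemented CRC (LE16). It stands in for the output of the AES decryption step. */
void make_token(uint8_t tok[TOKEN_SIZE], const uint8_t uid[6], uint16_t ctr, uint8_t use)
{
	memset(tok, 0, TOKEN_SIZE);
	memcpy(tok, uid, 6);
	tok[6] = ctr & 0xff; tok[7] = ctr >> 8;
	tok[8] = 0x11; tok[9] = 0x22; tok[10] = 0x33; /* arbitrary timestamp */
	tok[11] = use;
	tok[12] = 0x44; tok[13] = 0x55;               /* arbitrary random filler */
	uint16_t crc = ~crc16(tok, 14);
	tok[14] = crc & 0xff; tok[15] = crc >> 8;
}

/* The checks the man page lists after decryption. Returns 0 and updates *last_ctr
 * on success; -1 bad checksum, -2 UID mismatch, -3 counter not advanced (replay). */
int verify_token(const uint8_t tok[TOKEN_SIZE], const uint8_t uid[6], uint32_t *last_ctr)
{
	if (crc16(tok, TOKEN_SIZE) != CRC_OK_RESIDUE) return -1; /* wrong key, corrupted or forged */
	uint8_t diff = 0;                           /* constant-time UID comparison */
	for (int i = 0; i < 6; i++)
		diff |= tok[i] ^ uid[i];
	if (diff != 0) return -2;
	/* Assumed combination: the 15-bit session counter sits above the 8-bit use
	 * counter, so the pair acts as one monotonically increasing value. */
	uint32_t ctr = (uint32_t)(((tok[6] | (tok[7] << 8)) & 0x7fff) << 8) | tok[11];
	if (ctr <= *last_ctr) return -3;
	*last_ctr = ctr;                            /* new last-use counter */
	return 0;
}
```

A rejected token must leave the stored counter untouched, which is why the update is the last step; persisting the new value to user.ctr before reporting success is what makes the replay check hold across logins.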