• If you already run a WordPress blog you can easily turn it into an OpenID provider to be used with your YubiKey.  What you need is the OpenID plugin and the YubiKey plugin.
• If you decide to personalize your YubiKey I can very much recommend the DuckCorp YubikeyHelp, in addition to the official documentation.
• The new 2.x version of yubikey-val-server-php seems to prefer being part of a group of validation servers, being kept in sync with each other. Failing to figure out how to configure my standalone installation to disregard that synchronization I modified ykval-verify.php (see patch) not to perform those checks.
• The YubiKey WordPress plugin mentioned earlier is hardcoded into using the official Yubico validation server. Apart from  the validation URL, set in the function yubikey_verify_otp(), there is also the length of the key id. Just look for the numeric value 12 and you will find where the key id is being used.

No, this post is not meant to make sense on its own. You probably need to be at least somewhat familiar with the YubiKey as well as the services provided by Yubico.

The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (comment) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required  pam_deny.so

If you only want allow OTP-logins; this line will do.

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP-logins. To initialize a user; run opiepasswd (equivivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.