The relevant part of the ~/.ratpoisonrc :

set status_format="/usr/local/bin/notify.sh '%r %f (%L) [Msgs:%?M?%M/?%m%?n? New:%n?%?d? Del:%d?%?F? Flag:%F?%?t? Tag:%t?%?p? Post:%p?%?b? Inc:%b?]'|"

/usr/local/bin/notify.sh (quick 'n dirty but it works!) :

#!/bin/bash
#
# Small script which display a message in ratpoison 
# when new incoming mail
#

echo "$1" | grep -q "New" > /dev/null 2>&1

if [ $? -eq 0 ];
then
  ratpoison -c "echo Unread mail in Inbox"
fi

echo "$1"

Working features :

• Config file in INI format
• Multiple Yubikeys support for each user
• "Whitelist" : you can define IP (or networks using CIDR notation) for clients which doesn't need to provide OTP.
• HMAC verification
• Error logging

Planned features :

• Integration of PreludeEasy to report authentication failures to your Prelude SIEM manager.

Available from my Git repository.

Ratpoison is a keyboard driven window manager.
I've written a small perl script designed to be called via standard Ratpoison bind functions to interact with Midori (can be easily used with other web browsers). Here are the default binds :

• :gg : search for in google.com
• :dp : load packages.debian.org page of
• :db : load bugs.debian.org page of
• :wi : search for in Wikipedia

There is also a shortcut (actually bind to escape-g) which send the current selection to the browser, if the selection is an URL, load it into the browser, otherwise search for string in Google.

Relevant part of my ~/.ratpoisonrc :

# Browser Wrapper
bind g exec ~/bin/browser_wrapper.pl selection `$RATPOISON -c getsel`
alias gg exec ~/bin/browser_wrapper.pl gg
alias dp exec ~/bin/browser_wrapper.pl dp
alias db exec ~/bin/browser_wrapper.pl db
alias wi exec ~/bin/browser_wrapper.pl wi

~/bin/browser_wrapper.pl :

#!/usr/bin/perl

{
  my $shortcut = $ARGV[0] || 'gg';
  my $browser = "/usr/bin/midori";
  my $request = undef;
  my $url = undef;

  foreach $argnum ( 1 .. $#ARGV ) {
    $request .= $ARGV[$argnum].'%20';
  }

  $request =~ s/\%20$//;

  my $shortcuts_table = {
    'gg' => sub {
              $url = "http://www.google.fr/search?q=" . $request;
              system( $browser . " " . $url );
            },

    'dp' => sub {
              $url = "http://packages.debian.org/" . $request;
              system( $browser . " " . $url );
            },

    'db' => sub {
              $url = "http://bugs.debian.org/" . $request;
              system( $browser . " " . $url );
            },

    'wi' => sub {
              $url = "http://en.wikipedia.org/wiki/" . $request;
              system( $browser . " " . $url );
            },

    'selection' => sub {
              if ( $request =~ m/^http:\/\/.*/ ) {
                $url = $request;
              } else {
                $url = "http://www.google.fr/search?q=" . $request;
              }
              system( $browser . " " . $url );
            }
  };

  $shortcuts_table->{$shortcut} ? $shortcuts_table->{$shortcut}->() : $shortcuts_table->{'gg'}->();
}
0;

Put the following line into ~/.mailcap :

text/html; w3m -I %{charset} -T text/html -dump; copiousoutput

And just append :

auto_view text/html

in ~/.mutt/muttrc

Package : http://packages.debian.org/sid/libnet-akamai-perl
Bugs : http://packages.debian.org/libnet-akamai.perl

This version is based on the latest released version available on the official SimpleID website: 0.7.1 and also include patches to work correctly with PHP 5.3.1.
I will contact the author to see if he's interested in this feature and if he wants these patches to be included in the official SimpleID tree, but if for any reason they would not be accepted, i'll keep my git repository up-to-date with any future release.

More interesting than a long blahblah here is the git repository : http://github.com/adedommelin/simpleid-yubikey

Please take 2 minutes to read the small README as it explains how to associate your key to your OpenID Identity.

What is Two-Factor authentication ?

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) or (2FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor authentication typically is a signing-on process where a person proves his or her identity with two of the three methods: "something you know" (e.g., password or PIN), "something you have" (e.g.,smartcard or token), or "something you are" (e.g., fingerprint or iris scan).

How does the Yubikey work ?

A Yubikey is a small USB HID device which is seen as a generic keyboard (no driver needed) with a small button. Each time the button is pressed it generates a one-time password secured using AES-128 encryption and ModHex encoding. For more details, you can have a look at this detailed article.

How to integrate a Yubikey in the SSH login process ?

There is various solutions available, one of them is to use the a PAM module, but it's still in development and users reports some crashes, so it doesn't sound a very good solution to me at this time.
The other solution (the one I'll present in this article) was to develop a script which will be invoked at each login, before giving a shell to the user, which will check the OTP.

Ok ... ok ! But how can I use it with my OpenSSH server ?

Here is the way my solution works : I've added a group called "yubikey" on the system. The SSH server will execute the authentication script for all the members of this group on each login (this is done using the sshd_config Match directive). The script will ask the user to generate an OTP using his Yubikey, check if this key is authorized for this user, parsing ~/.ssh/trusted_yubikeys then proceed to the validation of the password. If everything is fine the script gives the user his shell.
Here are all the steps in detail :

Create the group :

$ groupadd yubikey

Add your user inside the group :

$ adduser mon_user yubikey

Specify the trusted keys for this user :

$ cd /home/mon_user/.ssh
$ echo "yubikeyid" >> trusted_yubikeys

Create the script in /usr/local/bin/yubikey.sh :

#!/bin/bash
#
# (c) 2010 Alexandre De Dommelin
#
# This program is free software. It comes without any warranty, to
# the extent permitted by applicable law. You can redistribute it
# and/or modify it under the terms of the Do What The Fuck You Want
# To Public License, Version 2, as published by Sam Hocevar. See
# http://sam.zoy.org/wtfpl/COPYING for more details.
#

YUBICO_API_ID="XXXX"
TRUSTED_KEYS_FILE="$HOME/.ssh/trusted_yubikeys"

STD="\\033[0;39m"
OK="\\033[1;32m[i]$STD"
ERR="\\033[1;31m[e]$STD"

##################################################
## Disconnect clients trying to exit the script ##
##################################################

trap disconnect INT
disconnect() {
  sleep 1
  kill -9 $PPID
  exit 1
}


echo ""
echo "** One-Time Password Validation Step **"
echo ""

echo -n "Please provide Yubi OTP then enter Ctrl-d: "
OTP=`tr -c -d a-z < /dev/tty`
KEY_ID=${OTP:0:12}


####################################
## Get user-trusted yubikeys list ##
####################################

if [ ! -f $TRUSTED_KEYS_FILE ]
then
  echo -e "$ERR Unable to find trusted keys list"
  disconnect
else
  TRUSTED_KEYS=`cat $TRUSTED_KEYS_FILE`
fi



#######################################
## Iterate through trusted keys list ##
#######################################

for trusted in ${TRUSTED_KEYS[@]}
do
  if [ $KEY_ID = $trusted ]
  then
    echo -e "$OK Found key in $TRUSTED_KEYS_FILE - validating OTP now ..."

    if wget "https://api.yubico.com/wsapi/verify?id=$YUBICO_API_ID&otp=$OTP" -O - 2> /dev/null | grep "status=OK" > /dev/null
    then
      echo -e "$OK OTP validated"

      exec `grep "^$(whoami)" /etc/passwd | cut -d ":" -f 7`
    else
      echo -e "$ERR Unable to validate generated OTP" > /dev/stderr
      sleep 1
      disconnect
    fi
  fi
done

echo -e "$ERR Key not trusted" > /dev/stderr
disconnect

Give it the right permissions :

$ chmod 755 /usr/local/bin/yubikey.sh

Configure /etc/ssh/sshd_config with this parameters :

Match group yubikey
        ForceCommand /usr/local/bin/yubikey.sh

Then restart SSH server :

$ /etc/init.d/ssh restart

Important notes

• Keep an active SSH session during your tests :-)
• You have to put your API ID in YUBICO_API_ID inside the script. API ID can be obtained at api.yubico.com
• Make sure that ~/.ssh/trusted_keys is readable by the matching user
• Of course, you can use your own validation server, just adapt the script accordingly
• I'm not responsible of what you do, this script works for me, but it comes with no warranty, if your dog die tomorrow or anything else like that don't blame me
• Updated versions will be commited to my Github repository

Medor use the RFIDIOT library to access the RFID reader, have a look at my previous article to know how to use it on Debian GNU/Linux.

Here are the 2 main scripts (up-to-date release will be available on my github under dotfiles/openbox/bin/Medor)

Medor.sh

#!/bin/bash
#
# Medor v0.1
# Alex "laotseu" DE DOMMELIN - http://blog.tuxz.net
#
# This program is free software. It comes without any warranty, to
# the extent permitted by applicable law. You can redistribute it
# and/or modify it under the terms of the Do What The Fuck You Want
# To Public License, Version 2, as published by Sam Hocevar. See
# http://sam.zoy.org/wtfpl/COPYING for more details.
#

RFID_ID="MYTAGID"
CHECK_TAG_SCRIPT="/home/laotseu/.config/openbox/bin/Medor/python-rfid/checkTag.py"

SCREENLOCK="xlock"
SCREENLOCK_OPTS="-mode blank"
XMPP_ALERT="/home/laotseu/.config/openbox/bin/Medor/xmpp_alert.py"



function protect() {
  (ssh-agent -k > /dev/null 2>&1)
  ($XMPP_ALERT "$(date) Security Alert : RFID reader unplugged" > /dev/null 2>&1)
  lock;
}

function lock() {
  ($SCREENLOCK $SCREENLOCK_OPTS &)
}

function unlock() {
  (/usr/bin/killall -9 $SCREENLOCK)
}



## Main Loop ##

ALERT_SENT=0
while [ 42 ];
do
  TAG=`$CHECK_TAG_SCRIPT 2>/dev/null`

  case $? in
    ############################
    ## Reader not present :-( ##
    ############################
    1 )
      if [ $ALERT_SENT -eq 0 ];
      then
        protect;
        ALERT_SENT=1
      fi;
    ;;


    #################################
    ## No tag present, lock screen ##
    #################################
    255 )
      (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
      if [ $? -eq 1 ];
      then
        lock;
      fi;
    ;;


    #############################################
    ## Tag present, check if allowed to unlock ##
    #############################################
    0 )
      if [ "$TAG" == "$RFID_ID" ];
      then
        (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
        if [ $? -eq 0 ];
        then
          unlock;
          ALERT_SENT=0
        fi;
      else
        (/bin/pidof $SCREENLOCK > /dev/null 2>&1)
        if [ $? -eq 1 ];
        then
          lock;
        fi;
      fi;
      ;;
  esac

  sleep 3
done;

checkTag.py

#!/usr/bin/python

import RFIDIOtconfig
import os

try:
  card = RFIDIOtconfig.card
except:
  os._exit(1)

if card.select():
  print "%s" % card.uid
else:
  os._exit(-1)

You need to install some packages :
apt-get install python-pyscard pcscd pcsc-tools python-pycryptopp python-serial python-crypto

Then download the latest release of RFIDIOT (RFID IO Tools) here and simply extract it.

Plug-in the reader and start pcsc_scan, you should see something like that :

found one
Scanning present readers
0: ACS ACR 38U-CCID 00 00 

The "0:" is the reader id, so ctrl+c out of pcsc_scan, edit RFIDIOtconfig.py, jump down to the readernum= directive, and change that to the correct id given by pcsc_scan.

You should now be able to test your reader using one of the contributed script such as multiselect.py.

An OpenID is in the form of a unique URL, and is authenticated by the user's 'OpenID provider' (that is, the entity hosting their OpenID URL).The OpenID protocol does not rely on a central authority to authenticate a user's identity. Since neither the OpenID protocol nor Web sites requiring identification may mandate a specific type of authentication, non-standard forms of authentication can be used, such as smart cards, biometrics, or ordinary passwords.

While you can create an identity on various providers websites (it's possible you already have one see Get an Openid) you may want to host your own identity server.

There are a lot of identities servers, in various languages (PHP, Ruby, Python, Java...) i've decided to use SimpleID a lightweight PHP-based solution which doesn't rely on any database. Here is an overview of these features :

• Support for OpenID 1.1 and 2.0
• Support for Simple Registration Extension 1.0 and 1.1 draft
• Multiple identities support

Installation

Start by downloading the archive at Sourceforge, extract it then move the cache, identities, www folders to your webserver.
Configure your Web Server (apache, lighttpd...) by adding a new virtualhost pointing to the "www" folder. For standard use, you don't need to setup any rewrite rule or anything else.
Rename config.default.inc to config.inc, then edit this file to put correct paths for the different needed folders
 

Add an Identity

Create an identity file called "yournickname.identity" in the identities folder, your apache/lighttpd user must have read access to this file.

identity=http://vhost.yourdomain.tld
pass=3408cad97ec7f9c09775da84048ecc0
[sreg]
nickname=your_nickname
email=yourmail@domain.tld
administrator=1
fullname=John Doe
dob=1957-01-02
gender=M
postcode=1234
country=ch
language=en
timezone=Europe/Zurich

As for the "pass" line, you have to put the MD5 Hash of your password.

That's all, you can now login to SimpleID using your new identity, and use this identity to login in various websites.