A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.
However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.
Yeah I've looked at every bit of available source to do with the Yubikey and they all provide excellent references. Our authentication requirements are from initial logon and require PAM compatibility so the Java server won't suffice in this situation.
The specs we would be looking at implementing are:
1. minimalist database backend tracking public id, AES key
2. per user settings tracking private id and previous logon times
3. usb event actions on (detection yubikey insert and removal)
4. adminstration tool for coding a yubikey whilst syncing with the user database
If there is an available linux config tool for testing we would be happy to assist.
I think the PAM module should be enhanced with AES-decryption capabilities, and a small database. That would solve your 1 and 2.
For 3, just check for the yubikey usb id's in the output from e.g. 'lsusb'.
Regarding 4, we have some Windows LibUSB based code to program a new AES key available:http://code.google.com/p/yubico-usb-win32/
We haven't made the code public yet, so don't tell anyone.
It is possible to get this code running under linux, but for some reason in order to avoid problem with an exclusive lock from the 'usbhid' driver you will need to re-load the usb drivers if you want to program a new AES key:
rmmod usbhid && modprobe usbhid quirks=0x1050:0x0010:0x04
Either the code should be merged into 'yubico-c' or a separate project should be started, with some more linux-friendly makefiles and build scripts. There a few minor flaws in the published code, but you'll notice them for yourself.