I solved the problem: my server still uses PHP4, so it doesn't have the 'hash' requirement. I modified the following line:
$hmac = base64_encode(hash_hmac('sha1',$datastring,base64_decode($yubico_api_key), TRUE));
$hmac = base64_encode(mhash(MHASH_SHA1,$datastring,base64_decode($yubico_api_key)));
So that it uses mhash instead of the newer hash interface. Then it worked fine. Great! Now 'blog.josefsson.org' is a user of the yubikey/wordpress-plugin!
I would suggest that the code checks for the hash and curl libraries earlier. Is it possible to do this using a 'require' or similar?
I'm still curious whether it is possible to disable password authentication.
Happy you figured out the hash problem. I must admit I didn't think about testing against PHP4, as it is very, very close to end of life.
I have been looking into ways of testing for Curl & Hash lib presence, but there isn't any really nice way to do it in WordPress; you can't prevent the plugin from being installed or anything like that.
How about a solution where the plugin gets installed but the login page says that the functionality has been disabled due to missing libs?
I'm not sure there is a hook that makes it possible to disable password auth. But I'll look into it.
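The dependency check and hash/mhash fallback discussed in this thread, as an added example that is not part of the thread or the plugin's own code. The function names (yk_missing_requirements, yk_sign, yk_login_notice) and the sample key and data string are hypothetical; the notice is attached through WordPress's login_message filter only when WordPress is loaded.

```php
<?php
// Added example: helper names are hypothetical, not taken from the plugin.

// List the PHP features from the thread that this server lacks.
function yk_missing_requirements() {
    $missing = array();
    if (!function_exists('curl_init')) {
        $missing[] = 'curl';
    }
    // Either the newer hash extension or the older mhash one can do HMAC-SHA1.
    if (!function_exists('hash_hmac') && !function_exists('mhash')) {
        $missing[] = 'hash or mhash';
    }
    return $missing;
}

// Base64 HMAC-SHA1 of $datastring under the base64-encoded API key,
// matching the two lines quoted in the thread. Returns false if neither
// extension is present, so the caller never sends an unsigned request.
function yk_sign($datastring, $api_key_b64) {
    $key = base64_decode($api_key_b64);
    if (function_exists('hash_hmac')) {
        return base64_encode(hash_hmac('sha1', $datastring, $key, true));
    }
    if (function_exists('mhash')) {
        return base64_encode(mhash(MHASH_SHA1, $datastring, $key));
    }
    return false;
}

// Text for the login page when the feature has to be disabled.
function yk_login_notice($message) {
    $missing = yk_missing_requirements();
    if (count($missing) == 0) {
        return $message;
    }
    return $message . '<p>YubiKey login is disabled; missing PHP support: '
        . implode(', ', $missing) . '</p>';
}

// Register the notice only when running inside WordPress.
if (function_exists('add_filter')) {
    add_filter('login_message', 'yk_login_notice');
}

// Constructed sample values, for running this file on its own.
$sample_key = base64_encode('constructed-demo-key');
$sample_data = 'id=1&nonce=constructednonce&otp=constructedotp';
echo yk_sign($sample_data, $sample_key), "\n";
echo yk_login_notice(''), "\n";
```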