Successfully authenticating against yubico-pam without having a YubiKey at
all takes knowing one thing and doing another, using a simple MITM
technique.
First, you need to know a username on the server to ssh in with.
Second, hijack the traffic that would go to api.yubikey.com and craft a
response to the module with a 'status=OK' in it. It does not have to
contain an HMAC or timestamp at all.
With this set up, the server proudly grants access to whatever you
protected with yubico-pam.
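The check whose absence is described above, as an added example (not code from this report or from yubico-pam): a client that accepts `status=OK` only when the response carries a timestamp and a valid HMAC-SHA1 signature and echoes the OTP and nonce it sent. The signature layout follows the Yubico validation protocol (base64 HMAC-SHA1 over the sorted `key=value` pairs, without `h`); the key, OTP, nonce and function names are constructed for the example.

```python
import base64
import hashlib
import hmac

API_KEY = b"constructed-demo-key"   # constructed shared secret, not a real API key
OTP = "cccccccccccb" + "d" * 32      # constructed 44-character OTP
NONCE = "0123456789abcdef"           # constructed nonce the client sent

def parse_response(body):
    """Parse the key=value lines of a validation response into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def sign(fields, api_key):
    """Base64 HMAC-SHA1 over the sorted key=value pairs, leaving out 'h'."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(api_key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def make_response(fields, api_key):
    """Build a signed response body (stands in for the validation server)."""
    signed = dict(fields, h=sign(fields, api_key))
    return "\r\n".join(f"{k}={v}" for k, v in signed.items())

def verify_response(body, api_key, sent_otp, sent_nonce):
    """Return (accepted, reason); only a signed, matching status=OK passes."""
    f = parse_response(body)
    if "h" not in f or "t" not in f:
        return False, "missing signature or timestamp"
    if not hmac.compare_digest(sign(f, api_key).encode(), f["h"].encode()):
        return False, "bad signature"
    if f.get("otp") != sent_otp or f.get("nonce") != sent_nonce:
        return False, "otp or nonce mismatch"
    if f.get("status") != "OK":
        return False, "status " + f.get("status", "missing")
    return True, "ok"

GENUINE = make_response({"t": "2024-01-01T00:00:00Z0123", "otp": OTP,
                         "nonce": NONCE, "sl": "100", "status": "OK"}, API_KEY)
UNSIGNED = "status=OK\r\n"  # the bare reply described in the report

if __name__ == "__main__":
    print(verify_response(GENUINE, API_KEY, OTP, NONCE))
    print(verify_response(UNSIGNED, API_KEY, OTP, NONCE))
```

The signature is checked before `status` is read, so an unsigned or wrongly signed reply is rejected whatever status it claims.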