TwoFactorPAMConfiguration
PAM configuration is somewhat complex, but a typical use case is to require both a password and a Yubikey to allow access. This can be achieved with a PAM configuration like this:

    auth requisite pam_yubico.so id=42
    auth required pam_unix.so use_first_pass

The first line makes pam_yubico check the OTP. Use a ~/.yubikeys/ directory to specify which yubikeys should be allowed access. The next line says that the password to check should be received from the earlier PAM modules ("use_first_pass") and that the module should not query for passwords.

Of course, if you use username/password verification from a SQL database or LDAP, you need to change the second line above. But the module you use needs to support "use_first_pass" for this to work. Most modules support this.

Be sure to comment out any other 'auth' lines in your PAM configuration, unless you want those. For example, Debian contains a '@include common-auth' which would confuse the configuration.
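A small audit for the configuration above, as an added example that is not part of the original page or of pam_yubico: it parses a PAM service file and reports the problems the text warns about (an active '@include common-auth', other active 'auth' lines, a password module without "use_first_pass"). The function name audit_pam_auth and both sample files are constructed for illustration; as an assumption beyond the page, it also flags a pam_yubico line whose control is neither requisite nor required.

```python
import re

# Constructed sample service files (not from the original page).
GOOD = """\
# @include common-auth
auth requisite pam_yubico.so id=42
auth required pam_unix.so use_first_pass
account required pam_unix.so
"""
BAD = """\
@include common-auth
auth sufficient pam_yubico.so id=42
auth required pam_unix.so
auth required pam_deny.so
"""

# type, control (keyword or [bracketed]), module path, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_pam_auth(text):
    """Return findings for one PAM service file; [] means the two-line stack is intact."""
    findings, auth = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("@include"):
            if line.endswith("auth"):
                findings.append(f"line {n}: active '{line}' pulls in more auth rules")
            continue
        m = RULE.match(line)
        if m and m.group(1) == "auth":
            auth.append((n, m.group(2), m.group(3), m.group(4).split()))
    pos = next((i for i, a in enumerate(auth) if a[2].endswith("pam_yubico.so")), None)
    if pos is None:
        return findings + ["no active pam_yubico.so auth line"]
    n, control, _, _ = auth[pos]
    if control not in ("requisite", "required"):
        findings.append(f"line {n}: pam_yubico.so is '{control}', not requisite/required")
    if pos + 1 >= len(auth):
        findings.append("no password module after pam_yubico.so")
    else:
        n, _, module, args = auth[pos + 1]
        if "use_first_pass" not in args:
            findings.append(f"line {n}: {module} lacks use_first_pass")
    for i, (n, _, module, _) in enumerate(auth):
        if i not in (pos, pos + 1):
            findings.append(f"line {n}: extra active auth line ({module})")
    return findings
```

It inspects only the text passed in and does not follow '@include' targets, so included files need to be audited separately.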