Why do we care if the user exists? Ideally, you want the code to behave more or less the same whether the user is real or not. Otherwise, a remote attacker can guess valid usernames by timing a login attempt.
For safety's sake, it makes sense to reject a username with a '/' in it since the yubikey database is just a directory where each user has a file. But I don't see the need to bail early just because the user is not in the passwd database since yubikey_login() will only succeed if the user has an entry. - todd
