table of contents
other versions
- wheezy 1.7.0-1
- jessie 1.16.0-1
- jessie-backports 1.17.3-1~bpo8+1
- testing 1.17.3-1
- unstable 1.17.3-1
ykpersonalize(1) | General Commands Manual | ykpersonalize(1) |
NAME¶
ykpersonalize - personalize YubiKey OTP tokensSYNOPSIS¶
ykpersonalize [ -1 | -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption] [ -y] [-v] [-h] [ -n] [-t] [-u] [-x]OPTIONS¶
Set the AES key, user ID and other settings in a YubiKey. For the complete explanation of the meaning of all parameters, see the reference manual: YubiKey manual ⟨URL: http://yubico.com/files/YubiKey_manual-2.0.pdf ⟩- -1
- change the first configuration. This is the default and is normally used for true OTP generation. In this configuration, TKTFLAG_APPEND_CR is set by default.
- -2
- change the second configuration. This is for YubiKey II only and is then normally used for static key generation. In this configuration, TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET, CFGFLAG_STRONG_PW1, CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE are set by default.
- -sfile
- save configuration to file instead of key. (if file is -, send to stdout)
- -ifile
- read configuration from file. (if file is -, read from stdin)
- -axxx
- A 32 char (40 for OATH-HOTP and HMAC challenge-response) hex value (not modhex) of a fixed AES key to use.
- -cxxx
- A 12 char hex value (not modhex) to use as access code for programming. NOTE: this does NOT SET the access code, that's done with -oaccess =.
- -ooption
- change configuration option. Possible option arguments are
- salt=ssssssss
- Salt to be used when deriving key from a password. If none is given, a unique random one will be generated.
- fixed=fffffffffff
- The modhex public identity of the YubiKey, 0-16 characters long. It's possible to give the identity in hex as well, just prepend the value with `h:'. The fixed part is emitted before the OTP when the button on the YubiKey is pressed. It can be used as an identifier for the user, for example.
- uid=uuuuuu
- The uid part of the generated OTP, in hex. Must be 12 characters long. The uid is 6 bytes of static data that is included (encrypted) in every OTP, and is used to validate that an OTP was in fact encrypted with the AES key shared between the YubiKey and the validation service. It cannot be used to identify the YubiKey as it is only readable to those that know the AES key.
- access=fffffffffff
- New hex access code to set. Must be 12 characters long. If an access code is set, it will be required for subsequent reprogramming of the YubiKey.
- oath-imf=xxx
- Set OATH Initial Moving Factor. This is the initial counter value for the YubiKey. This should be a value between 0 and 1048560, evenly dividable by 16.
- [-]ticket-flag
- Set/clear ticket flag, see the section `Ticket flags'
- [-]configuration-flag
- Set/clear ticket flag, see the section `Configuration flags'
- -y
- always commit without prompting
- -v
- Be more verbose
- -h
- Help
- YubiKey NEO only
- -n URI
- Program NFC NDEF type 2 URI
- -t text
- Program NFC NDEF type 2 text
- YubiKey 2.3 and above
- -u
- Update existing configuration, rather than overwriting
- -x
- Swap configuration slot 1 and 2 inside the YubiKey
Ticket flags¶
- [-]tab-first
- Send a tab character as the first character. This is usually used to move to the next input field.
- [-]append-tab1
- Send a tab character between the fixed part and the one-time password part. This is useful if you have the fixed portion equal to the user name and two input fields that you navigate between using tab.
- [-]append-tab2
- Send a tab character as the last character.
- [-]append-delay1
- Add a half-second delay before sending the one-time password part.
- [-]append-delay2
- Add a half-second delay after sending the one-time password part.
- [-]append-cr
- Send a carriage return after sending the one-time password part.
- YubiKey 2.0 firmware and above
- [-]protect-cfg2
- When written to configuration 1, block later updates to configuration 2. When written to configuration 2, prevent configuration 1 from having the lock bit set.
- YubiKey 2.1 firmware and above
- [-]oath-hotp
- Set OATH-HOTP mode rather than YubiKey mode. In this mode, the token functions according to the OATH-HOTP standard.
- YubiKey 2.2 firmware and above
- [-]chal-resp
- Set challenge-response mode.
Configuration flags¶
[-] send-ref Send a reference string of all 16 modhex characters before the fixed part. This can not be combined with the strong-pw2 flag.- [-]pacing-10ms
- Add a 10ms delay between key presses.
- [-]pacing-20ms
- Add a 20ms delay between key presses.
- [-]static-ticket
- Output a fixed string rather than a one-time password. The password is still based on the AES key and should be hard to guess and impossible to remember.
- YubiKey 1.x firmware only
- [-]ticket-first
- Send the one-time password rather than the fixed part first.
- [-]allow-hidtrig
- Allow trigger through HID/keyboard by pressing caps-, num or scroll-lock twice. Not recommended for security reasons.
- YubiKey 2.0 firmware and above
- [-]short-ticket
- Limit the length of the static string to max 16 digits. This flag only makes sense with the -ostatic-ticket option.
- [-]strong-pw1
- Upper-case the two first letters of the output string. This is for compatibility with legacy systems that enforce both uppercase and lowercase characters in a password and does not add any security.
- [-]strong-pw2
- Replace the first eight characters of the modhex alphabet with the numbers 0 to 7. Like strong-pw1, this is intended to support legacy systems.
- [-]man-update
- Enable user-initiated update of the static password. Only makes sense with the -ostatic-ticket option.
- YubiKey 2.1 firmware and above
- [-]oath-hotp8
- When set, generate an 8-digit HOTP rather than a 6-digit one.
- [-]oath-fixed-modhex1
- When set, the first byte of the fixed part is sent as modhex.
- [-]oath-fixed-modhex2
- When set, the first two bytes of the fixed part is sent as modhex.
- [-]oath-fixed-modhex
- When set, the fixed part is sent as modhex.
- oath-id=m:OOTTUUUUUUUU
- Configure OATH token id with a provided value. See description of this option under the 2.2 section for details, but note that a YubiKey 2.1 key can't report it's serial number and thus a token identifier value must be specified.
- YubiKey 2.2 firmware and above
- [-]chal-yubico
- Yubico OTP challenge-response mode.
- [-]chal-hmac
- Generate HMAC-SHA1 challenge responses.
- [-]hmac-lt64
- Calculate HMAC on less than 64 bytes input. Whatever is in the last byte of the challenge is used as end of input marker (backtracking from end of payload).
- [-]chal-btn-trig
- The YubiKey will wait for the user to press the key (within 15 seconds) before answering the challenge.
- [-]serial-btn-visible
- The YubiKey will emit it's serial number if the button is pressed during power-up.
- [-]serial-usb-visible
- The YubiKey will indicate it's serial number in the USB iSerial field.
- [-]serial-api-visible
- The YubiKey will allow it's serial number to be read using an API call.
- oath-id[=m:OOTTUUUUUUUU]
- Configure OATH token id with a provided value, or if used
without a value use the standard YubiKey token identifier.
- YubiKey 2.3 firmware and above
- [-]use-numeric-keypad
- Send scancodes for numeric keypad keypresses when sending digits - helps with some keyboard layouts.
- [-]fast-trig
- Faster triggering when only configuration 1 is available.
- [-]allow-update
- Allow updating of certain parameters in a configuration at a later time.
- [-]dormant
- Hides/unhides a configuration stored in a YubiKey.
OATH-HOTP Mode¶
When using OATH-HOTP mode, a HMAC key of 160 bits (20 bytes, 40 chars of hex) can be supplied with -a.Challenge-response Mode¶
In CHAL-RESP mode, the token will NOT generate any keypresses when the button is pressed (although it is perfectly possible to have one slot with a keypress-generating configuration, and the other in challenge-response mode). Instead, a program capable of sending USB HID feature reports to the token must be used to send it a challenge, and read the response.Modhex¶
Modhex is a way of writing hex digits where the “digits” are chosen for being in the same place on most keyboard layouts.- To convert from hex to modhex, you can use
tr "[0123456789abcdef]"
"[cbdefghijklnrtuv]"
- To convert the other way, use
tr "[cbdefghijklnrtuv]"
"[0123456789abcdef]"
BUGS¶
Report ykpersonalize bugs in the issue tracker ⟨URL: https://github.com/Yubico/yubikey-personalization/issues ⟩SEE ALSO¶
The ykpersonalize home page ⟨URL: http://code.google.com/p/yubikey-personalization/ ⟩ YubiKeys can be obtained from Yubico ⟨URL: http://www.yubico.com/ ⟩.August 2009 | yubikey-personalization |