SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG
DONATE


YUM REPOSITORY

 
 

MAN page from Fedora 16 ykpers-1.6.0-2.fc16.i686.rpm

ykpersonalize

Section: Misc. Reference Manual Pages (1)
Updated: August 2009
Index 

NAME

ykpersonalize - personalize Yubikey OTP tokens 

SYNOPSIS

ykpersonalize[-1 | -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption] [-v] [-h] 

OPTIONS

Set the AES key, user ID and other settings in a Yubikey. For the completeexplanation of the meaning of all parameters, see the referencemanual:http://yubico.com/files/YubiKey_manual-2.0.pdf laURL: L raYubikey manual

-1
change the first configuration. This is the default and isnormally used for true OTP generation. In this configuration,TKTFLAG_APPEND_CR is set by default.
-2
change the second configuration. This is for Yubikey II only and isthen normally used for static key generation. In this configuration,TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET, CFGFLAG_STRONG_PW1,CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE are set by default.
-sfile
save configuration to file instead of key.(if file is -, send to stdout)
-ifile
read configuration from file.(if file is -, read from stdin)
-axxx
A 32 char (40 for OATH-HOTP and HMAC challenge-response) hex value (not modhex) of a fixed AES key to use.
-cxxx
A 12 char hex value (not modhex) to use as access code forprogramming.NOTE: this does NOT SET the access code, that's done with -oaccess=.
-ooption
change configuration option. Possible option arguments are
salt=ssssssss
Salt to be used when deriving key from a password.If none is given, a unique random one will be generated.
fixed=fffffffffff
The modhex public identity of the Yubikey, 0-16 characters long.It's possible to give the identity in hex as well, just prepend thevalue with `h:'. The fixed part is emitted before the OTP when thebutton on the Yubikey is pressed. It can be used as an identifier forthe user, for example.
uid=uuuuuu
The uid part of the generated OTP, in hex.Must be 12 characters long. The uid is 6 bytes of static data that is included(encrypted) in every OTP, and is used to validate that an OTP was in fact encryptedwith the AES key shared between the Yubikey and the validation service. It cannotbe used to identify the Yubikey as it is only readable to those that knowthe AES key.
access=fffffffffff
New hex access code to set. Must be 12 characters long.If an access code is set, it will be required for subsequent reprogramming of the Yubikey.
[-]ticket-flag
Set/clear ticket flag, see the section `Ticket flags'
[-]configuration-flag
Set/clear ticket flag, see the section `Configuration flags'
-y
always commit without prompting
-v
Be more verbose
-h
Help
 

Ticket flags

[-]tab-first
Send a tab character as the first character. This is usually used to moveto the next input field.
[-]append-tab1
Send a tab character between the fixed part and the one-time passwordpart. This is useful if you have the fixed portion equal to the username and two input fields that you navigate between using tab.
[-]append-tab2
Send a tab character as the last character.
[-]append-delay1
Add a half-second delay before sending the one-time password part.
[-]append-delay2
Add a half-second delay after sending the one-time password part.
[-]append-cr
Send a carriage return after sending the one-time password part.
Yubikey 2.0 firmware and above
[-]protect-cfg2
When written to configuration 1, block later updates to configuration2. When written to configuration 2, prevent configuration 1 fromhaving the lock bit set.
Yubikey 2.1 firmware and above
[-]oath-hotp
Set OATH-HOTP mode rather than Yubikey mode. In this mode, the tokenfunctions according to the OATH-HOTP standard.
Yubikey 2.2 firmware and above
[-]chal-resp
Set challenge-response mode.
 

Configuration flags

[-]send-refSend a reference string of all 16 modhex characters before the fixedpart. This can not be combined with the strong-pw2 flag.
[-]pacing-10ms
Add a 10ms delay between key presses.
[-]pacing-20ms
Add a 20ms delay between key presses.
[-]static-ticket
Output a fixed string rather than a one-time password. The passwordis still based on the AES key and should be hard to guess andimpossible to remember.
Yubikey 1.x firmware only
[-]ticket-first
Send the one-time password rather than the fixed part first.
[-]allow-hidtrig
Allow trigger through HID/keyboard by pressing caps-, num orscroll-lock twice. Not recommended for security reasons.
Yubikey 2.0 firmware and above
[-]short-ticket
Limit the length of the static string to max 16 digits. This flagonly makes sense with the -ostatic-ticket option.
[-]strong-pw1
Upper-case the two first letters of the output string. This is forcompatibility with legacy systems that enforce both uppercase andlowercase characters in a password and does not add any security.
[-]strong-pw2
Replace the first eight characters of the modhex alphabet with thenumbers 0 to 7. Like strong-pw1, this is intended to supportlegacy systems.
[-]man-update
Enable user-initiated update of the static password. Only makes sensewith the -ostatic-ticket option.
Yubikey 2.1 firmware and above
[-]oath-hotp8
When set, generate an 8-digit HOTP rather than a 6-digit one.
[-]oath-fixed-modhex1
When set, the first byte of the fixed part is sent as modhex.
[-]oath-fixed-modhex2
When set, the first two bytes of the fixed part is sent as modhex.
[-]oath-fixed-modhex
When set, the fixed part is sent as modhex.
Yubikey 2.2 firmware and above
[-]chal-yubico
Yubico OTP challenge-response mode.
[-]chal-hmac
Generate HMAC-SHA1 challenge responses.
[-]hmac-lt64
Calculate HMAC on less than 64 bytes input. Whatever is in the last byteof the challenge is used as end of input marker (backtracking from end of payload).
[-]chal-btn-trig
The Yubikey will wait for the user to press the key (within 15 seconds) beforeanswering the challenge.

 

OATH-HOTP Mode

When using OATH-HOTP mode, a HMAC key of 160 bits (20 bytes, 40 chars of hex)can be supplied with -a.

The token identifier can be set with the -ofixed= option.See section "5.3.4 - OATH-HOTP Token Identifier" of thehttp://yubico.com/files/YubiKey_manual-2.0.pdf laURL: L raYubikey manualfor details, but in short the token identifier is 2 bytes manufacturer prefix,2 bytes token type and then 8 bytes manufacturer unique ID.

 

Challenge-response Mode

In CHAL-RESP mode, the token will NOT generate any keypresses when the buttonis pressed (although it is perfectly possible to have one slot with a keypress-generatingconfiguration, and the other in challenge-response mode). Instead, a program capable ofsending USB HID feature reports to the token must be used to send it a challenge, andread the response.

 

Modhex

Modhex is a way of writing hex digits where the lqdigitsrq arechosen for being in the same place on most keyboard layouts.
To convert from hex to modhex, you can use
tr "[0123456789abcdef]" "[cbdefghijklnrtuv]"
To convert the other way, use
tr "[cbdefghijklnrtuv]" "[0123456789abcdef]"

 

BUGS

Report ykpersonalize bugs in https://github.com/Yubico/yubikey-personalization/issues laURL: L rathe issue tracker 

SEE ALSO

The http://code.google.com/p/yubikey-personalization/ laURL: L raykpersonalize home page

Yubikeys can be obtained fromhttp://www.yubico.com/ laURL: L raYubico


 

Index

NAME
SYNOPSIS
OPTIONS
Ticket flags
Configuration flags
OATH-HOTP Mode
Challenge-response Mode
Modhex
BUGS
SEE ALSO

This document was created byman2html,using the manual pages.