Provided by: yubikey-personalization_1.6.3-1_amd64

NAME

       ykpersonalize - personalize YubiKey OTP tokens

SYNOPSIS

       ykpersonalize [-1 | -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption] [-y] [-v] [-h]

OPTIONS

       Set the AES key, user ID and other settings in a YubiKey.  For the complete explanation of
       the meaning of all parameters, see the reference manual: YubiKey manual
       ⟨http://yubico.com/files/YubiKey_manual-2.0.pdf⟩

       -1     change  the first configuration.  This is the default and is normally used for true
              OTP generation.  In this configuration, TKTFLAG_APPEND_CR is set by default.

       -2     change the second configuration.  This is for YubiKey II only and is then  normally
              used   for  static  key  generation.   In  this  configuration,  TKTFLAG_APPEND_CR,
              CFGFLAG_STATIC_TICKET,       CFGFLAG_STRONG_PW1,       CFGFLAG_STRONG_PW2       and
              CFGFLAG_MAN_UPDATE are set by default.

       -sfile save configuration to file instead of key.  (if file is -, send to stdout)

       -ifile read configuration from file.  (if file is -, read from stdin)

       -axxx  A  32 char (40 for OATH-HOTP and HMAC challenge-response) hex value (not modhex) of
              a fixed AES key to use.

       -cxxx  A 12 char hex value (not modhex) to use as access code for programming.  NOTE: this
              does NOT SET the access code, that's done with -oaccess=.

       -ooption
              change configuration option.  Possible option arguments are

              salt=ssssssss
                     Salt  to  be  used  when  deriving key from a password.  If none is given, a
                     unique random one will be generated.

              fixed=fffffffffff
                     The modhex public identity of  the  YubiKey,  0-16  characters  long.   It's
                     possible  to  give  the identity in hex as well, just prepend the value with
                     `h:'. The fixed part is emitted before  the  OTP  when  the  button  on  the
                     YubiKey  is  pressed.  It  can  be  used  as an identifier for the user, for
                     example.

              uid=uuuuuu
                     The uid part of the generated OTP, in hex.  Must be 12 characters long.  The
                     uid is 6 bytes of static data that is included (encrypted) in every OTP, and
                     is used to validate that an OTP was in  fact  encrypted  with  the  AES  key
                     shared  between the YubiKey and the validation service. It cannot be used to
                     identify the YubiKey as it is only readable to those that know the AES key.

              access=fffffffffff
                     New hex access code to set. Must be 12 characters long.  If an  access  code
                     is set, it will be required for subsequent reprogramming of the YubiKey.

              oath-imf=xxx
                     Set the OATH Initial Moving Factor.  This is the initial counter value for the
                     YubiKey.  It must be a value between 0 and 1048560, evenly divisible by 16.

              [-]ticket-flag
                     Set/clear ticket flag, see the section `Ticket flags'

              [-]configuration-flag
                     Set/clear configuration flag, see the section `Configuration flags'

       -y     always commit without prompting

       -v     Be more verbose

       -h     Help

Ticket flags

       [-]tab-first
              Send  a  tab character as the first character.  This is usually used to move to the
              next input field.

       [-]append-tab1
              Send a tab character between the fixed part and the one-time password part. This is
              useful  if  you  have the fixed portion equal to the user name and two input fields
              that you navigate between using tab.

       [-]append-tab2
              Send a tab character as the last character.

       [-]append-delay1
              Add a half-second delay before sending the one-time password part.

       [-]append-delay2
              Add a half-second delay after sending the one-time password part.

       [-]append-cr
              Send a carriage return after sending the one-time password part.

       YubiKey 2.0 firmware and above

       [-]protect-cfg2
              When written to configuration 1, block later  updates  to  configuration  2.   When
              written to configuration 2, prevent configuration 1 from having the lock bit set.

       YubiKey 2.1 firmware and above

       [-]oath-hotp
              Set  OATH-HOTP  mode  rather  than YubiKey mode.  In this mode, the token functions
              according to the OATH-HOTP standard.

       YubiKey 2.2 firmware and above

       [-]chal-resp
              Set challenge-response mode.

Configuration flags

       [-]send-ref
              Send a reference string of all 16 modhex characters before the fixed part.  This
              cannot be combined with the strong-pw2 flag.

       [-]pacing-10ms
              Add a 10ms delay between key presses.

       [-]pacing-20ms
              Add a 20ms delay between key presses.

       [-]static-ticket
              Output a fixed string rather than a one-time password.  The password is still based
              on the AES key and should be hard to guess and impossible to remember.

       YubiKey 1.x firmware only

       [-]ticket-first
              Send the one-time password rather than the fixed part first.

       [-]allow-hidtrig
              Allow trigger through HID/keyboard by pressing caps-,  num  or  scroll-lock  twice.
              Not recommended for security reasons.

       YubiKey 2.0 firmware and above

       [-]short-ticket
              Limit the length of the static string to max 16 digits.  This flag only makes sense
              with the -ostatic-ticket option.

       [-]strong-pw1
              Upper-case the two first letters of the output string.  This is  for  compatibility
              with  legacy  systems  that  enforce  both  uppercase and lowercase characters in a
              password and does not add any security.

       [-]strong-pw2
              Replace the first eight characters of the modhex alphabet with the numbers 0 to  7.
              Like strong-pw1, this is intended to support legacy systems.

       [-]man-update
              Enable  user-initiated  update  of  the static password.  Only makes sense with the
              -ostatic-ticket option.

       YubiKey 2.1 firmware and above

       [-]oath-hotp8
              When set, generate an 8-digit HOTP rather than a 6-digit one.

       [-]oath-fixed-modhex1
              When set, the first byte of the fixed part is sent as modhex.

       [-]oath-fixed-modhex2
              When set, the first two bytes of the fixed part are sent as modhex.

       [-]oath-fixed-modhex
              When set, the fixed part is sent as modhex.

       YubiKey 2.2 firmware and above

       [-]chal-yubico
              Yubico OTP challenge-response mode.

       [-]chal-hmac
              Generate HMAC-SHA1 challenge responses.

       [-]hmac-lt64
              Calculate the HMAC over fewer than 64 bytes of input.  Whatever is in the last byte
              of the challenge is used as the end-of-input marker (backtracking from the end of
              the payload).

       [-]chal-btn-trig
              The  YubiKey  will  wait  for  the user to press the key (within 15 seconds) before
              answering the challenge.

       [-]serial-btn-visible
              The YubiKey will emit its serial number if the button is pressed during power-up.

       [-]serial-usb-visible
              The YubiKey will indicate its serial number in the USB iSerial field.

       [-]serial-api-visible
              The YubiKey will allow its serial number to be read using an API call.

OATH-HOTP Mode

       When using OATH-HOTP mode, an HMAC key of 160 bits (20 bytes, 40 chars of hex) can  be
       supplied with -a.

       The  token identifier can be set with the -ofixed= option.  See section "5.3.4 - OATH-HOTP
       Token Identifier" of the YubiKey  manual  ⟨http://yubico.com/files/YubiKey_manual-2.0.pdf⟩
       for  details,  but  in  short the token identifier is 2 bytes manufacturer prefix, 2 bytes
       token type and then 8 bytes manufacturer unique ID.
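       The following is an added example, not code from the ykpersonalize man page or from the
       yubikey-personalization project.  It shows what the validating side computes for a slot
       programmed with -ooath-hotp: RFC 4226 HOTP over the 20-byte key given with -a, with the
       counter starting at the -ooath-imf= value and 6 digits (or 8 with oath-hotp8).  The
       look-ahead window size and the verify_hotp helper are assumptions, not something the man
       page specifies; the sample key is the RFC 4226 test key written as it would be passed to -a.

```python
# Added example, not ykpersonalize/libykpers code: RFC 4226 HOTP as a validation server
# computes it for a YubiKey slot programmed with -ooath-hotp.
import hashlib
import hmac
import struct

OATH_IMF_MAX = 1048560  # upper bound the man page documents for -ooath-imf=


def check_oath_imf(value: int) -> int:
    """Enforce the documented -ooath-imf= constraints: 0..1048560 and evenly divisible by 16."""
    if not 0 <= value <= OATH_IMF_MAX or value % 16:
        raise ValueError("oath-imf must be 0..%d and a multiple of 16, got %d"
                         % (OATH_IMF_MAX, value))
    return value


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    if len(key) != 20:
        raise ValueError("OATH-HOTP key must be 160 bits (20 bytes), got %d" % len(key))
    if digits not in (6, 8):
        raise ValueError("the token emits 6 digits, or 8 with oath-hotp8")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_hotp(key: bytes, code: str, next_counter: int,
                window: int = 10, digits: int = 6):
    """Server-side look-ahead verification (hypothetical helper).

    next_counter is the counter value the server expects next (initially the -ooath-imf=
    value).  The token advances its counter on every button press, so up to `window`
    unused presses are tolerated.  Returns the new next_counter on success, or None when
    the code does not match any counter in the window (including a replayed code).
    """
    for c in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test key, written as the 40 hex chars given to -a.
    key = bytes.fromhex("3132333435363738393031323334353637383930")
    start = check_oath_imf(0)
    for c in range(start, start + 3):
        print(c, hotp(key, c), hotp(key, c, 8))
```

       The counter in verify_hotp must be persisted per token and only ever move forward; a code
       at or below the last accepted counter is rejected, which is what stops replay of a
       captured HOTP.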

Challenge-response Mode

       In CHAL-RESP mode, the token will NOT generate any keypresses when the button  is  pressed
       (although   it  is  perfectly  possible  to  have  one  slot  with  a  keypress-generating
       configuration, and the other in challenge-response mode).  Instead, a program  capable  of
       sending USB HID feature reports to the token must be used to send it a challenge, and read
       the response.
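       The following is an added example, not code from the ykpersonalize man page or from
       libykpers/ykchalresp.  It shows what the host side computes and compares for a slot
       programmed with -ochal-resp -ochal-hmac, whose 20-byte HMAC-SHA1 key came from -a, and
       how the hmac-lt64 configuration flag described under "Configuration flags" changes the
       input.  The padding and stripping rules are my reading of the man page's "end of input
       marker (backtracking from end of payload)" sentence and are labelled as assumptions; the
       sample keys and challenges are the RFC 2202 HMAC-SHA1 test vectors, constructed here.

```python
# Added example, not ykpersonalize/libykpers code: host-side expected-response
# computation for an HMAC-SHA1 challenge-response slot, with and without hmac-lt64.
import hashlib
import hmac

PAYLOAD_LEN = 64  # the token always receives a 64-byte challenge payload


def strip_lt64_padding(payload: bytes) -> bytes:
    """Apply the hmac-lt64 rule as read from the man page (assumption): the last byte of
    the payload is the end-of-input marker and, backtracking from the end, every byte
    equal to it is dropped before the HMAC is calculated."""
    marker = payload[-1]
    end = len(payload)
    while end > 0 and payload[end - 1] == marker:
        end -= 1
    return payload[:end]


def pad_challenge(challenge: bytes) -> bytes:
    """Build the 64-byte payload for a short challenge on an hmac-lt64 slot.

    Pads with a byte that differs from the challenge's final byte, so that backtracking
    removes only the padding.  At least one marker byte is needed, so 63 bytes is the
    longest challenge this mode can carry (assumption following from the marker rule)."""
    if not 1 <= len(challenge) < PAYLOAD_LEN:
        raise ValueError("hmac-lt64 challenge must be 1..63 bytes, got %d" % len(challenge))
    pad = 0x00 if challenge[-1] != 0x00 else 0xFF
    return challenge + bytes([pad]) * (PAYLOAD_LEN - len(challenge))


def expected_response(key: bytes, payload: bytes, lt64: bool) -> bytes:
    """20-byte HMAC-SHA1 the token is expected to return for this payload."""
    if len(key) != 20:
        raise ValueError("HMAC challenge-response key must be 20 bytes (40 hex chars with -a)")
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
    data = strip_lt64_padding(payload) if lt64 else payload
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_response(key: bytes, payload: bytes, response: bytes, lt64: bool) -> bool:
    """Constant-time comparison of the token's answer against the expected HMAC."""
    return hmac.compare_digest(expected_response(key, payload, lt64), response)


if __name__ == "__main__":
    # Constructed sample: RFC 2202 test case 1 (key = 20 x 0x0b, data = "Hi There").
    key = bytes([0x0b]) * 20
    payload = pad_challenge(b"Hi There")
    print(expected_response(key, payload, lt64=True).hex())
    print(expected_response(key, payload, lt64=False).hex())
```

       A verifier should only ever compare a response it computed itself against what the token
       returned; the key passed with -a must be stored on the host at least as carefully as a
       password hash database, because anyone holding it can answer any challenge.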

Modhex

       Modhex is a way of writing hex digits where the “digits” are chosen for being in the  same
       place on most keyboard layouts.

       To convert from hex to modhex, you can use
              tr "[0123456789abcdef]" "[cbdefghijklnrtuv]"

       To convert the other way, use
              tr "[cbdefghijklnrtuv]" "[0123456789abcdef]"

BUGS

       Report ykpersonalize bugs in the issue tracker
       ⟨https://github.com/Yubico/yubikey-personalization/issues⟩

SEE ALSO

       The ykpersonalize home page ⟨http://code.google.com/p/yubikey-personalization/⟩

       YubiKeys can be obtained from Yubico ⟨http://www.yubico.com/⟩.