ykpersonalize(1)            General Commands Manual           ykpersonalize(1)

NAME

       ykpersonalize - personalize Yubikey OTP tokens

SYNOPSIS

       ykpersonalize  [-1  |  -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption]
       [-v] [-h]

OPTIONS

       Set the AES key, user ID and other settings in a Yubikey.  For the
       complete explanation of the meaning of all parameters, see the
       reference manual: http://yubico.com/files/YubiKey_manual-2.0.pdf

       -1     change the first configuration.  This is the default and is
              normally used for true OTP generation.  In this configuration,
              TKTFLAG_APPEND_CR is set by default.

       -2     change the second configuration.  This is for Yubikey II only
              and is then normally used for static key generation.  In this
              configuration, TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET,
              CFGFLAG_STRONG_PW1, CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE
              are set by default.

       -sfile save configuration to file instead of key.  (if file is -, send
              to stdout)

       -ifile read configuration from file.  (if file is -, read from stdin)

       -axxx  A 32 char hex value (not modhex) of a fixed AES key to use.

       -cxxx  A 12 char hex value (not modhex) to use as access code for
              programming.  NOTE: this does NOT SET the access code, that's
              done with -oaccess=.

       -ooption
              change configuration option.  Possible option arguments are

              salt=ssssssss
                     Salt to be used when deriving key from a password.  If
                     none is given, a unique random one will be generated.

              fixed=fffffffffff
                     The public modhex identity of key, 0-16 characters long.
                     It's possible to give the identity in hex as well, just
                     prepend the value with `h:'.

              uid=uuuuuu
                     The uid part of the generated ticket, in hex.  Must be 12
                     characters long.

              access=fffffffffff
                     New hex access code to set.  Must be 12 characters long.

              [-]ticket-flag
                     Set/clear ticket flag, see the section `Ticket flags'

              [-]configuration-flag
                     Set/clear configuration flag, see the section
                     `Configuration flags'

       -y     always commit without prompting

       -v     Be more verbose

       -h     Help
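
       Added example (not part of ykpersonalize or its manual): a Python
       pre-flight check for a provisioning script that validates the -a, -c,
       uid=, access= and fixed= values described above before building the
       argument list.  The function names and sample values are hypothetical;
       the modhex alphabet `cbdefghijklnrtuv' is the standard Yubico one and
       does not appear on this page.

```python
import re

MODHEX = "cbdefghijklnrtuv"  # modhex digit at index i stands for hex digit i
HEX = "0123456789abcdef"
MAX_FIXED_CHARS = 16         # "0-16 characters long", as stated on this page


def check_hex(name, value, length):
    """Return value lower-cased if it is exactly `length` hex characters."""
    if len(value) != length or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError(f"{name}: need exactly {length} hex characters")
    return value.lower()


def hex_to_modhex(digits):
    return digits.lower().translate(str.maketrans(HEX, MODHEX))


def normalize_fixed(value):
    """Return the fixed= identity as modhex; accepts modhex or `h:`-prefixed hex."""
    if value.startswith("h:"):
        if not re.fullmatch(r"[0-9a-fA-F]*", value[2:]):
            raise ValueError("fixed: non-hex character after h:")
        value = hex_to_modhex(value[2:])
    elif any(ch not in MODHEX for ch in value):
        raise ValueError("fixed: not modhex (prefix hex values with h:)")
    if len(value) > MAX_FIXED_CHARS:
        raise ValueError("fixed: longer than 16 characters")
    return value


def build_args(slot, aes_key, uid, fixed, current_access=None, new_access=None):
    """Build the ykpersonalize argument list from validated values (hypothetical helper)."""
    if slot not in (1, 2):
        raise ValueError("slot must be 1 or 2")
    # -a and uid= are hex, never modhex: "cccc" is 0xcccc as hex but 0x0000 as modhex.
    args = ["ykpersonalize", f"-{slot}", "-a" + check_hex("-a", aes_key, 32),
            "-ouid=" + check_hex("uid", uid, 12), "-ofixed=" + normalize_fixed(fixed)]
    if current_access is not None:   # -c only presents the current access code
        args.append("-c" + check_hex("-c", current_access, 12))
    if new_access is not None:       # -oaccess= is what sets a new one
        args.append("-oaccess=" + check_hex("access", new_access, 12))
    return args
```

       The AES key appears in the returned argument list, so it is visible in
       the process list of the host that runs the command.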

Ticket flags

       [-]tab-first
              Send a tab character as the first character.  This is usually
              used to move to the next input field.

       [-]append-tab1
              Send a tab character between the fixed part and the one-time
              password part.  This is useful if you have the fixed portion
              equal to the user name and two input fields that you navigate
              between using tab.

       [-]append-tab2
              Send a tab character as the last character.

       [-]append-delay1
              Add a half-second delay before sending the one-time password
              part.

       [-]append-delay2
              Add a half-second delay after sending the one-time password
              part.

       [-]append-cr
              Send a carriage return after sending the one-time password part.

       Yubikey 2.0 firmware and above

       [-]protect-cfg2
              When written to configuration 1, block later updates to
              configuration 2.  When written to configuration 2, prevent
              configuration 1 from having the lock bit set.

       Yubikey 2.1 firmware and above

       [-]oath-hotp
              Set OATH-HOTP mode rather than Yubikey mode.  In this mode, the
              token functions according to the OATH-HOTP standard.

Configuration flags

       [-]send-ref
              Send a reference string of all 16 modhex characters before the
              fixed part.  This cannot be combined with the strong-pw2 flag.

       [-]pacing-10ms
              Add a 10ms delay between key presses.

       [-]pacing-20ms
              Add a 20ms delay between key presses.

       [-]static-ticket
              Output a fixed string rather than a one-time password.  The
              password is still based on the AES key and should be hard to
              guess and impossible to remember.

       Yubikey 1.x firmware only

       [-]ticket-first
              Send the one-time password rather than the fixed part first.

       [-]allow-hidtrig
              Allow trigger through HID/keyboard by pressing caps-, num- or
              scroll-lock twice.  Not recommended for security reasons.

       Yubikey 2.0 firmware and above

       [-]short-ticket
              Limit the length of the static string to max 16 digits.  This
              flag only makes sense with the -ostatic-ticket option.

       [-]strong-pw1
              Upper-case the first two letters of the output string.  This is
              for compatibility with legacy systems that enforce both
              uppercase and lowercase characters in a password and does not
              add any security.

       [-]strong-pw2
              Replace the first eight characters of the modhex alphabet with
              the numbers 0 to 7.  Like strong-pw1, this is intended to
              support legacy systems.

       [-]man-update
              Enable user-initiated update of the static password.  Only makes
              sense with the -ostatic-ticket option.

       Yubikey 2.1 firmware and above

       [-]oath-hotp8
              When set, generate an 8-digit HOTP rather than a 6-digit one.

       [-]oath-fixed-modhex1
              When set, the first byte of the fixed part is sent as modhex.

       [-]oath-fixed-modhex2
              When set, the first two bytes of the fixed part are sent as
              modhex.

       [-]oath-fixed-modhex
              When set, the fixed part is sent as modhex.

OATH-HOTP Mode

       When using OATH-HOTP mode, the key that is shared with the server
       consists of the AES key plus the first four bytes (eight hex characters)
       of the UID.  The token identifier is defined by the fixed prefix.
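
       Added example (not from the ykpersonalize sources): a server-side HOTP
       check in Python that assembles the shared key as described above,
       taking the sentence to mean the 16-byte AES key followed by the first
       four UID bytes.  Function names are hypothetical, and the sample key is
       constructed from the RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226 Appendix D secret "12345678901234567890"
# split the way the page describes (16-byte AES key, then four UID bytes).
SAMPLE_AES_KEY = "31323334353637383930313233343536"  # value given to -a
SAMPLE_UID = "373839300000"                          # value given to -ouid=


def oath_secret(aes_key_hex, uid_hex):
    """Return the 20-byte HOTP key: AES key followed by the first 4 UID bytes."""
    key, uid = bytes.fromhex(aes_key_hex), bytes.fromhex(uid_hex)
    if len(aes_key_hex) != 32 or len(key) != 16:
        raise ValueError("AES key must be 32 hex characters")
    if len(uid_hex) != 12 or len(uid) != 6:
        raise ValueError("uid must be 12 hex characters")
    return key + uid[:4]


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; digits=8 corresponds to the oath-hotp8 flag."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, otp, last_counter, digits=6, window=3):
    """Return the counter that produced otp, or None.

    Only counters above last_counter are tried, so a replayed code fails; the
    caller must store the returned counter as the new last_counter.
    """
    for counter in range(last_counter + 1, last_counter + 1 + window):
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected.encode(), otp.encode()):
            return counter
    return None
```

       Since the fixed prefix identifies the token, a server would use it to
       look up the secret and last counter before calling verify().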

BUGS

       Report ykpersonalize bugs in the issue tracker
       ⟨http://code.google.com/p/yubikey-personalization/issues/list⟩

SEE ALSO

       The ykpersonalize home page
       ⟨http://code.google.com/p/yubikey-personalization/⟩
       Yubikeys can be obtained from Yubico
       ⟨http://www.yubico.com/products/yubikey/⟩.

yubikey-personalization           August 2009                 ykpersonalize(1)