1YKNEOMGR(1) User Commands YKNEOMGR(1)
2
3
4
6 ykneomgr - YubiKey NEO management tool
7
9 ykneomgr [OPTIONS]...
10
12 ykneomgr 0.1.8
13
14 YubiKey NEO management tool.
15
16 -h, --help
17 Print help and exit
18
19 -V, --version
20 Print version and exit
21
22 -m, --get-mode
23 Output mode of YubiKey NEO (default=off)
24
25 -w, --get-version
26 Output firmware version for YubiKey NEO (default=off)
27
28 -s, --get-serialno
29 Output serial number (default=off)
30
31 -l, --list-readers
32 List all connected PCSC devices (default=off)
33
34 -a, --applet-list
35 List applets on device (default=off)
36
37 -D, --applet-delete=STRING
38 Delete given applet AID from device
39
40 -i, --applet-install=FILE
41 Install applets on device from CAP file
42
43 -M, --set-mode=STRING
44 Set the USB operation mode of the YubiKey NEO. The possible
45 MODE arguments are: 0 for HID device only, 1 for CCID device
46 only, 81 for CCID device with touch eject, 2 for HID/CCID com‐
47 posite device, 3 for U2F device only, 4 for OTP/U2F composite
48 device, 5 for U2F/CCID composite device, 6 for OTP/U2F/CCID com‐
49 posite device.
50
51 -S, --send-apdu=STRING
52 Send an arbitrary APDU to the device
53
54 -r, --reader=STRING
55 Use only a matching card reader
56
57 -d, --debug
58 Print debug information to standard error (default=off)
59
61 Debug messages are printed if you pass the --debug parameter, which can
62 be useful for debugging or deeper analysis.
63
64 The error "No device found" can be because a number of reasons. The
65 simplest, of course, is that the device really is not connected to the
66 machine (USB or NFC). Another reason may be that it is in a mode where
67 "ykneomgr" cannot talk to it. This can happen if the device is in OTP‐
68 only mode (mode 0), where you must use the "ykpersonalize" tool to mode
69 switch it from the OTP‐only mode. It can also happen if the device is
70 in a MODE_FLAG_EJECT mode (i.e., 81 or 82). If that is the case, you
71 must touch the button in order to "insert" the virtual smartcard before
72 you can invoke "ykneomgr".
73
75 To display the firmware version of a connected YubiKey NEO you use the
76 --get-version or -w parameter. Typical output would be the string
77 "3.0.4".
78
79 ykneomgr --get-version
80
81 To display the serial number you would use the --get-serialno or -s
82 parameter.
83
84 ykneomgr --get-serialno
85
86 To display the device mode you use the --get-mode or -m parameter.
87
88 ykneomgr --get-mode
89
90 The possible modes are 0 for HID device only, 1 for CCID device only, 2
91 for HID/CCID composite device. For the CCID modes (i.e., 1 and 2), you
92 can add 80 to enable MODE_FLAG_EJECT which means that touching the
93 YubiKey button will trigger eject/insert of the smartcard. That is, 81
94 means CCID device only with touch eject/insert, and 82 means HID/CCID
95 composite device with touch eject/insert.
96
97 To mode switch the NEO into OTP‐only mode, you use the --set-mode or -M
98 parameter with mode 0. Note that you have to eject the YubiKey NEO and
99 re‐insert it before it changes mode.
100
101 ykneomgr --set-mode 0
102
103 To mode switch the NEO into CCID‐only mode, you use the --set-mode or
104 -M parameter with mode 1. Note that you have to eject the YubiKey NEO
105 and re‐insert it before it changes mode.
106
107 ykneomgr --set-mode 1
108
109 To mode switch the NEO into hybrid OTP/CCID composite mode, you use the
110 --set-mode or -M parameter with mode 2. Note that you have to eject
111 the YubiKey NEO and re‐insert it before it changes mode.
112
113 ykneomgr --set-mode 2
114
115 To mode switch the NEO into CCID‐only mode, with the touch button act‐
116 ing as eject/insert of the card, you use the --set-mode or -M parameter
117 with mode 81. Note that you have to eject the YubiKey NEO and re‐
118 insert it before it changes mode.
119
120 ykneomgr --set-mode 81
121
122 To mode switch the NEO into hybrid OTP/CCID composite mode, with the
123 touch button acting as eject/insert of the card, you use the --set-mode
124 or -M parameter with mode 82. Note that you have to eject the YubiKey
125 NEO and re‐insert it before it changes mode.
126
127 ykneomgr --set-mode 82
128
129 To list the connected readers you use the --list-readers or -l parame‐
130 ter.
131
132 ykneomgr --list-readers
133
134 To list the available applets on the device you use the --applet-list
135 or -a parameter. The output is a list of AIDs identifying applets.
136 For example, d27600012401 means the OpenPGP applet.
137
138 ykneomgr --applet-list
139
140 To delete an applet you use the --applet-delete or -D parameter, giving
141 it the applet AID as an parameter. Note that deleting an applet may
142 take a second or two to complete. Warning! Deleting an applet will
143 destroy all storage associated with that applet, including any private
144 keys or other credentials.
145
146 ykneomgr --applet-delete d27600012401
147
148 To install a CAP file as an applet you use the --applet-install or -i
149 parameter, giving it the filename of the CAP file applet as a parame‐
150 ter. Note that loading can take several seconds, for typical CAP file
151 sizes it takes around 5 seconds.
152
153 ykneomgr --applet-install path/to/applet.cap
154
155 To work with multiple card readers use the --reader or -r parameter,
156 giving it a substring of the card reader name to use. Consider a sys‐
157 tem which has three card readers, one YubiKey NEO in CCID mode, one
158 YubiKey NEO in OTP+CCID mode, and one Gemalto GemPC Express reader.
159 Running ykneomgr -l results in the following output:
160
161 0: Gemalto GemPC Express 00 00
162 1: Yubico Yubikey NEO CCID 01 00
163 2: Yubico Yubikey NEO OTP+CCID 02 00
164
165 To use the second NEO, you could use -r OTP+CCID as follows:
166
167 ykneomgr --reader OTP+CCID --applet-list
168
169 To use the first NEO, you could match on the trailing digits which is
170 the device number. For example:
171
172 ykneomgr --reader 01 --applet-list
173
175 Report bugs at <yubico-devel@googlegroups.com>.
176
177
178
179ykneomgr 0.1.8 February 2019 YKNEOMGR(1)