ykpersonalize

Langue: en

Autres versions - même langue

Version: August 2009 (fedora - 01/12/10)

Section: 1 (Commandes utilisateur)

NAME

ykpersonalize - personalize Yubikey OTP tokens

SYNOPSIS

ykpersonalize [-1 | -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption] [-v] [-h]

OPTIONS

Set the AES key, user ID and other settings in a Yubikey. For the complete explanation of the meaning of all parameters, see the reference manual: http://yubico.com/files/YubiKey_manual-2.0.pdf

-1
change the first configuration. This is the default and is normally used for true OTP generation. In this configuration, TKTFLAG_APPEND_CR is set by default.
-2
change the second configuration. This is for Yubikey II only and is then normally used for static key generation. In this configuration, TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET, CFGFLAG_STRONG_PW1, CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE are set by default.
-sfile
save configuration to file instead of key. (if file is -, send to stdout)
-ifile
read configuration from file. (if file is -, read from stdin)
-axxx
A 32 char hex value (not modhex) of a fixed AES key to use.
-cxxx
A 12 char hex value (not modhex) to use as access code for programming. NOTE: this does NOT SET the access code, that's done with -oaccess=.
-ooption
change configuration option. Possible option arguments are
salt=ssssssss
Salt to be used for key generation. If none is given, a unique random one will be generated.
fixed=fffffffffff
The public modhex identity of key, 0-16 characters long. It's possible to give the identity in hex as well, just prepend the value with `h:'.
uid=uuuuuu
The uid part of the generated ticket, in hex. Must be 12 characters long.
access=fffffffffff
New hex access code to set. Must be 12 characters long.
[-]ticket-flag
Set/clear ticket flag, see the section `Ticket flags'
[-]configuration-flag
Set/clear ticket flag, see the section `Configuration flags'
-y
always commit without prompting
-v
Be more verbose
-h
Help

Ticket flags

[-]tab-first
Send a tab character as the first character. This is usually used to move to the next input field.
[-]append-tab1
Send a tab character between the fixed part and the one-time password part. This is useful if you have the fixed portion equal to the user name and two input fields that you navigate between using tab.
[-]append-tab2
Send a tab character as the last character.
[-]append-delay1
Add a half-second delay before sending the one-time password part.
[-]append-delay2
Add a half-second delay after sending the one-time password part.
[-]append-cr
Send a carriage return after sending the one-time password part.
Yubikey 2.0 firmware and above
[-]protect-cfg2
When written to configuration 1, block later updates to configuration 2. When written to configuration 2, prevent configuration 1 from having the lock bit set.
Yubikey 2.1 firmware and above
[-]oath-hotp
Set OATH-HOTP mode rather than Yubikey mode. In this mode, the token functions according to the OATH-HOTP standard.

Configuration flags

[-]send-ref Send a reference string of all 16 modhex characters before the fixed part. This can not be combined with the strong-pw2 flag.
[-]pacing-10ms
Add a 10ms delay between key presses.
[-]pacing-20ms
Add a 20ms delay between key presses.
[-]static-ticket
Output a fixed string rather than a one-time password. The password is still based on the AES key and should be hard to guess and impossible to remember.
Yubikey 1.x firmware only
[-]ticket-first
Send the one-time password rather than the fixed part first.
[-]allow-hidtrig
Allow trigger through HID/keyboard by pressing caps-, num or scroll-lock twice. Not recommended for security reasons.
Yubikey 2.0 firmware and above
[-]short-ticket
Limit the length of the static string to max 16 digits. This flag only makes sense with the -ostatic-ticket option.
[-]strong-pw1
Upper-case the two first letters of the output string. This is for compatibility with legacy systems that enforce both uppercase and lowercase characters in a password and does not add any security.
[-]strong-pw2
Replace the first eight characters of the modhex alphabet with the numbers 0 to 7. Like strong-pw1, this is intended to support legacy systems.
[-]man-update
Enable user-initiated update of the static password. Only makes sense with the -ostatic-ticket option.
Yubikey 2.1 firmware and above
[-]oath-hotp8
When set, generate an 8-digit HOTP rather than a 6-digit one.
[-]oath-fixed-modhex1
When set, the first byte of the fixed part is sent as modhex.
[-]oath-fixed-modhex2
When set, the first two bytes of the fixed part is sent as modhex.
[-]oath-fixed-modhex
When set, the fixed part is sent as modhex.

OATH-HOTP Mode

When using OATH-HOTP mode, the key that is shared with the server consists of the AES key plus the first four bytes (eight hex characters) of the UID. The token identifier is defined by the fixed prefix.

BUGS

Report ykpersonalize bugs in http://code.google.com/p/yubikey-personalization/issues/list laURL: L rathe issue tracker

SEE ALSO

The http://code.google.com/p/yubikey-personalization/ laURL: L raykpersonalize home page
Yubikeys can be obtained from http://www.yubico.com/products/yubikey/ laURL: L raYubico