OATH Commands

Acronyms and their definitions are listed at the bottom of the Base ykman Command page.

ykman oath [OPTIONS] COMMAND [ARGS]…

Manage OATH application.

Examples

Generate codes for accounts starting with yubi:
```
$ ykman oath accounts code yubi
```
Add an account that requires touch, the secret key f5up4ub3dw, and the name yubico:
```
$ ykman oath accounts add yubico f5up4ub3dw --touch
```
Set a password for the OATH application:
```
$ ykman oath access change-password
```

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`access`	Manage password protection for OATH.
`accounts`	Manage and use OATH accounts.
`info`	Display general status of OATH application.
`reset`	Reset all OATH data.

ykman oath access [OPTIONS] COMMAND [ARGS]…

Manage password protection for OATH.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`change`	Change the password used to protect OATH accounts.
`forget`	Remove a stored password from this computer.
`remember`	Store YubiKeys passwords on this computer to avoid having to enter it on each use.

ykman oath access change [OPTIONS]

Change the password used to protect OATH accounts. Allows you to set or change a password that is required to access the OATH accounts stored on the YubiKey.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-c, --clear`	Clear the current password.
`-n, --new-password TEXT`	Provide a new password as an argument.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.

ykman oath access forget [OPTIONS]

Remove a stored password from this computer.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-a, --all`	Remove all stored passwords.

ykman oath access remember [OPTIONS]

Store the YubiKey password on this computer to avoid entering it on each use.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.

ykman oath accounts [OPTIONS] COMMAND [ARGS]…

Manage and use OATH accounts.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`add`	Add a new account.
`code`	Generate codes.
`delete`	Delete an account.
`import`	Add new account(s) from a PSKC file. Requires YubiKey 5.9 or later.
`list`	List all accounts.
`rename`	Rename an account. Requires YubiKey 5.3 or later.
`uri`	Add a new account from an `otpauth://` URI.

ykman oath accounts add [OPTIONS] NAME [SECRET]

Add a new OATH account to the YubiKey.

Arguments

Argument	Description
`NAME`	Human readable name for this account, such as username or email address.
`SECRET`	Optional. Base32-encoded secret/key value provided by the server.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-a, --algorithm` `[SHA1\|SHA256\|SHA512]`	Algorithm to use for code generation. Default: SHA1
`-c, --counter INTEGER`	Initial counter value for HOTP accounts.
`-d, --digits [6\|7\|8]`	Number of digits in generated code. Default: 6
`-f, --force`	Confirm the action without prompting.
`-g, --generate`	Generate a random credential key. Cannot be used with SECRET. Requires YubiKey 5.9 or later.
`-i, --issuer TEXT`	Optional. Issuer of the account.
`o, --oath-type [HOTP\|TOTP]`	Time-based (TOTP) or counter-based (HOTP) account. Default: TOTP
`-O, --output FILENAME`	Write the credential to a PSKC file in addition to adding it to the YubiKey. Requires YubiKey 5.9 or later.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-P, --period INTEGER`	Number of seconds a TOTP code is valid. Default: 30
`--pskc-key TEXT`	Encrypt the PSKC file with a pre-shared key (hex). Requires YubiKey 5.9 or later.
`--pskc-passphrase TEXT`	Encrypt the PSKC file with a passphrase. Requires YubiKey 5.9 or later.
`-r, --remember`	Remember the password on this machine.
`-t, --touch`	Require touch on YubiKey to generate code.

ykman oath accounts code [OPTIONS] [QUERY]

Generate codes from OATH accounts stored on the YubiKey. Accounts of type HOTP or those that require touch, also require a single match to be triggered.

Arguments

Argument	Description
`QUERY`	Provide a query string to match one or more specific accounts.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-H, --show-hidden`	Include hidden accounts.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.
`-s, --single`	Ensure only a single match, and output only the code.

ykman oath accounts delete [OPTIONS] QUERY

Delete an account from the YubiKey.

Arguments

Argument	Description
`QUERY`	Provide a query string to match a single account, as shown in ykman oath accounts list.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm deletion without prompting
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.

ykman oath accounts import [OPTIONS] FILE

Add new account(s) from a PSKC file. This requires YubiKey 5.9 or later.

Reads credentials from a PSKC file, adding them to the YubiKey. The file can contain multiple credentials, and you will be prompted to confirm each one before it is added, unless –force is used, in which case all valid credentials will be added without prompting, overwriting any existing accounts with the same name.

Arguments

Argument	Description
`FILE`	PSKC file to import.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.
`-t, --touch`	Require touch on YubiKey to generate code.

ykman oath accounts list [OPTIONS]

List all accounts stored on the YubiKey.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-H, --show-hidden`	Include hidden accounts.
`-o, --oath-type`	Display the OATH type.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-P, --period`	Display the period.
`-r, --remember`	Remember the password on this machine.

ykman oath accounts rename [OPTIONS] QUERY NAME

Rename an account. Requires YubiKey 5.3 or later.

Arguments

Argument	Description
`QUERY`	A query to match a single account, as shown in ykman oath accounts list.
`NAME`	The name of the account. Use format `<issuer>:<name>` to specify the issuer.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm rename without prompting.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.

ykman oath accounts uri [OPTIONS] URI

Add a new account from an otpauth:// URI. Use a URI to add a new account to the YubiKey.

Arguments

Argument	Description
`URI`	Specify URI path for account.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting.
`-p, --password TEXT`	Provide a password to unlock the YubiKey.
`-r, --remember`	Remember the password on this machine.
`-t, --touch`	Require touch on YubiKey to generate code.

ykman oath info [OPTIONS]

Display status of OATH application.

Options

Option	Description
`-h, --help`	Show this message and exit.

ykman oath reset [OPTIONS]

Reset all OATH data. This action deletes all accounts and restores factory settings for the OATH application on the YubiKey.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting.