.. OTP_Commands.rst

.. _opt-commands-label:

==================
OTP Commands
==================

Acronyms and their definitions are listed at the bottom of the :ref:`base-commands-label` page.

ykman otp [OPTIONS] COMMAND [ARGS]...
======================================

Manage OTP application.

The YubiKey provides two keyboard-based slots that can each be configured with a credential. Several credential types are supported.

A slot configuration can be write-protected with an access code. This prevents the configuration from being overwritten without the access code provided.

.. Note:: Mode-switching the YubiKey is not possible when a slot is configured with an access code.

Examples
--------

**Swap the configurations** between the two slots:

.. code-block::

   $ ykman otp swap

Program a **random challenge-response** credential to slot 2:

.. code-block::

   $ ykman otp chalresp --generate 2

Program a Yubico **OTP credential** to slot 1, using the serial as public id:

.. code-block::

   $ ykman otp yubiotp 1 --serial-public-id

Program a random 38 character long **static password** to slot 2:

.. code-block::

   $ ykman otp static --generate 2 --length 38

Options
-------

.. table::

   +-----------------------+---------------------------------------------------+
   | Option                | Description                                       |
   +=======================+===================================================+
   | ``-h, --help``        | Show this message and exit.                       |
   +-----------------------+---------------------------------------------------+
   | ``--access-code HEX`` || A 6-byte access code. Set to empty to use a      |
   |                       || prompt for input.                                |
   +-----------------------+---------------------------------------------------+

Commands
--------

.. table::

   +---------------+-----------------------------------------------------------+
   | Command       | Description                                               |
   +===============+===========================================================+
   | ``calculate`` | Perform a challenge-response operation.                   |
   +---------------+-----------------------------------------------------------+
   | ``chalresp``  | Program a challenge-response credential.                  |
   +---------------+-----------------------------------------------------------+
   | ``delete``    | Deletes the configuration stored in a slot.               |
   +---------------+-----------------------------------------------------------+
   | ``hotp``      | Program an HMAC-SHA1 OATH-HOTP credential.                |
   +---------------+-----------------------------------------------------------+
   | ``info``      | Display general status of the YubiKey OTP slots.          |
   +---------------+-----------------------------------------------------------+
   | ``ndef``      | Configure a slot to be used over NDEF (NFC).              |
   +---------------+-----------------------------------------------------------+
   | ``settings``  | Update the settings for a slot.                           |
   +---------------+-----------------------------------------------------------+
   | ``static``    | Configure a static password.                              |
   +---------------+-----------------------------------------------------------+
   | ``swap``      | Swaps the two slot configurations.                        |
   +---------------+-----------------------------------------------------------+
   | ``yubiotp``   | Program a Yubico OTP credential.                          |
   +---------------+-----------------------------------------------------------+

ykman otp calculate [OPTIONS] {1|2} [CHALLENGE]
================================================

Perform a challenge-response operation.

Send a challenge (in hex) to a YubiKey slot with a challenge-response credential, and read the response. Supports output as an OATH-TOTP code.

Arguments
----------

.. table::

   +----------------+----------------------------------------------------------+
   | Argument       | Description                                              |
   +================+==========================================================+
   | ``CHALLENGE``  ||                                                         |
   +----------------+----------------------------------------------------------+

Options
-------

.. table::

   +-----------------------+---------------------------------------------------+
   | Option                | Description                                       |
   +=======================+===================================================+
   | ``-h, --help``        | Show this message and exit.                       |
   +-----------------------+---------------------------------------------------+
   | ``-d, --digits [6|8]``|| Number of digits in generated TOTP code.         |
   |                       || [Default: ``6``]                                 |
   +-----------------------+---------------------------------------------------+
   | ``-T, --totp``        || Generate a TOTP code, use the current time if    |
   |                       || challenge is omitted.                            |
   +-----------------------+---------------------------------------------------+

ykman otp chalresp [OPTIONS] {1|2} [KEY]
==========================================

Program a challenge-response credential.

Arguments
----------

.. table::

   +-----------+---------------------------------------------------------------+
   | Argument  | Description                                                   |
   +===========+===============================================================+
   | ``KEY``   || If ``KEY`` is not specified, an interactive prompt asks      |
   |           || for it.                                                      |
   +-----------+---------------------------------------------------------------+

Options
-------

.. table::

   +--------------------+------------------------------------------------------+
   | Option             | Description                                          |
   +====================+======================================================+
   | ``-h, --help``     | Show this message and exit.                          |
   +--------------------+------------------------------------------------------+
   | ``-f, --force``    | Confirm the action without prompting.                |
   +--------------------+------------------------------------------------------+
   | ``-g, --generate`` || Generate a random secret key. Conflicts with ``KEY``|
   |                    || argument.                                           |
   +--------------------+------------------------------------------------------+
   | ``-t, --touch``    || Require touch on the YubiKey to generate a response.|
   +--------------------+------------------------------------------------------+
   | ``-T, --totp``     | Use a base32-encoded key for TOTP credentials.       |
   +--------------------+------------------------------------------------------+

ykman otp delete [OPTIONS] {1|2}
=================================

Deletes the configuration in the specified slot.

Options
-------

.. table::

   +--------------------+------------------------------------------------------+
   | Option             | Description                                          |
   +====================+======================================================+
   | ``-h, --help``     | Show this message and exit.                          |
   +--------------------+------------------------------------------------------+
   | ``-f, --force``    | Confirm the action without prompting.                |
   +--------------------+------------------------------------------------------+

ykman otp hotp [OPTIONS] {1|2} [KEY]
=====================================

Program an HMAC-SHA1 OATH-HOTP credential.

Arguments
----------

.. table::

   +------------+--------------------------------------------------------------+
   | Argument   | Description                                                  |
   +============+==============================================================+
   | ``KEY``    |                                                              |
   +------------+--------------------------------------------------------------+

Options
-------

.. table::

   +---------------------------+-----------------------------------------------+
   | Option                    | Description                                   |
   +===========================+===============================================+
   | ``-h, --help``            | Show this message and exit.                   |
   +---------------------------+-----------------------------------------------+
   | ``-d, --digits [6|8]``    || Number of digits in generated code.          |
   |                           || [Default: ``6``]                             |
   +---------------------------+-----------------------------------------------+
   | ``-c, --counter INTEGER`` | Initial counter value.                        |
   +---------------------------+-----------------------------------------------+
   | ``--no-enter``            || Do not send an **Enter** keystroke after     |
   |                           || outputting the code.                         |
   +---------------------------+-----------------------------------------------+
   | ``-f, --force``           | Confirm the action without prompting.         |
   +---------------------------+-----------------------------------------------+

ykman otp info [OPTIONS]
=========================

Display general status of YubiKey OTP slots.

Options
-------

.. table::

   +---------------------------+-----------------------------------------------+
   | Option                    | Description                                   |
   +===========================+===============================================+
   | ``-h, --help``            | Show this message and exit.                   |
   +---------------------------+-----------------------------------------------+

ykman otp ndef [OPTIONS] {1|2}
===============================

Configure a slot to be used over NDEF (NFC).

The default prefix is used if no prefix is specified: "https://my.yubico.com/yk/#"

Options
-------

.. table::

   +-----------------------+---------------------------------------------------+
   | Option                | Description                                       |
   +=======================+===================================================+
   | ``-h, --help``        | Show this message and exit.                       |
   +-----------------------+---------------------------------------------------+
   | ``-p, --prefix TEXT`` | Added before the NDEF payload. Typically a URI.   |
   +-----------------------+---------------------------------------------------+

ykman otp settings [OPTIONS] {1|2}
===================================

Update the settings for a slot.

Change the settings for a slot without changing the stored secret. All settings not specified are written with default values.

Options
-------

.. table::

   +-------------------------------+-------------------------------------------+
   | Option                        | Description                               |
   +===============================+===========================================+
   | ``-h, --help``                | Show this message and exit.               |
   +-------------------------------+-------------------------------------------+
   | ``-A, --new-access-code HEX`` || Set a new 6-byte access code for         |
   |                               || the slot.                                |
   |                               || Set to empty to use a prompt for input.  |
   +-------------------------------+-------------------------------------------+
   | ``--delete-access-code``      | Remove access code from the slot.         |
   +-------------------------------+-------------------------------------------+
   | ``--enter / --no-enter``      || Should send **Enter** keystroke after    |
   |                               || slot output. [Default: ``True``]         |
   +-------------------------------+-------------------------------------------+
   | ``-f, --force``               | Confirm the action without prompting.     |
   +-------------------------------+-------------------------------------------+
   | ``-p, --pacing [0|20|40|60]`` || Throttle output speed by adding a delay  |
   |                               || (in ms) between characters emitted.      |
   |                               || [Default: ``0``]                         |
   +-------------------------------+-------------------------------------------+
   | ``--use-numeric-keypad``      || Use scancodes for numeric keypad when    |
   |                               || sending digits. Helps with some          |
   |                               || keyboard layouts. [Default: ``False``]   |
   +-------------------------------+-------------------------------------------+

ykman otp static [OPTIONS] {1|2} [PASSWORD]
============================================

Configure a static password.

To avoid problems with different keyboard layouts, the following characters (upper and lower case) are allowed by default: ``c b d e f g h i j k l n r t u v``

Use the ``--keyboard-layout`` option to allow more characters based on preferred keyboard layout.

Arguments
----------

.. table::

   +--------------+------------------------------------------------------------+
   | Argument     | Description                                                |
   +==============+============================================================+
   | ``PASSWORD`` | Specify if required.                                       |
   +--------------+------------------------------------------------------------+

Options
-------

.. table::

   +-------------------------------+-------------------------------------------+
   | Option                        | Description                               |
   +===============================+===========================================+
   | ``-h, --help``                | Show this message and exit.               |
   +-------------------------------+-------------------------------------------+
   | ``-f, --force``               | Confirm the action without prompting.     |
   +-------------------------------+-------------------------------------------+
   | ``-g, --generate``            | Generate a random password.               |
   +-------------------------------+-------------------------------------------+
   || ``-k, --keyboard-layout``    || Keyboard layout to use for the static    |
   || ``[MODHEX|US|UK|DE|FR|``     || password.                                |
   || ``IT|BEPO|NORMAN]``          || [Default: ``KEYBOARD_LAYOUT.MODHEX``]    |
   +-------------------------------+-------------------------------------------+
   | ``-l, --length LENGTH``       || Length of generated password.            |
   |                               || [Default: 38;1<=x<=38]                   |
   +-------------------------------+-------------------------------------------+
   | ``--no-enter``                || Do not send an **Enter** keystroke after |
   |                               || outputting the password.                 |
   +-------------------------------+-------------------------------------------+

ykman otp swap [OPTIONS]
=========================

Swaps the two slot configurations.

Options
-------

.. table::

   +-----------------+---------------------------------------------------------+
   | Option          | Description                                             |
   +=================+=========================================================+
   | ``-h, --help``  | Show this message and exit.                             |
   +-----------------+---------------------------------------------------------+
   | ``-f, --force`` | Confirm the action without prompting.                   |
   +-----------------+---------------------------------------------------------+

ykman otp yubiotp [OPTIONS] {1|2}
==================================

Program a Yubico OTP credential.

Options
-------

.. table::

   +-------------------------------+-------------------------------------------+
   | Option                        | Description                               |
   +===============================+===========================================+
   | ``-h, --help``                | Show this message and exit.               |
   +-------------------------------+-------------------------------------------+
   | ``-f, --force``               | Confirm the action without prompting.     |
   +-------------------------------+-------------------------------------------+
   | ``-k, --key HEX``             | 16-byte secret key.                       |
   +-------------------------------+-------------------------------------------+
   | ``-g, --generate-private-id`` || Generate a random private ID. Conflicts  |
   |                               || with ``--private-id``.                   |
   +-------------------------------+-------------------------------------------+
   | ``-G, --generate-key``        || Generate a random secret key. Conflicts  |
   |                               || with ``--key``.                          |
   +-------------------------------+-------------------------------------------+
   | ``--no-enter``                || Do not send an **Enter** keystroke after |
   |                               || emitting the OTP.                        |
   +-------------------------------+-------------------------------------------+
   | ``-P, --public-id MODHEX``    || Public identifier prefix.                |
   +-------------------------------+-------------------------------------------+
   | ``-p, --private-id HEX``      || 6-byte private identifier.               |
   +-------------------------------+-------------------------------------------+
   | ``-S, --serial-public-id``    || Use YubiKey serial number as public ID.  |
   |                               || Conflicts with ``--public-id``.          |
   +-------------------------------+-------------------------------------------+
   | ``-u, --upload``              || Upload credential to YubiCloud. This     |
   |                               || opens in browser. If you are running as  |
   |                               || an elevated user, the browser may also   |
   |                               || be elevated. Conflicts with ``--force``. |
   +-------------------------------+-------------------------------------------+
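
A host-side check for the code that ``ykman otp calculate --totp`` produces from a slot programmed with ``chalresp --totp``, given as an added example that is not part of the original page or of ykman. It assumes an HMAC-SHA1 challenge-response credential and the RFC 6238 default 30-second time step; ``decode_key``, ``time_challenge``, ``oath_code`` and ``verify`` are hypothetical names, and the sample key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30  # assumed RFC 6238 time step, in seconds


def decode_key(key_b32: str) -> bytes:
    """Decode a base32 key (the form `chalresp --totp` takes); tolerate spaces, case, padding."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def time_challenge(unix_time: int) -> bytes:
    """8-byte big-endian time-step counter, the challenge when CHALLENGE is omitted."""
    return struct.pack(">Q", unix_time // PERIOD)


def oath_code(key: bytes, challenge: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 response, then RFC 4226 dynamic truncation to 6 or 8 digits."""
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    response = hmac.new(key, challenge, hashlib.sha1).digest()
    offset = response[-1] & 0x0F
    value = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code from the current time step or `window` steps either side."""
    if len(code) not in (6, 8) or not (code.isascii() and code.isdigit()):
        return False
    key = decode_key(key_b32)
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * PERIOD
        if t < 0:
            continue
        expected = oath_code(key, time_challenge(t), len(code))
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(expected, code)
    return ok


# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(oath_code(decode_key(SAMPLE_KEY), time_challenge(59), 8))
    print(verify(SAMPLE_KEY, "287082", 89))
```

A wider ``window`` tolerates more clock drift between host and verifier but lengthens the time a captured code stays valid.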