yhsm-generate-keys(1) [debian man page]
yhsm-generate-keys(1) General Commands Manual yhsm-generate-keys(1) NAME
yhsm-generate-keys - Generate AEADs with secrets for YubiKeys using a YubiHSM SYNOPSIS
yhsm-generate-keys --key-handles KEY_HANDLES --start-public-id START_ID [options] DESCRIPTION
With this tool, a YubiHSM can generate random secrets (using it's internal true random number generator), and these secrets protected in AEAD files can be stored on the host computer. The AEADs will be ready to be used by for example yhsm-yubikey-ksm(1) ), as a part of a YubiKey OTP validation service. To program YubiKeys with the generated secrets, it is possible to decrypt the AEADs (knowledge of the AES key used inside the YubiHSM is required) using yhsm-decrypt-aead(1) OPTIONS
-D, --device Device file name (default: /dev/ttyACM0). -v, --verbose Enable verbose operation. --debug Enable debug printout, including all data sent to/from YubiHSM. -O dir Base output directory (default: /var/cache/yubikey-ksm/aeads). -c integer Number of AEADs to generate. --public-id-chars integer Number of chars in generated public ids (default: 12). Changing this might not work well. --key-handles kh [kh ...] Key handles to encrypt the generated secrets with. Examples : "1", "0xabcd". --start-public-id id Public id of the first generated secret, in modhex. EXIT STATUS
0 Secrets generated successfully. 1 Failed to generate secrets. BUGS
Report python-pyhsm/yhsm-generate-keys bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/> SEE ALSO
The python-pyhsm home page <https://github.com/Yubico/python-pyhsm/> YubiHSMs and YubiKeys can be obtained from Yubico <http://www.yubico.com/>. python-pyhsm June 2012 yhsm-generate-keys(1)
Check Out this Related Man Page
ykpamcfg(1) General Commands Manual ykpamcfg(1) NAME
ykpamcfg - Manage user settings for the Yubico PAM module. SYNOPSIS
ykpamcfg [-1 | -2] [-A] [-v] [-h] OPTIONS
-1 use slot 1. This is the default. -2 use slot 2. -A action choose action to perform. See ACTIONS below. -v enable verbose mode. ACTIONS
add_hmac_chalresp The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found in YubiKeys starting with version 2.2 for offline authentica- tion. This action creates the initial state information with the C/R to be issued at the next logon. The utility currently outputs the state information to a file in the current user's home directory (~/.yubico/challenge-123456 for a YubiKey with serial number API readout enabled, and ~/.yubico/challenge for one without). The PAM module supports a system wide directory for these state files (in case the user's home directories are encrypted), but in a system wide directory, the 'challenge' part should be replaced with the username. Example : /var/yubico/challenges/alice-123456. To use the system-wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly. EXAMPLE
First, program a YubiKey for challenge response on Slot 2 : $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible ... Commit? (y/n) [n]: y $ Now, set the current user to require this YubiKey for logon : $ ykpamcfg -2 -v ... Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'. $ Then, configure authentication with PAM for example like this (make a backup first) : /etc/pam.d/common-auth (from Ubuntu 10.10) : auth required pam_unix.so nullok_secure try_first_pass auth [success=1 new_authtok_reqd=ok ignore=ignore default=die] pam_yubico.so mode=challenge-response auth requisite pam_deny.so auth required pam_permit.so auth optional pam_ecryptfs.so unwrap BUGS
Report ykpamcfg bugs in the issue tracker <http://code.google.com/p/yubico-pam/issues/list> SEE ALSO
The yubico-pam home page <http://code.google.com/p/yubico-pam/> YubiKeys can be obtained from Yubico <http://www.yubico.com/>. yubico-pam March 2011 ykpamcfg(1)