ykneomgr (1) Linux Manual Page
ykneomgr – YubiKey NEO management tool
Synopsis
ykneomgr [OPTIONS]...
Description
ykneomgr 0.1.8 YubiKey NEO management tool.
- -h, --help
- Print help and exit
- -V, --version
- Print version and exit
- -m, --get-mode
- Output mode of YubiKey NEO (default=off)
- -w, --get-version
- Output firmware version for YubiKey NEO (default=off)
- -s, --get-serialno
- Output serial number (default=off)
- -l, --list-readers
- List all connected PCSC devices (default=off)
- -a, --applet-list
- List applets on device (default=off)
- -D, --applet-delete=STRING
- Delete given applet AID from device
- -i, --applet-install=FILE
- Install applets on device from CAP file
- -M, --set-mode=STRING
- Set the USB operation mode of the YubiKey NEO. The possible MODE arguments are: 0 for HID device only, 1 for CCID device only, 81 for CCID device with touch eject, 2 for HID/CCID composite device, 3 for U2F device only, 4 for OTP/U2F composite device, 5 for U2F/CCID composite device, 6 for OTP/U2F/CCID composite device.
- -S, --send-apdu=STRING
- Send an arbitrary APDU to the device
- -r, --reader=STRING
- Use only a matching card reader
- -d, --debug
- Print debug information to standard error (default=off)
Examples
To display the firmware version of a connected YubiKey NEO you use the --get-version or -w parameter. Typical output would be the string "3.0.4".
To display the serial number you would use the --get-serialno or -s parameter.
To display the device mode you use the --get-mode or -m parameter.
The possible modes are 0 for HID device only, 1 for CCID device only, 2 for HID/CCID composite device. For the CCID modes (i.e., 1 and 2), you can add 80 to enable MODE_FLAG_EJECT which means that touching the YubiKey button will trigger eject/insert of the smartcard. That is, 81 means CCID device only with touch eject/insert, and 82 means HID/CCID composite device with touch eject/insert.
To mode switch the NEO into OTP-only mode, you use the --set-mode or -M parameter with mode 0. Note that you have to eject the YubiKey NEO and re-insert it before it changes mode.
ykneomgr --set-mode 0
To mode switch the NEO into CCID-only mode, you use the --set-mode or -M parameter with mode 1. Note that you have to eject the YubiKey NEO and re-insert it before it changes mode.
ykneomgr --set-mode 1
To mode switch the NEO into hybrid OTP/CCID composite mode, you use the --set-mode or -M parameter with mode 2. Note that you have to eject the YubiKey NEO and re-insert it before it changes mode.
ykneomgr --set-mode 2
To mode switch the NEO into CCID-only mode, with the touch button acting as eject/insert of the card, you use the --set-mode or -M parameter with mode 81. Note that you have to eject the YubiKey NEO and re-insert it before it changes mode.
ykneomgr --set-mode 81
To mode switch the NEO into hybrid OTP/CCID composite mode, with the touch button acting as eject/insert of the card, you use the --set-mode or -M parameter with mode 82. Note that you have to eject the YubiKey NEO and re-insert it before it changes mode.
ykneomgr --set-mode 82
To list the connected readers you use the --list-readers or -l parameter.
ykneomgr --list-readers
To list the available applets on the device you use the --applet-list or -a parameter. The output is a list of AIDs identifying applets. For example, d27600012401 means the OpenPGP applet.
ykneomgr --applet-list
To delete an applet you use the --applet-delete or -D parameter, giving it the applet AID as a parameter. Note that deleting an applet may take a second or two to complete. Warning! Deleting an applet will destroy all storage associated with that applet, including any private keys or other credentials.
ykneomgr --applet-delete d27600012401
To install a CAP file as an applet you use the --applet-install or -i parameter, giving it the filename of the CAP file applet as a parameter. Note that loading can take several seconds; for typical CAP file sizes it takes around 5 seconds.
ykneomgr --applet-install path/to/applet.cap
To work with multiple card readers use the --reader or -r parameter, giving it a substring of the card reader name to use. Consider a system which has three card readers, one YubiKey NEO in CCID mode, one YubiKey NEO in OTP+CCID mode, and one Gemalto GemPC Express reader. Running ykneomgr -l results in the following output:
0: Gemalto GemPC Express 00 00
1: Yubico Yubikey NEO CCID 01 00
2: Yubico Yubikey NEO OTP+CCID 02 00
To use the second NEO, you could use -r OTP+CCID as follows:
ykneomgr --reader OTP+CCID --applet-list
To use the first NEO, you could match on the trailing digits, which are the device number. For example:
ykneomgr --reader 01 --applet-list
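Because --reader takes a substring, a value such as CCID matches both NEOs in the list above, which matters before a destructive --applet-delete. The following pre-flight check is an added example, not part of ykneomgr or the original manual page; the function names are hypothetical and it assumes the leading "N: " index is not part of the reader name.

```shell
#!/bin/sh
# Sample input: the reader list shown above, embedded so the check runs offline.
READERS='0: Gemalto GemPC Express 00 00
1: Yubico Yubikey NEO CCID 01 00
2: Yubico Yubikey NEO OTP+CCID 02 00'

# Print the reader names that contain the substring.
# grep -F matches a fixed string, so the "+" in OTP+CCID is literal.
# Assumption: the "N: " prefix is list numbering, not part of the name.
matching_readers() {
    printf '%s\n' "$1" | sed 's/^[0-9]*: //' | grep -F -- "$2"
}

# Succeed only when exactly one reader matches the substring.
unique_reader() {
    count=$(matching_readers "$1" "$2" | grep -c . || true)
    [ "$count" -eq 1 ]
}

# Hypothetical wrapper: refuse to delete an applet unless the reader
# substring selects exactly one connected reader.
#   $1 = reader substring, $2 = applet AID
safe_applet_delete() {
    list=$(ykneomgr --list-readers) || return 1
    if ! unique_reader "$list" "$1"; then
        echo "reader substring '$1' does not select exactly one reader:" >&2
        matching_readers "$list" "$1" >&2
        return 1
    fi
    ykneomgr --reader "$1" --applet-delete "$2"
}
```

With the list above, OTP+CCID and 01 each select one reader, while CCID selects two and 00 selects all three.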
Troubleshooting
Debug messages are printed if you pass the --debug parameter, which can be useful for debugging or deeper analysis. The error "No device found" can have a number of causes. The simplest, of course, is that the device really is not connected to the machine (USB or NFC). Another reason may be that it is in a mode where "ykneomgr" cannot talk to it. This can happen if the device is in OTP-only mode (mode 0), where you must use the "ykpersonalize" tool to mode switch it from the OTP-only mode. It can also happen if the device is in a MODE_FLAG_EJECT mode (i.e., 81 or 82). If that is the case, you must touch the button in order to "insert" the virtual smartcard before you can invoke "ykneomgr".
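The mode values listed for --set-mode and the "No device found" cases above can be combined into one lookup. This is an added example, not part of ykneomgr or the original manual page; describe_mode is a hypothetical name, and it assumes the mode string is hexadecimal so that 80 is a single MODE_FLAG_EJECT bit and that modes without a CCID interface are not reachable over PC/SC.

```shell
#!/bin/sh
# Decode a mode string (as given to --set-mode) and say whether ykneomgr
# can be expected to find the device. Prints "<mode>: <advice>".
describe_mode() {
    # Accept one or two hex digits only.
    case $1 in
        [0-9A-Fa-f]|[0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) echo "invalid mode string: $1" >&2; return 1 ;;
    esac
    value=$((0x$1))
    base=$((value & 0x7f))    # interface combination
    eject=$((value & 0x80))   # MODE_FLAG_EJECT (assumed to be bit 0x80)

    case $base in
        0) name="HID only" ccid=no ;;
        1) name="CCID only" ccid=yes ;;
        2) name="HID/CCID composite" ccid=yes ;;
        3) name="U2F only" ccid=no ;;
        4) name="OTP/U2F composite" ccid=no ;;
        5) name="U2F/CCID composite" ccid=yes ;;
        6) name="OTP/U2F/CCID composite" ccid=yes ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac

    # The manual page documents the eject flag for modes 1 and 2 only.
    if [ "$eject" -ne 0 ]; then
        case $base in
            1|2) name="$name, touch eject" ;;
            *) echo "eject flag not documented for mode $base" >&2; return 1 ;;
        esac
    fi

    if [ "$ccid" = no ]; then
        # Inference: ykneomgr works through PC/SC readers, so no CCID, no access.
        echo "$name: no CCID interface, not reachable by ykneomgr"
    elif [ "$eject" -ne 0 ]; then
        echo "$name: touch the button to insert the card first"
    else
        echo "$name: reachable by ykneomgr"
    fi
}
```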
