ykchalresp(1) Perform challenge-response operation with YubiKey


ykchalresp [-1 | -2] [-H] [-Y] [-N] [-x] [-v] [-6] [-8] [-t] [-V] [-h]


Send a challenge to a YubiKey, and read the response. The YubiKey can be configured with two different C/R modes -- the standard one is a 160-bit HMAC-SHA1, and the other is a YubiKey OTP mimicking mode, meaning two subsequent calls with the same challenge will result in different responses.


-1  send the challenge to slot 1. This is the default.
-2  send the challenge to slot 2.
-H  send a 64 byte HMAC challenge. This is the default.
-Y  send a 6 byte Yubico OTP challenge.
-N  non-blocking mode -- abort if the YubiKey is configured to require a key press before sending the response.
-x  challenge is hex encoded.
-v  enable verbose mode.
-6  output the response in OATH format, 6 digits.
-8  output the response in OATH format, 8 digits.
-t  use current time as challenge instead of reading challenge from command line (as in default TOTP mode, seconds since 1970-01-01 00:00:00 / 30 encoded as an 8 byte challenge).
-V  print tool version and exit.


The YubiKey challenge-response operation can be demonstrated using the NIST PUB 198 A.2 test vector.

First, program a YubiKey with the test vector:

$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a 303132333435363738393a3b3c3d3e3f40414243
Commit? (y/n) [n]: y

Now, send the NIST test challenge to the YubiKey and verify the result matches the expected:

$ ykchalresp -2 'Sample #2'
0922d3405faa3d194f82a45830737d5cc6c75d24
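
The host side of the same check can be done in software. The following Python sketch is an added example, not part of the ykchalresp tools: it recomputes the response a slot programmed with a known secret should give, including the OATH and time-based forms. The function names are hypothetical, and it assumes the OATH output uses RFC 4226 dynamic truncation and that the time challenge is big-endian.

```python
import hashlib
import hmac
import struct

# Secret and challenge from the page's example (the NIST test vector).
NIST_KEY = bytes.fromhex("303132333435363738393a3b3c3d3e3f40414243")
NIST_CHALLENGE = b"Sample #2"


def expected_response(key: bytes, challenge: bytes) -> str:
    """Hex HMAC-SHA1 a slot programmed with `key` should return (default output)."""
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def time_challenge(unix_time: float, step: int = 30) -> bytes:
    """Challenge used by -t: seconds since the epoch / 30 as 8 bytes.
    Big-endian byte order is an assumption (it is what TOTP uses)."""
    return struct.pack(">Q", int(unix_time) // step)


def expected_oath(key: bytes, challenge: bytes, digits: int) -> str:
    """Expected -6 / -8 output, assuming RFC 4226 dynamic truncation."""
    if digits not in (6, 8):
        raise ValueError("ykchalresp offers only 6 or 8 digits")
    digest = hmac.new(key, challenge, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def response_matches(expected: str, token_output: str) -> bool:
    """Compare in constant time; tolerate a trailing newline and hex case."""
    got = token_output.strip().lower().encode()
    return hmac.compare_digest(expected.lower().encode(), got)


if __name__ == "__main__":
    # Should print the same value as `ykchalresp -2 'Sample #2'` above.
    print(expected_response(NIST_KEY, NIST_CHALLENGE))
    print(expected_oath(NIST_KEY, NIST_CHALLENGE, 6))
```

A verifier that stores the secret this way should protect it like any other HMAC key, since anyone holding it can compute valid responses without the YubiKey.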


Report ykchalresp bugs in the issue tracker <URL: https://github.com/Yubico/yubikey-personalization/issues >