ykman-config
Configure YubiKey settings and applications
TLDR
Enable an application over USB or NFC (--enable can be given multiple times to specify more applications):
ykman config usb --enable APPLICATION
Disable an application over USB or NFC (--disable can be given multiple times to specify more applications):
ykman config nfc --disable APPLICATION
Disable all applications over NFC:
ykman config nfc --disable-all
SYNOPSIS
ykman config SUBCOMMAND [OPTIONS]...
Subcommands:
ykman config usb [--enable APPLICATION]... [--disable APPLICATION]... [--enable-all] [--list] [--touch-eject | --no-touch-eject] [--autoeject-timeout SECONDS] [--chalresp-timeout SECONDS] [--lock-code HEX] [--force]
ykman config nfc [--enable APPLICATION]... [--disable APPLICATION]... [--enable-all] [--disable-all] [--list] [--lock-code HEX] [--force]
ykman config set-lock-code [--lock-code HEX] [--new-lock-code HEX | --generate | --clear]
ykman config mode MODE
PARAMETERS
usb
Enables or disables applications over the USB interface. --enable and --disable take an APPLICATION name and may be repeated; --enable-all turns everything on; --list prints the applications currently enabled over USB. --touch-eject makes the button toggle the smart card (CCID) between inserted and ejected, --autoeject-timeout SECONDS ejects it automatically after the given idle time, and --chalresp-timeout SECONDS sets how long the OTP application waits for a touch during challenge-response. --lock-code HEX supplies the configuration lock code when one is set; --force skips the confirmation prompt. ykman will not disable every application over USB.
nfc
Enables or disables applications over the NFC interface, with the same --enable, --disable, --enable-all, --list, --lock-code and --force options as usb, plus --disable-all, which is permitted over NFC.
set-lock-code
Sets, changes or clears the 16-byte configuration lock code (given as 32 hexadecimal characters). --new-lock-code HEX sets an explicit code, --generate lets ykman create a random one and print it, --clear removes the code; --lock-code HEX is the current code and is required once one has been set.
mode
Legacy command that selects which USB interfaces (OTP, FIDO, CCID) an older YubiKey exposes, for example OTP+FIDO+CCID. On YubiKey 5 series keys, use usb and nfc instead.
APPLICATION
One of OTP, U2F, FIDO2, OATH, PIV, OPENPGP or HSMAUTH (case-insensitive). Not every model offers every application; ykman info lists what the connected key supports and over which transports each application is currently enabled.
DESCRIPTION
ykman config is the subcommand of ykman (YubiKey Manager) for device-wide configuration of a YubiKey: which applications (OTP, FIDO U2F, FIDO2, OATH, PIV, OpenPGP, YubiHSM Auth) are reachable over USB and over NFC, a few USB interface timers, and the optional configuration lock code. Applications are enabled and disabled independently per transport, so a key can, for example, expose only FIDO2 over NFC while keeping PIV and OpenPGP available over USB. The lock code is a 16-byte secret; once it is set, every subsequent change made with ykman config usb, ykman config nfc or ykman config set-lock-code must supply it with --lock-code, which prevents anyone with physical access to the key from re-enabling an application that policy has turned off. Settings that belong to a single application, such as FIDO2 PINs, PIV PIN retry counts and per-key touch policies, are managed by that application's own subcommand (ykman fido, ykman piv, ykman openpgp, ykman otp), not by ykman config.
CAVEATS
ykman config talks to the connected YubiKey directly; on Linux this normally needs the Yubico udev rules (or root) for USB access, and the pcscd daemon when the key is reached over CCID. Changes are written to the key immediately and persist across reboots and across hosts, and after a USB configuration change the key re-enumerates (it reboots), so expect it to disappear and reappear for a moment. Disabling an application does not erase its data: credentials, keys and certificates stay on the key and become usable again as soon as the application is re-enabled, so disabling is an interface control, not a wipe. If a lock code is set, every usb, nfc and set-lock-code change needs it; keep the code somewhere recoverable, because without it the configuration cannot be changed with ykman config. ykman refuses to disable every application over USB, since that would leave no way to talk to the key; disabling all applications over NFC is allowed.
COMMON CONFIGURATION SETTINGS
The settings managed most often are which applications are enabled over USB and over NFC (for example disabling OTP over USB so the key no longer types a one-time password when touched by accident, or disabling everything over NFC on a key that is only ever used plugged in), whether a lock code protects that configuration, and on the USB side the CCID touch-eject behaviour and the challenge-response touch timeout. Which applications exist at all depends on the model and firmware (ykman info prints the list); YubiHSM Auth and FIDO2, for instance, are not present on every key.
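The allow-list approach described above, as an added example that is not part of ykman or of this page: a small POSIX shell script that derives the ykman config usb and ykman config nfc command lines needed to disable every application outside a policy, validates the application names and lock code before anything is run, and refuses the one combination ykman itself rejects (no applications at all over USB). It assumes the ykman 5.x option names --disable, --disable-all, --lock-code and --force, and a 16-byte lock code; the policy in main (FIDO2 and PIV over USB, nothing over NFC) is constructed for the example.

```shell
#!/bin/sh
# Added example, not ykman's own code: derive the ykman config commands that
# enforce an application allow-list on a YubiKey, one command per transport.
# Assumed: ykman 5.x option names (--disable, --disable-all, --lock-code,
# --force) and a 16-byte (32 hex character) lock code. Commands are printed
# only; set APPLY=1 to run them against the connected key.

ALL_APPS="OTP U2F FIDO2 OATH PIV OPENPGP HSMAUTH"   # application names ykman accepts

# valid_app NAME: succeed when NAME is a known application identifier.
valid_app() {
  for known in $ALL_APPS; do
    [ "$1" = "$known" ] && return 0
  done
  return 1
}

# disable_list "ALLOWED...": print the applications NOT in the allow-list.
disable_list() {
  out=""
  for cand in $ALL_APPS; do
    case " $1 " in
      *" $cand "*) ;;            # allowed, keep it enabled
      *) out="$out $cand" ;;
    esac
  done
  printf '%s' "${out# }"
}

# lockdown_cmds usb|nfc "ALLOWED..." [LOCKCODE]: print the ykman command that
# disables everything outside the allow-list on that transport. Prints nothing
# when nothing needs disabling. An empty allow-list over NFC becomes
# --disable-all; over USB it is an error, because ykman refuses to disable
# every application on the interface used to manage the key.
lockdown_cmds() {
  iface=$1; allowed=$2; lock=${3:-}
  case "$iface" in usb|nfc) ;; *) echo "interface must be usb or nfc" >&2; return 1 ;; esac
  for app in $allowed; do
    valid_app "$app" || { echo "unknown application: $app" >&2; return 1; }
  done
  lockopt=""
  if [ -n "$lock" ]; then
    case "$lock" in *[!0-9a-fA-F]*) echo "lock code must be hex" >&2; return 1 ;; esac
    [ ${#lock} -eq 32 ] || { echo "lock code must be 16 bytes (32 hex chars)" >&2; return 1; }
    lockopt=" --lock-code $lock"
  fi
  if [ -z "$allowed" ]; then
    if [ "$iface" = usb ]; then
      echo "at least one application must stay enabled over USB" >&2; return 1
    fi
    printf 'ykman config nfc --disable-all --force%s\n' "$lockopt"
    return 0
  fi
  flags=""
  for app in $(disable_list "$allowed"); do flags="$flags --disable $app"; done
  [ -n "$flags" ] || return 0
  printf 'ykman config %s%s --force%s\n' "$iface" "$flags" "$lockopt"
}

# Constructed policy: a key used only for FIDO2 and PIV, and only when plugged in.
main() {
  usb_cmd=$(lockdown_cmds usb "FIDO2 PIV" "${LOCK_CODE:-}") || return 1
  nfc_cmd=$(lockdown_cmds nfc "" "${LOCK_CODE:-}") || return 1
  for cmd in "$usb_cmd" "$nfc_cmd"; do
    [ -n "$cmd" ] || continue
    echo "$cmd"
    if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
  done
}

main
```

Run it once without APPLY to review the generated commands, then with LOCK_CODE set (if the key has one) and APPLY=1 to apply them. Setting the lock code itself (ykman config set-lock-code --generate) is deliberately left out of the script so that the generated code is read from the terminal and stored before the configuration is locked.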
IMPACT ON YUBIKEY APPLICATIONS
Disabling an application over a transport makes it unreachable over that transport, while its stored data is kept: with PIV disabled over USB, SSH and smart-card logon through PKCS#11 stop working; with OTP disabled over USB, the key stops acting as a keyboard and challenge-response slots are unavailable; with FIDO2 and U2F disabled, WebAuthn credentials on the key cannot be used until they are re-enabled. Before disabling anything, check which applications are in use and which transport each client relies on (ykman info, or ykman config usb --list and ykman config nfc --list, show what is currently enabled): a browser on a phone typically reaches the key over NFC, while a desktop reaches it over USB.
HISTORY
The ykman utility, including its config subcommand, was developed by Yubico as a comprehensive command-line tool to manage their range of YubiKey devices. It emerged to provide a programmatic interface for YubiKey management, complementing the graphical YubiKey Manager application. The config subcommand specifically addresses the growing complexity of YubiKey models, which now support multiple applications (FIDO2, PIV, OATH, etc.) and require robust tools for device-wide configuration, beyond simple key generation or credential enrollment.
SEE ALSO
ykman(1), gpg(1), ssh-keygen(1)