Yubico releases YubiKey Manager CLI 4.0

March 5, 2021 4 minute read
Person sitting at desk in front of computer screen

Today, we’re excited to share that Yubico has released YubiKey Manager CLI 4.0 (also known as “ykman”). This is a new major release version, and that means substantial changes. For this release, those changes include a few new features for end-users, and several other changes which are mostly relevant for developers.

Changes that may impact users

To be able to add new features, we’ve added a few new subcommands to the tool. In doing so we’ve seen the need to restructure the existing commands in certain places, and have also taken this opportunity to make sure we’re being consistent between different parts of the tool. In a lot of places this has resulted in one additional level of command nesting, but for the most part this doesn’t result in much more typing — though it does make things a lot nicer and tidier!

As an example of this, let’s look at the PIV section of the tool:

In ykman 3, some of the subcommands section are:

generate-key, import-key, generate-certificate, import-certificate, read-object, write-object, and so on.

In ykman 4, we  introduced an additional level of subcommands for keys, certificates, and objects.

Instead of ykman piv import-key you now use ykman piv keys import.

Instead of ykman piv write-object, you now use ykman piv objects import, and so on. 

As you can see, this typically doesn’t add a lot of extra typing, but it does give things more structure and consistency, which is really important as we add new commands.

With these added subcommands, functionality is better grouped together, and you can get relevant help information for a single group of commands by typing

ykman piv certificates –help for example. 

For convenience, we’ve added aliases for the old commands, which will continue to function for some time, though they will print a warning message containing the new command syntax when used.

Notable new features

Some of the notable new features that users will notice are:

More complete near-field communication (NFC) support

We’ve added NFC support to the fido and otp subcommands. This means that all configuration of a YubiKey can be done over NFC, in addition to USB.

To use, run ykman list –readers to list available NFC readers, then invoke a command with ykman –reader “<name of NFC reader>” <command>.

More robust device handling and troubleshooting

The code for locating and connecting to YubiKeys has been completely re-written to rely less on additional code libraries so that more is done within ykman itself. This offers us more fine-grained control to be able to deal with tricky corner-cases, as well as the ability to get more information about what has gone wrong in case of errors.

A new diagnostics command ykman –diagnose has been added to help in troubleshooting. This command will output detailed information about your system, as well as any attached YubiKeys, which can help you pinpoint the source of problems.

Changes for developers

We believe the new additions to the tool are great, but the real “meat” of this update is under the hood.

Dropping support for Python 2 / Fully embracing Python 3

Python 2 was declared end-of-life in January 2020 by the Python Foundation, and we’ve started the process of dropping support for Python 2 throughout our projects as well. This is the first version of ykman to no longer support Python 2, allowing us to clean up the codebase significantly as well as take advantage of some Python 3 features which we’ve had to avoid in the past due to maintaining Python 2 compatibility. These features include things like type annotations, data classes, and more. 

Updated object model for scripting

We’ve also taken cues from our Mobile SDKs for Android and iOS and updated a lot of the core “library” part of the tool to better follow in their structure. This has produced a much more wholly consistent codebase and a more robust platform to not only build ykman on top of, but also to allow for custom development and scripting. This will allow our more developer-savvy users to use ykman in their own Python scripts to do things like scripted configuration of YubiKeys, and so on. We hope to bring you more information about this throughout the year, with tutorials and examples.

Download YubiKey Manager CLI 4.0 here, read the YubiKey Manager (ykman) CLI & GUI Guide, and let us know what you think of these new updates. 

In the coming weeks we will be releasing an updated version of YubiKey Manager GUI which will bundle the new CLI, with easy to use installers for supported platforms.

Issues can be reported on our Github page, and our Support page can help you out with any questions.

Your feedback is important as we continue to improve our software!