<!DOCTYPE html>
<html>
<!-- This is an automatically generated file.  Do not edit.
   Copyright (c) 2018-2022 Yubico AB. All rights reserved.
  
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions are
   met:
  
      1. Redistributions of source code must retain the above copyright
         notice, this list of conditions and the following disclaimer.
      2. Redistributions in binary form must reproduce the above copyright
         notice, this list of conditions and the following disclaimer in
         the documentation and/or other materials provided with the
         distribution.
  
   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
   HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  
   SPDX-License-Identifier: BSD-2-Clause
   -->
<head>
  <meta charset="utf-8"/>
  <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
  <title>FIDO2-TOKEN(1)</title>
</head>
<body>
<table class="head">
  <tr>
    <td class="head-ltitle">FIDO2-TOKEN(1)</td>
    <td class="head-vol">FreeBSD General Commands Manual</td>
    <td class="head-rtitle">FIDO2-TOKEN(1)</td>
  </tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<code class="Nm">fido2-token</code> &#x2014;
<div class="Nd">find and manage a FIDO2 authenticator</div>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-C</code> [<code class="Fl">-d</code>]
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-D</code> [<code class="Fl">-d</code>]
      <code class="Fl">-i</code> <var class="Ar">cred_id</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-D</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-k</code>
      <var class="Ar">key_path</var> <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-D</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-n</code>
      <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
      <var class="Ar">cred_id</var>] <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-D</code> <code class="Fl">-e</code>
      [<code class="Fl">-d</code>] <code class="Fl">-i</code>
      <var class="Ar">template_id</var> <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-D</code> <code class="Fl">-u</code>
      [<code class="Fl">-d</code>] <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-G</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-k</code>
      <var class="Ar">key_path</var> <var class="Ar">blob_path</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-G</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-n</code>
      <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
      <var class="Ar">cred_id</var>] <var class="Ar">blob_path</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-I</code> [<code class="Fl">-cd</code>]
      [<code class="Fl">-k</code> <var class="Ar">rp_id</var>
      <code class="Fl">-i</code> <var class="Ar">cred_id</var>]
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-L</code> [<code class="Fl">-bder</code>]
      [<code class="Fl">-k</code> <var class="Ar">rp_id</var>] [<var class="Ar">device</var>]</td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-R</code> [<code class="Fl">-d</code>]
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> [<code class="Fl">-adefu</code>]
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> [<code class="Fl">-d</code>]
      <code class="Fl">-i</code> <var class="Ar">template_id</var>
      <code class="Fl">-n</code> <var class="Ar">template_name</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> [<code class="Fl">-d</code>]
      <code class="Fl">-l</code> <var class="Ar">pin_length</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-k</code>
      <var class="Ar">key_path</var> <var class="Ar">blob_path</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> <code class="Fl">-b</code>
      [<code class="Fl">-d</code>] <code class="Fl">-n</code>
      <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
      <var class="Ar">cred_id</var>] <var class="Ar">blob_path</var>
      <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> <code class="Fl">-c</code>
      [<code class="Fl">-d</code>] <code class="Fl">-i</code>
      <var class="Ar">cred_id</var> <code class="Fl">-k</code>
      <var class="Ar">user_id</var> <code class="Fl">-n</code>
      <var class="Ar">name</var> <code class="Fl">-p</code>
      <var class="Ar">display_name</var> <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-S</code> <code class="Fl">-m</code>
      <var class="Ar">rp_id</var> <var class="Ar">device</var></td>
  </tr>
</table>
<br/>
<table class="Nm">
  <tr>
    <td><code class="Nm">fido2-token</code></td>
    <td><code class="Fl">-V</code></td>
  </tr>
</table>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<code class="Nm">fido2-token</code> manages a FIDO2 authenticator.
<p class="Pp">The options are as follows:</p>
<dl class="Bl-tag">
  <dt><a class="permalink" href="#C"><code class="Fl" id="C">-C</code></a>
    <var class="Ar">device</var></dt>
  <dd>Changes the PIN of <var class="Ar">device</var>. The user will be prompted
      for the current and new PINs.</dd>
  <dt><a class="permalink" href="#D"><code class="Fl" id="D">-D</code></a>
    <code class="Fl">-i</code> <var class="Ar">id</var>
    <var class="Ar">device</var></dt>
  <dd>Deletes the resident credential specified by <var class="Ar">id</var> from
      <var class="Ar">device</var>, where <var class="Ar">id</var> is the
      credential's base64-encoded id. The user will be prompted for the
    PIN.</dd>
  <dt><a class="permalink" href="#D_2"><code class="Fl" id="D_2">-D</code></a>
    <code class="Fl">-b</code> <code class="Fl">-k</code>
    <var class="Ar">key_path</var> <var class="Ar">device</var></dt>
  <dd>Deletes a &#x201C;largeBlob&#x201D; encrypted with
      <var class="Ar">key_path</var> from <var class="Ar">device</var>, where
      <var class="Ar">key_path</var> holds the blob's base64-encoded 32-byte
      AES-256 GCM encryption key. A PIN or equivalent user-verification gesture
      is required.</dd>
  <dt><a class="permalink" href="#D_3"><code class="Fl" id="D_3">-D</code></a>
    <code class="Fl">-b</code> <code class="Fl">-n</code>
    <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
    <var class="Ar">cred_id</var>] <var class="Ar">device</var></dt>
  <dd>Deletes a &#x201C;largeBlob&#x201D; corresponding to
      <var class="Ar">rp_id</var> from <var class="Ar">device</var>. If
      <var class="Ar">rp_id</var> has multiple credentials enrolled on
      <var class="Ar">device</var>, the credential ID must be specified using
      <code class="Fl">-i</code> <var class="Ar">cred_id</var>, where
      <var class="Ar">cred_id</var> is a base64-encoded blob. A PIN or
      equivalent user-verification gesture is required.</dd>
  <dt><a class="permalink" href="#D_4"><code class="Fl" id="D_4">-D</code></a>
    <code class="Fl">-e</code> <code class="Fl">-i</code>
    <var class="Ar">id</var> <var class="Ar">device</var></dt>
  <dd>Deletes the biometric enrollment specified by <var class="Ar">id</var>
      from <var class="Ar">device</var>, where <var class="Ar">id</var> is the
      enrollment's base64-encoded template id. The user will be prompted for the
      PIN.</dd>
  <dt><a class="permalink" href="#D_5"><code class="Fl" id="D_5">-D</code></a>
    <code class="Fl">-u</code> <var class="Ar">device</var></dt>
  <dd>Disables the CTAP 2.1 &#x201C;user verification always&#x201D; feature on
      <var class="Ar">device</var>.</dd>
  <dt><a class="permalink" href="#G"><code class="Fl" id="G">-G</code></a>
    <code class="Fl">-b</code> <code class="Fl">-k</code>
    <var class="Ar">key_path</var> <var class="Ar">blob_path</var>
    <var class="Ar">device</var></dt>
  <dd>Gets a CTAP 2.1 &#x201C;largeBlob&#x201D; encrypted with
      <var class="Ar">key_path</var> from <var class="Ar">device</var>, where
      <var class="Ar">key_path</var> holds the blob's base64-encoded 32-byte
      AES-256 GCM encryption key. The blob is written to
      <var class="Ar">blob_path</var>. A PIN or equivalent user-verification
      gesture is required.</dd>
  <dt><a class="permalink" href="#G_2"><code class="Fl" id="G_2">-G</code></a>
    <code class="Fl">-b</code> <code class="Fl">-n</code>
    <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
    <var class="Ar">cred_id</var>] <var class="Ar">blob_path</var>
    <var class="Ar">device</var></dt>
  <dd>Gets a CTAP 2.1 &#x201C;largeBlob&#x201D; associated with
      <var class="Ar">rp_id</var> from <var class="Ar">device</var>. If
      <var class="Ar">rp_id</var> has multiple credentials enrolled on
      <var class="Ar">device</var>, the credential ID must be specified using
      <code class="Fl">-i</code> <var class="Ar">cred_id</var>, where
      <var class="Ar">cred_id</var> is a base64-encoded blob. The blob is
      written to <var class="Ar">blob_path</var>. A PIN or equivalent
      user-verification gesture is required.</dd>
  <dt><a class="permalink" href="#I"><code class="Fl" id="I">-I</code></a>
    <var class="Ar">device</var></dt>
  <dd>Retrieves information on <var class="Ar">device</var>.</dd>
  <dt><a class="permalink" href="#I_2"><code class="Fl" id="I_2">-I</code></a>
    <code class="Fl">-c</code> <var class="Ar">device</var></dt>
  <dd>Retrieves resident credential metadata from <var class="Ar">device</var>.
      The user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#I_3"><code class="Fl" id="I_3">-I</code></a>
    <code class="Fl">-k</code> <var class="Ar">rp_id</var>
    <code class="Fl">-i</code> <var class="Ar">cred_id</var>
    <var class="Ar">device</var></dt>
  <dd>Prints the credential id (base64-encoded) and public key (PEM encoded) of
      the resident credential specified by <var class="Ar">rp_id</var> and
      <var class="Ar">cred_id</var>, where <var class="Ar">rp_id</var> is a
      UTF-8 relying party id, and <var class="Ar">cred_id</var> is a
      base64-encoded credential id. The user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#L"><code class="Fl" id="L">-L</code></a></dt>
  <dd>Produces a list of authenticators found by the operating system.</dd>
  <dt><a class="permalink" href="#L_2"><code class="Fl" id="L_2">-L</code></a>
    <code class="Fl">-b</code> <var class="Ar">device</var></dt>
  <dd>Produces a list of CTAP 2.1 &#x201C;largeBlobs&#x201D; on
      <var class="Ar">device</var>. A PIN or equivalent user-verification
      gesture is required.</dd>
  <dt><a class="permalink" href="#L_3"><code class="Fl" id="L_3">-L</code></a>
    <code class="Fl">-e</code> <var class="Ar">device</var></dt>
  <dd>Produces a list of biometric enrollments on <var class="Ar">device</var>.
      The user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#L_4"><code class="Fl" id="L_4">-L</code></a>
    <code class="Fl">-r</code> <var class="Ar">device</var></dt>
  <dd>Produces a list of relying parties with resident credentials on
      <var class="Ar">device</var>. The user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#L_5"><code class="Fl" id="L_5">-L</code></a>
    <code class="Fl">-k</code> <var class="Ar">rp_id</var>
    <var class="Ar">device</var></dt>
  <dd>Produces a list of resident credentials corresponding to relying party
      <var class="Ar">rp_id</var> on <var class="Ar">device</var>. The user will
      be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#R"><code class="Fl" id="R">-R</code></a></dt>
  <dd>Performs a reset on <var class="Ar">device</var>.
      <code class="Nm">fido2-token</code> will NOT prompt for confirmation.</dd>
  <dt><a class="permalink" href="#S"><code class="Fl" id="S">-S</code></a></dt>
  <dd>Sets the PIN of <var class="Ar">device</var>. The user will be prompted
      for the PIN.</dd>
  <dt><a class="permalink" href="#S_2"><code class="Fl" id="S_2">-S</code></a>
    <code class="Fl">-a</code> <var class="Ar">device</var></dt>
  <dd>Enables CTAP 2.1 Enterprise Attestation on
    <var class="Ar">device</var>.</dd>
  <dt><a class="permalink" href="#S_3"><code class="Fl" id="S_3">-S</code></a>
    <code class="Fl">-b</code> <code class="Fl">-k</code>
    <var class="Ar">key_path</var> <var class="Ar">blob_path</var>
    <var class="Ar">device</var></dt>
  <dd>Sets a CTAP 2.1 &#x201C;largeBlob&#x201D; encrypted with
      <var class="Ar">key_path</var> on <var class="Ar">device</var>, where
      <var class="Ar">key_path</var> holds the blob's base64-encoded 32-byte
      AES-256 GCM encryption key. The blob is read from
      <var class="Fa">blob_path</var>. A PIN or equivalent user-verification
      gesture is required.</dd>
  <dt><a class="permalink" href="#S_4"><code class="Fl" id="S_4">-S</code></a>
    <code class="Fl">-b</code> <code class="Fl">-n</code>
    <var class="Ar">rp_id</var> [<code class="Fl">-i</code>
    <var class="Ar">cred_id</var>] <var class="Ar">blob_path</var>
    <var class="Ar">device</var></dt>
  <dd>Sets a CTAP 2.1 &#x201C;largeBlob&#x201D; associated with
      <var class="Ar">rp_id</var> on <var class="Ar">device</var>. The blob is
      read from <var class="Fa">blob_path</var>. If <var class="Ar">rp_id</var>
      has multiple credentials enrolled on <var class="Ar">device</var>, the
      credential ID must be specified using <code class="Fl">-i</code>
      <var class="Ar">cred_id</var>, where <var class="Ar">cred_id</var> is a
      base64-encoded blob. A PIN or equivalent user-verification gesture is
      required.</dd>
  <dt><a class="permalink" href="#S_5"><code class="Fl" id="S_5">-S</code></a>
    <code class="Fl">-c</code> <code class="Fl">-i</code>
    <var class="Ar">cred_id</var> <code class="Fl">-k</code>
    <var class="Ar">user_id</var> <code class="Fl">-n</code>
    <var class="Ar">name</var> <code class="Fl">-p</code>
    <var class="Ar">display_name</var> <var class="Ar">device</var></dt>
  <dd>Sets the <var class="Ar">name</var> and <var class="Ar">display_name</var>
      attributes of the resident credential identified by
      <var class="Ar">cred_id</var> and <var class="Ar">user_id</var>, where
      <var class="Ar">name</var> and <var class="Ar">display_name</var> are
      UTF-8 strings and <var class="Ar">cred_id</var> and
      <var class="Ar">user_id</var> are base64-encoded blobs. A PIN or
      equivalent user-verification gesture is required.</dd>
  <dt><a class="permalink" href="#S_6"><code class="Fl" id="S_6">-S</code></a>
    <code class="Fl">-e</code> <var class="Ar">device</var></dt>
  <dd>Performs a new biometric enrollment on <var class="Ar">device</var>. The
      user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#S_7"><code class="Fl" id="S_7">-S</code></a>
    <code class="Fl">-e</code> <code class="Fl">-i</code>
    <var class="Ar">template_id</var> <code class="Fl">-n</code>
    <var class="Ar">template_name</var> <var class="Ar">device</var></dt>
  <dd>Sets the friendly name of the biometric enrollment specified by
      <var class="Ar">template_id</var> to <var class="Ar">template_name</var>
      on <var class="Ar">device</var>, where <var class="Ar">template_id</var>
      is base64-encoded and <var class="Ar">template_name</var> is a UTF-8
      string. The user will be prompted for the PIN.</dd>
  <dt><a class="permalink" href="#S_8"><code class="Fl" id="S_8">-S</code></a>
    <code class="Fl">-f</code> <var class="Ar">device</var></dt>
  <dd>Forces a PIN change on <var class="Ar">device</var>. The user will be
      prompted for the PIN.</dd>
  <dt><a class="permalink" href="#S_9"><code class="Fl" id="S_9">-S</code></a>
    <code class="Fl">-l</code> <var class="Ar">pin_length</var>
    <var class="Ar">device</var></dt>
  <dd>Sets the minimum PIN length of <var class="Ar">device</var> to
      <var class="Ar">pin_length</var>. The user will be prompted for the
    PIN.</dd>
  <dt><a class="permalink" href="#S_10"><code class="Fl" id="S_10">-S</code></a>
    <code class="Fl">-m</code> <var class="Ar">rp_id</var>
    <var class="Ar">device</var></dt>
  <dd>Sets the list of relying party IDs that are allowed to retrieve the
      minimum PIN length of <var class="Ar">device</var>. Multiple IDs may be
      specified, separated by commas. The user will be prompted for the
    PIN.</dd>
  <dt><a class="permalink" href="#S_11"><code class="Fl" id="S_11">-S</code></a>
    <code class="Fl">-u</code> <var class="Ar">device</var></dt>
  <dd>Enables the CTAP 2.1 &#x201C;user verification always&#x201D; feature on
      <var class="Ar">device</var>.</dd>
  <dt><a class="permalink" href="#V"><code class="Fl" id="V">-V</code></a></dt>
  <dd>Prints version information.</dd>
  <dt><a class="permalink" href="#d"><code class="Fl" id="d">-d</code></a></dt>
  <dd>Causes <code class="Nm">fido2-token</code> to emit debugging output on
      <i class="Em">stderr</i>.</dd>
</dl>
<p class="Pp">If a <i class="Em">tty</i> is available,
    <code class="Nm">fido2-token</code> will use it to prompt for PINs.
    Otherwise, <i class="Em">stdin</i> is used.</p>
<p class="Pp"><code class="Nm">fido2-token</code> exits 0 on success and 1 on
    error.</p>
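<p class="Pp">The following shell helpers are an added example, not part of
    libfido2. They prepare and validate the <var class="Ar">key_path</var> file
    used by the largeBlob options and use the documented exit status to run a
    set/get round trip. The function names, the owner-only permission check,
    and the expectation that <code class="Fl">-G</code> writes the decrypted
    blob are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example, not part of libfido2. Function names are this example's own.

# Write a fresh base64-encoded 32-byte key to $1, readable by the owner only.
new_blob_key() {
    ( umask 077 && head -c 32 /dev/urandom | base64 > "$1" )
}

# Succeed only if $1 is a regular file with no group/other permissions
# whose content is valid base64 decoding to exactly 32 bytes.
check_blob_key() {
    [ -f "$1" ] || { echo "key file not found: $1" >&2; return 1; }
    case $(ls -ld -- "$1") in
        ????------*) ;;
        *) echo "key file is accessible to group or others: $1" >&2; return 1 ;;
    esac
    base64 -d < "$1" > /dev/null 2>&1 ||
        { echo "key file is not valid base64: $1" >&2; return 1; }
    n=$(base64 -d < "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] ||
        { echo "key decodes to $n bytes, expected 32: $1" >&2; return 1; }
}

# Store blob_path on the device, read it back, and compare.
# Assumption: -G writes the decrypted blob, so the two files should match.
# fido2-token asks for the PIN itself and exits 0 on success, 1 on error.
blob_roundtrip() {
    key_path=$1 blob_path=$2 device=$3
    check_blob_key "$key_path" || return 1
    tmpdir=$(mktemp -d) || return 1
    readback=$tmpdir/blob          # fresh path, nothing to overwrite
    rc=0
    { fido2-token -S -b -k "$key_path" "$blob_path" "$device" &&
      fido2-token -G -b -k "$key_path" "$readback" "$device" &&
      cmp -s "$blob_path" "$readback"; } || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: sh blobkey.sh new <key_path>
#        sh blobkey.sh check <key_path>
#        sh blobkey.sh roundtrip <key_path> <blob_path> <device>
case ${1:-} in
    new)       new_blob_key "$2" ;;
    check)     check_blob_key "$2" ;;
    roundtrip) blob_roundtrip "$2" "$3" "$4" ;;
esac
```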
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
  ALSO</a></h1>
<a class="Xr" href="fido2-assert.html">fido2-assert(1)</a>,
  <a class="Xr" href="fido2-cred.html">fido2-cred(1)</a>
</section>
<section class="Sh">
<h1 class="Sh" id="CAVEATS"><a class="permalink" href="#CAVEATS">CAVEATS</a></h1>
The actual user flow to perform a reset is outside the scope of the FIDO2
  specification, and may therefore vary depending on the authenticator. Yubico
  authenticators do not allow a reset more than 5 seconds after power-up, and
  expect the reset to be confirmed by the user through touch within 30 seconds.
<p class="Pp">An authenticator's path may contain spaces.</p>
<p class="Pp">Resident credentials are called &#x201C;discoverable
    credentials&#x201D; in CTAP 2.1.</p>
<p class="Pp">Whether the CTAP 2.1 &#x201C;user verification always&#x201D;
    feature is activated or deactivated after an authenticator reset is
    vendor-specific.</p>
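<p class="Pp">Because <code class="Fl">-R</code> does not prompt for
    confirmation and a device path may contain spaces, a wrapper can check the
    path against the <code class="Fl">-L</code> listing and ask before
    resetting. The script below is an added example, not part of libfido2. Its
    function names, the sample listing, and the assumed
    <code class="Fl">-L</code> line format (path, then
    &#x201C;: vendor=0x&#x201D;) are this example's own.</p>

```shell
#!/bin/sh
# Added example, not part of libfido2: confirm before `fido2-token -R`.

# Constructed sample of `fido2-token -L` output. The line format
# "<path>: vendor=0x..., product=0x... (<name>)" is an assumption here.
SAMPLE_LIST='/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
IOService:/USB/Security Key@14400000: vendor=0x1050, product=0x0120 (Yubico Security Key)'

# Print one device path per line from a listing on stdin. Everything before
# the ": vendor=0x" suffix is the path, so spaces and colons in it survive.
device_paths() {
    sed -n 's/: vendor=0x[0-9A-Fa-f]*, product=0x[0-9A-Fa-f]*.*$//p'
}

# Succeed only if $1 is exactly one of the paths in the listing on stdin.
is_listed() {
    device_paths | grep -Fxq -- "$1"
}

# Ask on stderr and read one line from stdin; only the word RESET confirms.
confirm_reset() {
    printf 'Reset "%s"? Type RESET to continue: ' "$1" >&2
    IFS= read -r answer || return 1
    [ "$answer" = RESET ]
}

guarded_reset() {
    device=$1
    listing=$(fido2-token -L) || return 1
    printf '%s\n' "$listing" | is_listed "$device" || {
        echo "not a listed authenticator: $device" >&2; return 1; }
    confirm_reset "$device" || { echo "aborted" >&2; return 1; }
    # Quote the path: it may contain spaces. Exit status is 0 or 1.
    fido2-token -R "$device" || {
        echo "reset failed; the authenticator may only accept a reset shortly after power-up" >&2
        return 1; }
}

# Usage: sh guarded-reset.sh '<device path>'
if [ $# -eq 1 ]; then
    guarded_reset "$1"
fi
```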
</section>
</div>
<table class="foot">
  <tr>
    <td class="foot-date">April 11, 2022</td>
    <td class="foot-os">Yubico&#x00A0;AB</td>
  </tr>
</table>
</body>
</html>
