See https://blog.neilsabol.site/post/yubikey-personalization-tool-yubico-powershell-command-cli-program-random-static-password-commandline/ . This snippet uses the ykpersonalize command to generate a new static password on the Yubikey, then resets the password of the user running the PowerShell session to the new static password (requires pressin…
# Create an alias for ykpersonalize pointing to the per-user "install" location
Set-Alias ykpersonalize "$env:localappdata\Programs\Yubico\bin\ykpersonalize.exe"
# Provide an opportunity to insert the Yubikey before continuing
Read-Host -Prompt "Ensure Yubikey is inserted then press Enter to continue"
# Add a new line for formatting/tidiness
Write-Host " "
# Generate a random, 32 character hex string (16 bytes) to serve as the AES key that
# ykpersonalize uses to generate the new static password on the Yubikey. The original
# one-liner (based heavily on Forty3's POSH code from
# https://codegolf.stackexchange.com/questions/58442/generate-random-uuid) used Get-Random,
# which is not a cryptographic RNG; key material is drawn from the .NET CSPRNG instead.
$KeyBytes = New-Object byte[] 16
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Rng.GetBytes($KeyBytes)
$Rng.Dispose()
$RandomHex = ($KeyBytes | ForEach-Object { '{0:x2}' -f $_ }) -join ""
# Run ykpersonalize to generate the static password on the Yubikey (in slot 2).
# -y answers the confirmation prompt, so this overwrites whatever is in slot 2 without asking.
ykpersonalize -2 "-a$RandomHex" -ostatic-ticket -oshort-ticket -ostrong-pw1 -ostrong-pw2 -y
# Wait a second, then add a new line for formatting/tidiness
Start-Sleep -Seconds 1
Write-Host " "
# Have the user enter their own password to prepend the Yubikey random, static password (improves
# security: the static part alone is not enough if the key is lost or stolen)
# See https://support.yubico.com/support/solutions/articles/15000006480-understanding-core-static-password-features
Write-Host "Resetting password for $env:username - enter a personal password and, without pressing Enter, long-press the button on your Yubikey to append the generated static password when prompted (twice) ..."
# Determine if the account is a local account or a domain account and run the respective "net user"
# command to reset the password. The account is local when %userdomain% and %computername% match.
# Note: "net user" needs an elevated (Administrator) prompt to change a local account's password.
if ($env:userdomain -eq $env:computername) {
    net user "$env:username" *
} else {
    net user "$env:username" * /domain
}
# Remove the key material from the session. The byte array can be zeroed in place; .NET strings
# are immutable, so the hex string can only be dropped from the session, not scrubbed.
[Array]::Clear($KeyBytes, 0, $KeyBytes.Length)
Remove-Variable -Name KeyBytes, RandomHex, Rng -ErrorAction SilentlyContinue
# Add new lines and output for formatting/tidiness
Write-Host " "
Write-Host "DONE"
Write-Host " "
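A check worth running before ending the session: confirm that the combination of personal prefix plus YubiKey static password actually authenticates, so a mistyped prefix or a missed long-press does not lock the account. The following is an added example, not part of the original gist, using the .NET PrincipalContext API; the function name Test-NewPassword and its parameters are this example's own choices, and it decides local versus domain the same way the gist does (USERDOMAIN equal to COMPUTERNAME means local).

```powershell
# Added example (not the gist author's code): verify the new credential works.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-NewPassword {
    param(
        [string]$UserName = $env:USERNAME,
        [string]$Domain   = $env:USERDOMAIN
    )
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]
    # Local account when USERDOMAIN matches COMPUTERNAME, otherwise a domain account.
    if ($Domain -eq $env:COMPUTERNAME) {
        $mode = $ctxType::Machine
        $ctx  = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $mode
    } else {
        $mode = $ctxType::Domain
        $ctx  = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $mode, $Domain
    }

    Write-Host "Type your personal prefix, then long-press the Yubikey to append the static part:"
    # Read as SecureString so the password never sits in the console history.
    $secure = Read-Host -AsSecureString
    # Convert to plain text only for the duration of the check, then wipe the buffer.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $ok = $ctx.ValidateCredentials($UserName, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
        $ctx.Dispose()
    }

    if ($ok) {
        Write-Host "OK: credentials accepted for $UserName"
    } else {
        Write-Warning "Credentials rejected for $UserName - do not log out until this check passes"
    }
    return $ok
}

Test-NewPassword
```

Because the YubiKey's static password mode appends a carriage return by default, the long-press also submits the Read-Host prompt, exactly as it does for the two net user prompts in the script above. For a domain account the check requires connectivity to a domain controller; for a local account it runs entirely on the machine.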