Yubikey NEO + Ubuntu1604 + VMware

I asked a similar question before

but was managing with software OTP tokens just fine… Until now, that is.

I can’t figure out how to make the Yubikey NEO work as OTP with privacyIDEA.

I follow the manual…
Start with downloading the Yubico Personalization Tool (on Windows) and configure Slot 2.
Essentially, generate 3 hex numbers - 6, 6 and 16 bytes long.
Called Public Identity, Private Identity and Secret Key, respectively…Write them onto the key…

Then point the browser to the server, pick a user and assign a new token to him.
Select Yubikey AES mode as the type of the token, push the NEO button to populate the first field.
After that I’m told the OTP length is 44 characters and I enter the second and third generated keys in the OTP Key field… Unless those are the right keys (stripped spaces) the Enroll Token on the bottom of the page stays grayed out…

All good so far… I have a new token assigned to a new user.
Now I click the new Yubikey token to test it, “Test OTP only”. And it does NOT work…
The popup message says “AES key must be either 16, 24, or 32 bytes long”…

The first question I have:
All manuals tell me the Yubikey OTP is 44 characters long, aka 22 bytes (6+16).
Why is privacyIDEA expecting an AES key of a different length?

Since this is a virtual machine (with no internet access) I had troubles passing USB to it.
And that means I can’t use the (recommended) command line personalization tool…

I must be missing something, plain and simple… but can’t figure it out.

Anybody has any pointers?


Writing things down sometimes helps…
I think I understand it better but it still does NOT work.

When pressed, the NEO generates a 44-character long key.
The first 12 characters (6 bytes) are actually the Public Identity.
So, I keep the check-mark in the emit UID box (meaning the 12 characters get attached in front of the secret key.

Now I just put the secret key - last generated, 32 characters long - in the OTP Key field (16 bytes, AES compliant).
This is enough for the token to be allowed to enroll… Private Identity key is not used…

It does make sense. But still an error when testing. This time the message says “OTP verification failed”…

I too had trouble enrolling a manually (with the personalization tool) configured yubikey into privacyidea.

I suggest using the privacyidea admin cli on your laptop/workstation. No need to get USB
to you VM…

$ privacyidea token yubikey_mass_enroll --help
usage: privacyidea token yubikey_mass_enroll [-h] [--yubiprefix YUBIPREFIX]
                                             [--yubiprefixrandom NUMBER]
                                             [--yubimode {OATH,YUBICO,STATIC}]
                                             [--filename FILENAME]
                                             [--yubislot {1,2}] [--yubiCR]
                                             [--description DESCRIPTION]
                                             [--access ACCESS]
                                             [--newaccess NEWACCESS]

Something like that should work:

privacyidea token yubikey_mass_enroll --yubislot=2 --yubimode=YUBUCO --yubiprefix=6

Another (probably easier) thing to check is what the yubikey sends - slot 1 or slot 2?
Open a Terminal or an editor, press the key like you did when checking in privacyidea.

Locally programmed token should sent a prefix starting with “vv”, if slot 1 is still factory
programmed the prefix is “cc”. You should be able to get the keys from Yubico, if you
want to use the factory programmed token in privacyidea, but I’s suggest to just
reprogram slot 1.

On my Yubikey I have:

  1. yubico token self programmed with privacyidea, authenticates against my local server
  2. Challenge Response (used with keepass and pam)

I follow the manual…

Can you please provide a link, so that we can improve this very part of the manual?
Thanks a lot


i also tested this with a yubikey Neo with NO problems. After initializing your yubikey with ykpersonalize, you will have an output of your pub id, private id, and aes key(otp secret). The one you should enter in the ‘OTP’ field in the enrollment page using the WebUI is the AES key. Its the longest one 32 hex. You can even leave the other values empty. After enrollment, test your OTP using the test box with OTP only. Or you could use the command privacyidea token yubikey_mass_enroll as stated from above comment. The only thing i noticed using the command in my case is that it only accepts admin accounts created with the pi-manage admin command. But thats another story.

For the docs/html:
Maybe it would help if the placeholder would be something like ‘Enter your AES (yubikey otp secret key) here’ or something? ^.^

PS. Also tried this in xenial with 2.18.1 and 2.19


Can you please provide a link to the manual you used, so that we can improve it?
On the other hand you are also welcome to issue a pull request.

Thanks a lot.



Would it be helpful if the label ‘OTP key’ with the placeholder ‘Enter OTP key…’ be replaced with something else? But this would also mean a change in the html. If this is ok with you:

Shared Secret (AES Key)

Or just the docs?


Which 32 byte generated characters did you pass as OTP key?

Of course you must not enter this what the yubikey outputs as otpkey. But you need to enter that, what the yubikey-personalizatoin-gui generated at “secret key”!

Hi @diogenconsulting, @foot3print

I just pushed a bit more documentation, so it might be clearer.
I think here are some confusions between the OTP value, that the yubikey emits (44 chars) and the OTP secret aka OTP key, which is 32 chars (16 bytes).

Hope this helps.

Thanks a lot for bringing this up.
Kind regards