Programming YubiKeys in OATH HOTP Mode for GreenRADIUS

1. Introduction

This document will show you how to program YubiKeys in OATH HOTP mode so OTPs are 18 characters instead of the default 44 characters.

2. Prequisites

  • Have all the YubiKeys that you want programmed with you
  • Download and install the YubiCo Personalization Tool v3.1.25 (linked here)

3. Programming the YubiKeys

  1. Open the YubiCo Personalization Tool

  2. Select the Settings menu a. Check the "Use and enforce customer prefix," and enter "ubgr" in the ModHex field. b. Select PSKC format under Log configuration output Programming YubiKeys

  3. Select the OATH-HOTP menu, and click on Advanced Programming YubiKeys

  4. You will see a screen as shown below: a. Select Configuration Slot 1 b. Select Program Multiple YubiKeys c. Select Automatically Program YubiKeys when inserted d. Under Parameter Generation Scheme, select Increment Identities; Randomize Secret e. Under OATH-HOTP Parameters select All ModHex Programming YubiKeys

  5. Set HOTP Length as 6 digits, Moving Factor Seed as "Randomize," and click on Generate to create a random Secret Key. Programming YubiKeys

  6. Insert the first YubiiKey and click on Write Configuration. Name the output file to be created and save it somewhere. This file will contain the new secrets of the programmed YubiKeys. Please keep it in a secure place until it is uploaded to GreenRADIUS.

  7. The already inserted YubiKey will be programmed, and you will see a success message. Remove the YubiKey.

  8. Without exiting the tool, insert the next YubiKey. Wait for the tool to program the inserted YubiKey (you will see a success message), then remove it. Continue to insert, have YubiKey programmed, then remove for the rest of your YubiKeys.

  9. After all YubiKeys are programmed, click on Stop, and close the tool.

4. Importing the New Secrets File into GreenRADIUS

  1. Open a new browser tab and navigate to GreenRADIUS web admin console.
  2. Make sure the validation server is set to "Local Validation Server on GreenRADIUS." You can set this under the Global Configuration tab, Validation Server.
  3. Also in the Global Configuration tab, in the General settings, set the "YubiKey (OATH-HOTP Mode) Configuration - OTP Length" to 6, then click the Save button.
  4. Go to Import Secrets tab.
  5. Select "Import OATH Tokens (PSKC Container)." Then click on "Browse..."
  6. Select the new secrets file.
  7. Click on Upload. Do not navigate away from the page. Wait for a success message to appear.
  8. After the upload is complete, you can see the newly imported tokens in the List Tokens tab.

Web Analytics Made Easy - StatCounter

Updated 2025-11-15
© 2025 Green Rocket Security Inc. All rights reserved.