Batch Deletion of YubiKey Credentials
My lab Yubikey was slowing down due to the amount of credentials for a single domain
Disclaimer
These are very destructive procedures. I bear no responsibility for any loss of data or damage to your YubiKey.
On RP_ID
Note: RP_ID is usually the domain of the service you are using. It can also be a superdomain.
For example, you are logging in with your browser to https://www.example.com, so the RP_ID can be:
- www.example.com
- example.com
- com (unlikely)
More on this topic at RP ID deep dive
Procedure
ykman lists the YubiKey's FIDO2 credentials in the following format:
ykman fido credentials list --csv
<long-uuid-1>,<RP_ID>,<username>,,<long-number-1>
<long-uuid-2>,<RP_ID>,<username>,,<long-number-2>
We can grep for the RP_ID and username and get CSV output (no JSON or YAML, sadly):
ykman fido credentials list --csv | \
grep ',some.example.com,myusername,' | \
awk -F ',' '{print $1}'
<long-uuid-1>
<long-uuid-2>
Finally, we can run this through xargs to mass-delete every credential for the domain-user combination.
- NOTE: You can either enter the PIN for every deletion, or run with --pin, which is unsafe (the PIN ends up in your shell history and is visible in the process list).
- NOTE: Nothing stops you from running this for a whole domain; being more specific is safer.
ykman fido credentials list --csv --pin 1234 | \
grep ',some.example.com,myusername,' | \
awk -F ',' '{print $1}' | \
xargs -n1 ykman fido credentials delete --force --pin 1234
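Added example, not from the original post: a small POSIX sh wrapper around the same pipeline that matches RP_ID and username as exact CSV fields (grep's `.` matches any character, so `some.example.com` would also match `someXexample.com`), lets you count matches before anything is deleted, and prompts for the PIN instead of typing it on the command line. The sample CSV rows are constructed; the field layout is assumed to be the one shown above.

```shell
# Constructed sample of `ykman fido credentials list --csv` output (not real IDs).
# Assumed layout: <credential-id>,<RP_ID>,<username>,,<number>
SAMPLE_CSV='aaaa-1111,some.example.com,myusername,,101
bbbb-2222,some.example.com,otheruser,,102
cccc-3333,someXexample.com,myusername,,103
dddd-4444,some.example.com,myusername,,104'

# Print the credential IDs whose RP_ID (field 2) and username (field 3)
# equal the given values exactly. Reads CSV on stdin.
select_credential_ids() {
    awk -F ',' -v rp="$1" -v user="$2" '$2 == rp && $3 == user { print $1 }'
}

# Dry run: how many credentials the delete step would touch. Reads CSV on stdin.
count_matches() {
    select_credential_ids "$1" "$2" | wc -l | tr -d ' '
}

# Ask for the PIN once without echo, so it is not left in shell history.
# It is still handed to ykman with --pin (the post's caveat about the
# process list still applies for the moment each command runs).
read_pin() {
    printf 'YubiKey PIN: ' >&2
    stty -echo
    read -r PIN
    stty echo
    echo >&2
}

# Delete every credential matching RP_ID $1 and username $2 on the real key.
batch_delete() {
    read_pin
    ykman fido credentials list --csv --pin "$PIN" |
        select_credential_ids "$1" "$2" |
        xargs -n1 ykman fido credentials delete --force --pin "$PIN"
}

# Demo on the constructed sample; against a real key use:
#   ykman fido credentials list --csv | count_matches some.example.com myusername
#   batch_delete some.example.com myusername
demo() {
    printf '%s\n' "$SAMPLE_CSV" | select_credential_ids some.example.com myusername
}
```

Run `count_matches` first and only call `batch_delete` once the number looks right for the RP_ID and username you intend.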