| version 1.5, 2001/08/02 08:58:35 |
version 1.5.4.2, 2002/06/02 22:56:09 |
|
|
| Cyberflex smartcards and TODOS card readers. To enable this you |
Cyberflex smartcards and TODOS card readers. To enable this you |
| need to: |
need to: |
| |
|
| (1) install sectok |
(1) enable SMARTCARD support in OpenSSH: |
| |
|
| $ cd /usr/src/lib/libsectok |
|
| $ make obj depend all install includes |
|
| $ cd /usr/src/usr.bin/sectok |
|
| $ make obj depend all install |
|
| |
|
| (2) enable SMARTCARD support in OpenSSH: |
|
| |
|
| $ vi /usr/src/usr.bin/ssh/Makefile.inc |
$ vi /usr/src/usr.bin/ssh/Makefile.inc |
| and uncomment |
and uncomment |
| CFLAGS+= -DSMARTCARD |
CFLAGS+= -DSMARTCARD |
| LDADD+= -lsectok |
LDADD+= -lsectok |
| |
|
| (3) load the Java Cardlet to the Cyberflex card: |
(2) If you have used a previous version of ssh with your card, you |
| |
must remove the old applet and keys. |
| |
|
| $ sectok |
$ sectok |
| sectok> login -d |
sectok> login -d |
| sectok> jload /usr/libdata/ssh/Ssh.bin |
sectok> junload Ssh.bin |
| |
sectok> delete 0012 |
| |
sectok> delete sh |
| sectok> quit |
sectok> quit |
| |
|
| (4) load a RSA key to the card: |
(3) load the Java Cardlet to the Cyberflex card and set card passphrase: |
| |
|
| please don't use your production RSA keys, since |
|
| with the current version of sectok/ssh-keygen |
|
| the private key file is still readable |
|
| |
|
| $ ssh-keygen -f /path/to/rsakey -U 1 |
|
| (where 1 is the reader number, you can also try 0) |
|
| |
|
| In spite of the name, this does not generate a key. |
|
| It just loads an already existing key on to the card. |
|
| |
|
| (5) optional: |
|
| |
|
| Change the card password so that only you can |
|
| read the private key: |
|
| |
|
| $ sectok |
$ sectok |
| sectok> login -d |
sectok> login -d |
| |
sectok> jload /usr/libdata/ssh/Ssh.bin |
| sectok> setpass |
sectok> setpass |
| |
Enter new AUT0 passphrase: |
| |
Re-enter passphrase: |
| sectok> quit |
sectok> quit |
| |
|
| This prevents reading the key but not use of the |
|
| key by the card applet. |
|
| |
|
| Do not forget the passphrase. There is no way to |
Do not forget the passphrase. There is no way to |
| recover if you do. |
recover if you do. |
| |
|
|
|
| wrong passphrase three times in a row, you will |
wrong passphrase three times in a row, you will |
| destroy your card. |
destroy your card. |
| |
|
| (6) tell the ssh client to use the card reader: |
(4) load a RSA key to the card: |
| |
|
| |
$ ssh-keygen -f /path/to/rsakey -U 1 |
| |
(where 1 is the reader number, you can also try 0) |
| |
|
| |
In spite of the name, this does not generate a key. |
| |
It just loads an already existing key on to the card. |
| |
|
| |
(5) tell the ssh client to use the card reader: |
| |
|
| $ ssh -I 1 otherhost |
$ ssh -I 1 otherhost |
| |
|
| (7) or tell the agent (don't forget to restart) to use the smartcard: |
(6) or tell the agent (don't forget to restart) to use the smartcard: |
| |
|
| $ ssh-add -s 1 |
$ ssh-add -s 1 |
| |
|
| |
(7) Optional: If you don't want to use a card passphrase, change the |
| |
acl on the private key file: |
| |
|
| |
$ sectok |
| |
sectok> login -d |
| |
sectok> acl 0012 world: w |
| |
world: w |
| |
AUT0: w inval |
| |
sectok> quit |
| |
|
| |
If you do this, anyone who has access to your card |
| |
can assume your identity. This is not recommended. |
| |
|
| -markus, |
-markus, |
| Tue Jul 17 23:54:51 CEST 2001 |
Tue Jul 17 23:54:51 CEST 2001 |
| |
|
| |
$OpenBSD$ |
![[BACK]](/icons/back.gif){kind=icon}
Return to README.smartcard CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh