version 1.5, 2001/08/02 08:58:35 |
version 1.6, 2002/03/21 22:44:05 |
|
|
Cyberflex smartcards and TODOS card readers. To enable this you |
Cyberflex smartcards and TODOS card readers. To enable this you |
need to: |
need to: |
|
|
(1) install sectok |
(1) enable SMARTCARD support in OpenSSH: |
|
|
$ cd /usr/src/lib/libsectok |
|
$ make obj depend all install includes |
|
$ cd /usr/src/usr.bin/sectok |
|
$ make obj depend all install |
|
|
|
(2) enable SMARTCARD support in OpenSSH: |
|
|
|
$ vi /usr/src/usr.bin/ssh/Makefile.inc |
$ vi /usr/src/usr.bin/ssh/Makefile.inc |
and uncomment |
and uncomment |
CFLAGS+= -DSMARTCARD |
CFLAGS+= -DSMARTCARD |
LDADD+= -lsectok |
LDADD+= -lsectok |
|
|
(3) load the Java Cardlet to the Cyberflex card: |
(2) load the Java Cardlet to the Cyberflex card and set card passphrase: |
|
|
$ sectok |
$ sectok |
sectok> login -d |
sectok> login -d |
|
sectok> junload Ssh.bin |
sectok> jload /usr/libdata/ssh/Ssh.bin |
sectok> jload /usr/libdata/ssh/Ssh.bin |
|
sectok> setpass |
|
Enter new AUT0 passphrase: |
|
Re-enter passphrase: |
sectok> quit |
sectok> quit |
|
|
(4) load a RSA key to the card: |
Do not forget the passphrase. There is no way to |
|
recover if you do. |
|
|
|
IMPORTANT WARNING: If you attempt to login with the |
|
wrong passphrase three times in a row, you will |
|
destroy your card. |
|
|
|
If you have loaded an older version of Ssh.bin on |
|
your card previously, you must unload it and load |
|
the new one. |
|
|
|
(3) load a RSA key to the card: |
|
|
please don't use your production RSA keys, since |
please don't use your production RSA keys, since |
with the current version of sectok/ssh-keygen |
with the current version of sectok/ssh-keygen |
the private key file is still readable |
the private key file is still readable |
|
|
In spite of the name, this does not generate a key. |
In spite of the name, this does not generate a key. |
It just loads an already existing key on to the card. |
It just loads an already existing key on to the card. |
|
|
(5) optional: |
(4) tell the ssh client to use the card reader: |
|
|
Change the card password so that only you can |
|
read the private key: |
|
|
|
$ sectok |
|
sectok> login -d |
|
sectok> setpass |
|
sectok> quit |
|
|
|
This prevents reading the key but not use of the |
|
key by the card applet. |
|
|
|
Do not forget the passphrase. There is no way to |
|
recover if you do. |
|
|
|
IMPORTANT WARNING: If you attempt to login with the |
|
wrong passphrase three times in a row, you will |
|
destroy your card. |
|
|
|
(6) tell the ssh client to use the card reader: |
|
|
|
$ ssh -I 1 otherhost |
$ ssh -I 1 otherhost |
|
|
(7) or tell the agent (don't forget to restart) to use the smartcard: |
(5) or tell the agent (don't forget to restart) to use the smartcard: |
|
|
$ ssh-add -s 1 |
$ ssh-add -s 1 |
|
|