version 1.5.4.2, 2002/06/02 22:56:09 |
version 1.6, 2002/03/21 22:44:05 |
|
|
CFLAGS+= -DSMARTCARD |
CFLAGS+= -DSMARTCARD |
LDADD+= -lsectok |
LDADD+= -lsectok |
|
|
(2) If you have used a previous version of ssh with your card, you |
(2) load the Java Cardlet to the Cyberflex card and set card passphrase: |
must remove the old applet and keys. |
|
|
|
$ sectok |
$ sectok |
sectok> login -d |
sectok> login -d |
sectok> junload Ssh.bin |
sectok> junload Ssh.bin |
sectok> delete 0012 |
|
sectok> delete sh |
|
sectok> quit |
|
|
|
(3) load the Java Cardlet to the Cyberflex card and set card passphrase: |
|
|
|
$ sectok |
|
sectok> login -d |
|
sectok> jload /usr/libdata/ssh/Ssh.bin |
sectok> jload /usr/libdata/ssh/Ssh.bin |
sectok> setpass |
sectok> setpass |
Enter new AUT0 passphrase: |
Enter new AUT0 passphrase: |
|
|
wrong passphrase three times in a row, you will |
wrong passphrase three times in a row, you will |
destroy your card. |
destroy your card. |
|
|
(4) load a RSA key to the card: |
If you have loaded an older version of Ssh.bin on |
|
your card previously, you must unload it and load |
|
the new one. |
|
|
|
(3) load a RSA key to the card: |
|
|
|
please don't use your production RSA keys, since |
|
with the current version of sectok/ssh-keygen |
|
the private key file is still readable |
|
|
$ ssh-keygen -f /path/to/rsakey -U 1 |
$ ssh-keygen -f /path/to/rsakey -U 1 |
(where 1 is the reader number, you can also try 0) |
(where 1 is the reader number, you can also try 0) |
|
|
In spite of the name, this does not generate a key. |
In spite of the name, this does not generate a key. |
It just loads an already existing key on to the card. |
It just loads an already existing key on to the card. |
|
|
(5) tell the ssh client to use the card reader: |
(4) tell the ssh client to use the card reader: |
|
|
$ ssh -I 1 otherhost |
$ ssh -I 1 otherhost |
|
|
(6) or tell the agent (don't forget to restart) to use the smartcard: |
(5) or tell the agent (don't forget to restart) to use the smartcard: |
|
|
$ ssh-add -s 1 |
$ ssh-add -s 1 |
|
|
(7) Optional: If you don't want to use a card passphrase, change the |
|
acl on the private key file: |
|
|
|
$ sectok |
|
sectok> login -d |
|
sectok> acl 0012 world: w |
|
world: w |
|
AUT0: w inval |
|
sectok> quit |
|
|
|
If you do this, anyone who has access to your card |
|
can assume your identity. This is not recommended. |
|
|
|
-markus, |
-markus, |
Tue Jul 17 23:54:51 CEST 2001 |
Tue Jul 17 23:54:51 CEST 2001 |
|
|
$OpenBSD$ |
|