===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/Attic/README.smartcard,v
retrieving revision 1.5.4.1
retrieving revision 1.5.4.2
diff -u -r1.5.4.1 -r1.5.4.2
--- src/usr.bin/ssh/Attic/README.smartcard	2001/09/27 19:03:54	1.5.4.1
+++ src/usr.bin/ssh/Attic/README.smartcard	2002/06/02 22:56:09	1.5.4.2
@@ -4,52 +4,33 @@
 Cyberflex smartcards and TODOS card readers. To enable this you
 need to:
 
-(1) install sectok
+(1) enable SMARTCARD support in OpenSSH:
 
-	$ cd /usr/src/lib/libsectok
-	$ make obj depend all install includes
-	$ cd /usr/src/usr.bin/sectok
-	$ make obj depend all install
-
-(2) enable SMARTCARD support in OpenSSH:
-
 	$ vi /usr/src/usr.bin/ssh/Makefile.inc
 	and uncomment
 		CFLAGS+=	-DSMARTCARD
 		LDADD+=	-lsectok
 
-(3) load the Java Cardlet to the Cyberflex card:
+(2) If you have used a previous version of ssh with your card, you
+    must remove the old applet and keys.
 
 	$ sectok
 	sectok> login -d
-	sectok> jload /usr/libdata/ssh/Ssh.bin
+	sectok> junload Ssh.bin
+	sectok> delete 0012
+	sectok> delete sh
 	sectok> quit
 
-(4) load a RSA key to the card:
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
 
-	please don't use your production RSA keys, since
-	with the current version of sectok/ssh-keygen
-	the private key file is still readable
-
-	$ ssh-keygen -f /path/to/rsakey -U 1
-	(where 1 is the reader number, you can also try 0)
-
-	In spite of the name, this does not generate a key.
-	It just loads an already existing key on to the card.
-
-(5) optional:
-
-	Change the card password so that only you can
-	read the private key:
-
 	$ sectok
 	sectok> login -d
+	sectok> jload /usr/libdata/ssh/Ssh.bin
 	sectok> setpass
+	Enter new AUT0 passphrase: 
+	Re-enter passphrase: 
 	sectok> quit
 
-	This prevents reading the key but not use of the
-	key by the card applet.
-
 	Do not forget the passphrase.  There is no way to
 	recover if you do.
 
@@ -57,13 +38,36 @@
 	wrong passphrase three times in a row, you will
 	destroy your card.
 
-(6) tell the ssh client to use the card reader:
+(4) load a RSA key to the card:
 
+	$ ssh-keygen -f /path/to/rsakey -U 1
+	(where 1 is the reader number, you can also try 0)
+
+	In spite of the name, this does not generate a key.
+	It just loads an already existing key on to the card.
+
+(5) tell the ssh client to use the card reader:
+
 	$ ssh -I 1 otherhost
 
-(7) or tell the agent (don't forget to restart) to use the smartcard:
+(6) or tell the agent (don't forget to restart) to use the smartcard:
 
 	$ ssh-add -s 1
 
+(7) Optional: If you don't want to use a card passphrase, change the
+    acl on the private key file:
+
+	$ sectok
+	sectok> login -d
+	sectok> acl 0012 world: w 
+	 world: w 
+	 AUT0: w inval 
+	sectok> quit
+
+	If you do this, anyone who has access to your card
+	can assume your identity.  This is not recommended.
+
 -markus,
 Tue Jul 17 23:54:51 CEST 2001
+
+$OpenBSD: README.smartcard,v 1.5.4.2 2002/06/02 22:56:09 miod Exp $