Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.4
How to use smartcards with OpenSSH

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) install sectok:

    $ cd /usr/src/lib/libsectok
    $ make obj depend all install includes
    $ cd /usr/src/usr.bin/sectok
    $ make obj depend all install

(2) enable SMARTCARD support in OpenSSH:

    $ vi /usr/src/usr.bin/ssh/Makefile.inc

    and uncomment

    CFLAGS+= -DSMARTCARD
    LDADD+= -lsectok

(3) load the Java Cardlet onto the Cyberflex card:

    $ sectok
    sectok> login -d
    sectok> jload /usr/libdata/ssh/Ssh.bin
    sectok> quit

(4) load an RSA key onto the card:

    Please don't use your production RSA keys, since with the
    current version of sectok/ssh-keygen the private key file
    is still readable.

    $ ssh-keygen -f /path/to/rsakey -u 1
    (where 1 is the reader number; you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key onto the card.

(5) optional: change the card password so that only you can
    read the private key:

    $ sectok
    sectok> login -d
    sectok> setpass
    sectok> quit

    This prevents reading the key but not use of the key by
    the card applet.

    Do not forget the passphrase. There is no way to recover
    it if you do.

    IMPORTANT WARNING: If you attempt to login with the wrong
    passphrase three times in a row, you will destroy your card.

(6) tell the ssh client to use the card reader:

    $ ssh -I 1 otherhost

(7) or tell the agent (don't forget to restart it) to use the
    smartcard:

    $ ssh-add -s 1

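The build flags in step (2) are the easiest part of this procedure to get silently wrong: if either line stays commented out, the resulting ssh simply has no card support. The helper below, added here and not part of the OpenSSH README or source tree, uncomments both flags in a Makefile.inc and verifies that they are active; the function names and the sample Makefile.inc fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH README: turn on the SMARTCARD
# build flags from step (2) in a given Makefile.inc and check that both
# are active. Assumes the two lines are present but commented out with a
# leading '#' (as the README describes) or absent, in which case they
# are appended.

# Succeed only if both flags are present and not commented out.
smartcard_build_enabled() {
    grep -q '^[[:space:]]*CFLAGS+=[[:space:]]*-DSMARTCARD' "$1" &&
    grep -q '^[[:space:]]*LDADD+=[[:space:]]*-lsectok' "$1"
}

# Uncomment the two flags (appending any that is missing); idempotent.
enable_smartcard_build() {
    f="$1"
    tmp="$f.tmp.$$"
    sed -e 's/^[[:space:]]*#[[:space:]]*\(CFLAGS+=[[:space:]]*-DSMARTCARD\)/\1/' \
        -e 's/^[[:space:]]*#[[:space:]]*\(LDADD+=[[:space:]]*-lsectok\)/\1/' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    grep -q '^[[:space:]]*CFLAGS+=[[:space:]]*-DSMARTCARD' "$tmp" ||
        printf 'CFLAGS+=\t-DSMARTCARD\n' >> "$tmp"
    grep -q '^[[:space:]]*LDADD+=[[:space:]]*-lsectok' "$tmp" ||
        printf 'LDADD+=\t-lsectok\n' >> "$tmp"
    mv "$tmp" "$f" && smartcard_build_enabled "$f"
}

# Self-contained demonstration on a constructed Makefile.inc fragment:
# returns 0 when the flags were off before, on afterwards, and running
# the helper twice does not duplicate the lines.
demo_smartcard_flags() {
    d=$(mktemp -d) || return 1
    f="$d/Makefile.inc"
    printf '# constructed sample, not the real Makefile.inc\n' > "$f"
    printf '#CFLAGS+=\t-DSMARTCARD\n#LDADD+=\t-lsectok\n' >> "$f"
    if smartcard_build_enabled "$f"; then rm -rf "$d"; return 1; fi
    enable_smartcard_build "$f" || { rm -rf "$d"; return 1; }
    enable_smartcard_build "$f" || { rm -rf "$d"; return 1; }
    n=$(grep -c 'SMARTCARD' "$f")
    rm -rf "$d"
    [ "$n" -eq 1 ]
}
```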
-markus,
Tue Jul 17 23:54:51 CEST 2001