Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.5.2.1

1.1       markus      1: How to use smartcards with OpenSSH?
                      2:
                      3: OpenSSH contains experimental support for authentication using
                      4: Cyberflex smartcards and TODOS card readers. To enable this you
                      5: need to:
                      6:
                      7: (1) install sectok
                      8:
                      9:        $ cd /usr/src/lib/libsectok
                     10:        $ make obj depend all install includes
                     11:        $ cd /usr/src/usr.bin/sectok
                     12:        $ make obj depend all install
                     13:
                     14: (2) enable SMARTCARD support in OpenSSH:
                     15:
                     16:        $ vi /usr/src/usr.bin/ssh/Makefile.inc
                     17:        and uncomment
                     18:                CFLAGS+=        -DSMARTCARD
                     19:                LDADD+= -lsectok
                     20:
                     21: (3) load the Java Cardlet to the Cyberflex card:
                     22:
                     23:        $ sectok
1.2       rees       24:        sectok> login -d
1.1       markus     25:        sectok> jload /usr/libdata/ssh/Ssh.bin
                     26:        sectok> quit
                     27:
                     28: (4) load an RSA key to the card:
                     29:
                     30:        please don't use your production RSA keys, since
                     31:        with the current version of sectok/ssh-keygen
                     32:        the private key file is still readable
                     33:
1.5       jakob      34:        $ ssh-keygen -f /path/to/rsakey -U 1
1.1       markus     35:        (where 1 is the reader number, you can also try 0)
                     36:
1.2       rees       37:        In spite of the name, this does not generate a key.
                     38:        It just loads an already existing key onto the card.
1.1       markus     39:
1.3       rees       40: (5) optional:
                     41:
                     42:        Change the card password so that only you can
                     43:        read the private key:
                     44:
                     45:        $ sectok
                     46:        sectok> login -d
                     47:        sectok> setpass
                     48:        sectok> quit
                     49:
                     50:        This prevents reading the key but not use of the
                     51:        key by the card applet.
                     52:
                     53:        Do not forget the passphrase.  There is no way to
                     54:        recover if you do.
                     55:
1.4       rees       56:        IMPORTANT WARNING: If you attempt to log in with the
                     57:        wrong passphrase three times in a row, you will
                     58:        destroy your card.
                     59:
1.3       rees       60: (6) tell the ssh client to use the card reader:
1.1       markus     61:
                     62:        $ ssh -I 1 otherhost
                     63:
1.3       rees       64: (7) or tell the agent (don't forget to restart) to use the smartcard:
1.1       markus     65:
                     66:        $ ssh-add -s 1
                     67:
                     68: -markus,
                     69: Tue Jul 17 23:54:51 CEST 2001