Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.5.6.1
How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ vi /usr/src/usr.bin/ssh/Makefile.inc
    and uncomment
	CFLAGS+=	-DSMARTCARD
	LDADD+=		-lsectok

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase:
	Re-enter passphrase:
	sectok> quit

    Do not forget the passphrase. There is no way to
    recover if you do.

    IMPORTANT WARNING: If you attempt to login with the
    wrong passphrase three times in a row, you will
    destroy your card.

(4) load an RSA key to the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
    (where 1 is the reader number, you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key on to the card.

(5) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w
	world: w
	AUT0: w inval
	sectok> quit

    If you do this, anyone who has access to your card
    can assume your identity. This is not recommended.

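Step (1) depends on the two Makefile.inc lines being really uncommented, and a leading `#` is easy to miss when the rest of the procedure fails later with a puzzling "illegal option" from ssh. The following preflight check is an added example written for this page; it is not part of OpenSSH or the OpenBSD tree. It assumes only POSIX sh and grep, and it builds its own sample Makefile.inc files (constructed, not copied from the tree) so that it runs stand-alone; on a real system you would point it at /usr/src/usr.bin/ssh/Makefile.inc.

```shell
#!/bin/sh
# Added example (not OpenSSH's own code): preflight check for step (1).
# smartcard_build_status FILE
#   returns 0 if both "CFLAGS+= -DSMARTCARD" and "LDADD+= -lsectok" are
#   present and not commented out, 1 if the CFLAGS line is missing or
#   commented, 2 if the LDADD line is, 3 if both are.
smartcard_build_status() {
    f="$1"
    rc=0
    # Anchoring at line start (after optional whitespace) is what rejects a
    # line that still carries the '#' comment marker.
    grep -Eq '^[[:space:]]*CFLAGS\+=[[:space:]]*-DSMARTCARD([[:space:]]|$)' "$f" || rc=$((rc + 1))
    grep -Eq '^[[:space:]]*LDADD\+=[[:space:]]*-lsectok([[:space:]]|$)' "$f" || rc=$((rc + 2))
    return "$rc"
}

# Constructed sample Makefile.inc fragments for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Both lines still commented (the state of a fresh source tree).
cat > "$SAMPLE_DIR/Makefile.inc.off" <<'EOF'
CFLAGS+=	-DHAVE_LOGIN_CAP
#CFLAGS+=	-DSMARTCARD
#LDADD+=	-lsectok
EOF

# Both lines uncommented as step (1) requires.
cat > "$SAMPLE_DIR/Makefile.inc.on" <<'EOF'
CFLAGS+=	-DHAVE_LOGIN_CAP
CFLAGS+=	-DSMARTCARD
LDADD+=		-lsectok
EOF

# Half done: compiled with SMARTCARD but not linked against libsectok.
cat > "$SAMPLE_DIR/Makefile.inc.half" <<'EOF'
CFLAGS+=	-DSMARTCARD
#LDADD+=	-lsectok
EOF

for variant in off on half; do
    if smartcard_build_status "$SAMPLE_DIR/Makefile.inc.$variant"; then
        echo "$variant: SMARTCARD build enabled"
    else
        echo "$variant: SMARTCARD build not enabled (status $?)"
    fi
done
```

The distinct return codes let a build script say which of the two edits is still missing rather than just "not enabled"; a tree where only the CFLAGS line is active compiles the smartcard code but fails at link time for want of -lsectok, which is the case the "half" sample covers.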
-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $