Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.7
1.1 markus 1: How to use smartcards with OpenSSH?
2:
3: OpenSSH contains experimental support for authentication using
4: Cyberflex smartcards and TODOS card readers. To enable this you
5: need to:
6:
1.6 rees 7: (1) enable SMARTCARD support in OpenSSH:
1.1 markus 8:
9: $ vi /usr/src/usr.bin/ssh/Makefile.inc
10: and uncomment
11: CFLAGS+= -DSMARTCARD
12: LDADD+= -lsectok
13:
1.7 ! rees 14: (2) If you have used a previous version of ssh with your card, you
! 15: must remove the old applet and keys.
1.1 markus 16:
17: $ sectok
1.2 rees 18: sectok> login -d
1.6 rees 19: sectok> junload Ssh.bin
1.7 ! rees 20: sectok> delete 0012
! 21: sectok> delete sh
! 22: sectok> quit
! 23:
! 24: (3) load the Java Cardlet onto the Cyberflex card and set the card passphrase:
! 25:
! 26: $ sectok
! 27: sectok> login -d
1.1 markus 28: sectok> jload /usr/libdata/ssh/Ssh.bin
1.6 rees 29: sectok> setpass
30: Enter new AUT0 passphrase:
31: Re-enter passphrase:
1.1 markus 32: sectok> quit
33:
1.6 rees 34: Do not forget the passphrase. There is no way to
35: recover if you do.
36:
37: IMPORTANT WARNING: If you attempt to login with the
38: wrong passphrase three times in a row, you will
39: destroy your card.
40:
1.7 ! rees 41: (4) load an RSA key onto the card:
1.1 markus 42:
1.5 jakob 43: $ ssh-keygen -f /path/to/rsakey -U 1
1.1 markus 44: (where 1 is the reader number; you can also try 0)
45:
1.2 rees 46: In spite of the name, this does not generate a key.
47: It just loads an already existing key onto the card.
1.1 markus 48:
1.7 ! rees 49: (5) tell the ssh client to use the card reader:
1.1 markus 50:
51: $ ssh -I 1 otherhost
52:
1.7 ! rees 53: (6) or tell the agent (don't forget to restart) to use the smartcard:
1.1 markus 54:
55: $ ssh-add -s 1
56:
57: -markus,
58: Tue Jul 17 23:54:51 CEST 2001
1.7 ! rees 59:
! 60: $OpenBSD: $