Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.7

1.1       markus      1: How to use smartcards with OpenSSH?
                      2:
                      3: OpenSSH contains experimental support for authentication using
                      4: Cyberflex smartcards and TODOS card readers. To enable this you
                      5: need to:
                      6:
1.6       rees        7: (1) enable SMARTCARD support in OpenSSH:
1.1       markus      8:
                      9:        $ vi /usr/src/usr.bin/ssh/Makefile.inc
                     10:        and uncomment
                     11:                CFLAGS+=        -DSMARTCARD
                     12:                LDADD+= -lsectok
                     13:
1.7     ! rees       14: (2) If you have used a previous version of ssh with your card, you
        !            15:     must remove the old applet and keys.
1.1       markus     16:
                     17:        $ sectok
1.2       rees       18:        sectok> login -d
1.6       rees       19:        sectok> junload Ssh.bin
1.7     ! rees       20:        sectok> delete 0012
        !            21:        sectok> delete sh
        !            22:        sectok> quit
        !            23:
        !            24: (3) load the Java Cardlet to the Cyberflex card and set card passphrase:
        !            25:
        !            26:        $ sectok
        !            27:        sectok> login -d
1.1       markus     28:        sectok> jload /usr/libdata/ssh/Ssh.bin
1.6       rees       29:        sectok> setpass
                     30:        Enter new AUT0 passphrase:
                     31:        Re-enter passphrase:
1.1       markus     32:        sectok> quit
                     33:
1.6       rees       34:        Do not forget the passphrase.  There is no way to
                     35:        recover if you do.
                     36:
                     37:        IMPORTANT WARNING: If you attempt to log in with the
                     38:        wrong passphrase three times in a row, you will
                     39:        destroy your card.
                     40:
1.7     ! rees       41: (4) load an RSA key to the card:
1.1       markus     42:
1.5       jakob      43:        $ ssh-keygen -f /path/to/rsakey -U 1
1.1       markus     44:        (where 1 is the reader number, you can also try 0)
                     45:
1.2       rees       46:        In spite of the name, this does not generate a key.
                     47:        It just loads an already existing key on to the card.
1.1       markus     48:
1.7     ! rees       49: (5) tell the ssh client to use the card reader:
1.1       markus     50:
                     51:        $ ssh -I 1 otherhost
                     52:
1.7     ! rees       53: (6) or tell the agent (don't forget to restart) to use the smartcard:
1.1       markus     54:
                     55:        $ ssh-add -s 1
                     56:
                     57: -markus,
                     58: Tue Jul 17 23:54:51 CEST 2001
1.7     ! rees       59:
        !            60: $OpenBSD: $