src/usr.bin/ssh/README.smartcard, Revision 1.8.6.1

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

       $ vi /usr/src/usr.bin/ssh/Makefile.inc
       and uncomment
               CFLAGS+=        -DSMARTCARD
               LDADD+= -lsectok
       then rebuild and install OpenSSH so that ssh, ssh-keygen,
       ssh-add and ssh-agent are built with smartcard support.

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

       $ sectok
       sectok> login -d
       sectok> junload Ssh.bin
       sectok> delete 0012
       sectok> delete sh
       sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

       $ sectok
       sectok> login -d
       sectok> jload /usr/libdata/ssh/Ssh.bin
       sectok> setpass
       Enter new AUT0 passphrase:
       Re-enter passphrase:
       sectok> quit

       Do not forget the passphrase.  There is no way to
       recover if you do.

       IMPORTANT WARNING: If you attempt to login with the
       wrong passphrase three times in a row, you will
       destroy your card.

(4) load an RSA key to the card:

       $ ssh-keygen -f /path/to/rsakey -U 1
       (where 1 is the reader number; if that fails, try 0)

       In spite of the name, this does not generate a key.
       It just copies an already existing key onto the card.
       The key file itself remains on disk afterwards, so it
       still needs to be protected.

(5) tell the ssh client to use the card reader:

       $ ssh -I 1 otherhost

(6) or tell the agent to use the smartcard (restart the agent first
    if it was started before you rebuilt it with SMARTCARD support):

       $ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

       $ sectok
       sectok> login -d
       sectok> acl 0012 world: w
        world: w
        AUT0: w inval
       sectok> quit

       If you do this, anyone who has physical access to your card
       can assume your identity without knowing any passphrase.
       This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
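The following script is added here as a worked example; it is not part of the OpenSSH README, nor of the OpenSSH or sectok code. It wraps steps (4) and (6) above and then verifies the result: it takes the fingerprint of the on-disk public key, loads the private key onto the card with "ssh-keygen -U", hands the reader to the agent with "ssh-add -s", and checks that "ssh-add -l" now lists a key with the same fingerprint, which is the check the README leaves to the reader. It assumes steps (1) to (3) have been completed, that an ssh-agent is running, and that the key pair exists as KEY and KEY.pub; the function names, the reader-number check and the sample listing used below are this example's own.

```shell
#!/bin/sh
# Example wrapper for README.smartcard steps (4) and (6), added as an
# illustration; not OpenSSH or sectok code. Assumes a SMARTCARD-enabled
# OpenSSH build, the Ssh.bin applet loaded on the card, a running
# ssh-agent, and a key pair at KEY and KEY.pub.
#
# usage: sh load-card-key.sh /path/to/rsakey [reader]

# Extract the fingerprint column from one line of "ssh-keygen -l" or
# "ssh-add -l" output, which both print "<bits> <fingerprint> <comment> ...".
fp_field() {
    # shellcheck disable=SC2086  (word-splitting of the line is intended)
    set -- $1
    printf '%s\n' "$2"
}

# Reader numbers are small non-negative integers (the README uses 1 or 0).
valid_reader() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when the agent listing in $1 contains a key whose fingerprint
# (second column) equals $2; kept separate from ssh-add so it is testable.
listing_has_fp() {
    printf '%s\n' "$1" | awk -v want="$2" '$2 == want { found = 1 } END { exit !found }'
}

# Ask the running agent for its key list and look for the fingerprint $1.
agent_has_fp() {
    listing_has_fp "$(ssh-add -l 2>/dev/null)" "$1"
}

main() {
    key=$1
    reader=${2:-1}

    valid_reader "$reader" || { echo "bad reader number: $reader" >&2; exit 2; }
    [ -r "$key" ] && [ -r "$key.pub" ] || { echo "need $key and $key.pub" >&2; exit 2; }

    # Fingerprint of the key we expect to see via the card afterwards.
    want=$(fp_field "$(ssh-keygen -l -f "$key.pub")")

    # Step (4): copy the existing key onto the card (this does not generate a key).
    ssh-keygen -f "$key" -U "$reader" || { echo "loading key to reader $reader failed" >&2; exit 1; }

    # Step (6): tell the agent to use the smartcard; this prompts for the card passphrase.
    ssh-add -s "$reader" || { echo "ssh-add -s $reader failed" >&2; exit 1; }

    if agent_has_fp "$want"; then
        echo "card key $want is available through the agent"
    else
        echo "agent does not list $want; check the reader number (try 0)" >&2
        exit 1
    fi
}

# Only run the procedure when invoked with arguments, so the helpers can be
# sourced or tested without touching a card.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Remember the warning in step (3): ssh-add -s prompts for the card passphrase, and three wrong attempts in a row destroy the card, so do not run this in a loop that retries on failure.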