Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.8.6.1

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

    $ vi /usr/src/usr.bin/ssh/Makefile.inc

and uncomment

    CFLAGS+= -DSMARTCARD
    LDADD+= -lsectok

(2) If you have used a previous version of ssh with your card, you
must remove the old applet and keys:

    $ sectok
    sectok> login -d
    sectok> junload Ssh.bin
    sectok> delete 0012
    sectok> delete sh
    sectok> quit

(3) load the Java Cardlet onto the Cyberflex card and set the card passphrase:

    $ sectok
    sectok> login -d
    sectok> jload /usr/libdata/ssh/Ssh.bin
    sectok> setpass
    Enter new AUT0 passphrase:
    Re-enter passphrase:
    sectok> quit

Do not forget the passphrase. There is no way to
recover if you do.

IMPORTANT WARNING: If you attempt to login with the
wrong passphrase three times in a row, you will
destroy your card.

(4) load an RSA key onto the card:

    $ ssh-keygen -f /path/to/rsakey -U 1

(where 1 is the reader number; you can also try 0)

In spite of the name, this does not generate a key.
It just loads an already existing key onto the card.

(5) tell the ssh client to use the card reader:

    $ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart it) to use the smartcard:

    $ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
ACL on the private key file:

    $ sectok
    sectok> login -d
    sectok> acl 0012 world: w
    world: w
    AUT0: w inval
    sectok> quit

If you do this, anyone who has access to your card
can assume your identity. This is not recommended.

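As an added audit check (not part of the OpenSSH README or of sectok), the script below reads a captured ACL listing for key file 0012 in the "principal: perms" format shown in step (7) and reports whether the file has been opened to "world", i.e. whether the card has been left usable without its AUT0 passphrase. The listing format and the two sample captures are assumptions constructed from the session above.

```sh
#!/bin/sh
# Added example, not part of the OpenSSH README: flag the step (7)
# configuration, in which "world" gets write access to key file 0012
# and the card no longer requires its passphrase.
# Assumed listing format (from the sectok session in step 7):
#     world: w
#     AUT0: w inval

# world_writable ACL_TEXT
#   Returns 0 (true) when some "world:" line grants "w", 1 otherwise.
world_writable() {
    printf '%s\n' "$1" | awk '
        $1 == "world:" {
            for (i = 2; i <= NF; i++) if ($i == "w") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# audit_card_acl ACL_TEXT
#   Prints a verdict. Returns 0 when the key still needs the AUT0
#   passphrase, 2 when anyone holding the card can use the key.
audit_card_acl() {
    if world_writable "$1"; then
        echo "WARNING: key file 0012 is world writable; passphrase not required"
        return 2
    fi
    echo "OK: key file 0012 requires the AUT0 passphrase"
    return 0
}

# Constructed sample captures of the 'sectok> acl 0012' listing.
# ACL_OPEN mirrors the output shown in step (7); ACL_LOCKED is a
# constructed listing without a "world:" entry.
ACL_OPEN='world: w
AUT0: w inval'
ACL_LOCKED='AUT0: w inval'

# Stand-alone run: audit both samples.
audit_card_acl "$ACL_OPEN"
audit_card_acl "$ACL_LOCKED"
```

Feed it the listing you capture from your own sectok session; a non-zero exit marks a card that should have its ACL restored.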
-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $