Return to README.smartcard CVS log

Up to [local] / src / usr.bin / ssh

Add instructions for changing acl on private key file

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ vi /usr/src/usr.bin/ssh/Makefile.inc
	and uncomment
		CFLAGS+=	-DSMARTCARD
		LDADD+=	-lsectok

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase: 
	Re-enter passphrase: 
	sectok> quit

	Do not forget the passphrase.  There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to login with the
	wrong passphrase three times in a row, you will
	destroy your card.

(4) load a RSA key to the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number, you can also try 0)

	In spite of the name, this does not generate a key.
	It just loads an already existing key on to the card.

(5) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w 
	 world: w 
	 AUT0: w inval 
	sectok> quit

	If you do this, anyone who has access to your card
	can assume your identity.  This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $