How to use smartcards with OpenSSH?
OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:
(1) enable SMARTCARD support in OpenSSH:
$ vi /usr/src/usr.bin/ssh/Makefile.inc
and uncomment
CFLAGS+= -DSMARTCARD
LDADD+= -lsectok
(2) load the Java Cardlet to the Cyberflex card and set card passphrase:
$ sectok
sectok> login -d
sectok> junload Ssh.bin
sectok> jload /usr/libdata/ssh/Ssh.bin
sectok> setpass
Enter new AUT0 passphrase:
Re-enter passphrase:
sectok> quit
Do not forget the passphrase. There is no way to
recover if you do.
IMPORTANT WARNING: If you attempt to login with the
wrong passphrase three times in a row, you will
destroy your card.
If you have loaded an older version of Ssh.bin on
your card previously, you must unload it and load
the new one.
(3) load a RSA key to the card:
please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
the private key file is still readable
$ ssh-keygen -f /path/to/rsakey -U 1
(where 1 is the reader number, you can also try 0)
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
(4) tell the ssh client to use the card reader:
$ ssh -I 1 otherhost
(5) or tell the agent (don't forget to restart) to use the smartcard:
$ ssh-add -s 1
-markus,
Tue Jul 17 23:54:51 CEST 2001
![[BACK]](/icons/back.gif){kind=icon}
Return to README.smartcard CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh