How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ vi /usr/src/usr.bin/ssh/Makefile.inc
	and uncomment
		CFLAGS+=	-DSMARTCARD
		LDADD+=	-lsectok

(2) load the Java Cardlet to the Cyberflex card and set card passphrase:

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase: 
	Re-enter passphrase: 
	sectok> quit

	Do not forget the passphrase.  There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to login with the
	wrong passphrase three times in a row, you will
	destroy your card.

	If you have loaded an older version of Ssh.bin on
	your card previously, you must unload it and load
	the new one.

(3) load a RSA key to the card:

	please don't use your production RSA keys, since
	with the current version of sectok/ssh-keygen
	the private key file is still readable

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number, you can also try 0)

	In spite of the name, this does not generate a key.
	It just loads an already existing key on to the card.

(4) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(5) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1

-markus,
Tue Jul 17 23:54:51 CEST 2001