- (djm) Sync README.smartcard with OpenBSD -current

author: Damien Miller <djm@mindrot.org> 2003-06-10 18:55:22 +1000
committer: Damien Miller <djm@mindrot.org> 2003-06-10 18:55:22 +1000
commit: c18c06e131f7b3660fdab6c0d4b6b087274ffb50 (patch)
tree: c720d85f483514b13a2f617b9f1a884f33ededb8
parent: 400b8786d6d184675152a2f04d3fe806f7c954ae (diff)
2 files changed, 41 insertions, 52 deletions
diff --git a/ChangeLog b/ChangeLog
index 6dfba99b2..e2b5de86b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+20030609
+ - (djm) Sync README.smartcard with OpenBSD -current
 20030606
 - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
@@ -476,4 +479,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2790 2003/06/06 00:46:04 dtucker Exp $
+$Id: ChangeLog,v 1.2791 2003/06/10 08:55:22 djm Exp $
diff --git a/README.smartcard b/README.smartcard
index 29bec8dc6..7bbb0753b 100644
--- a/README.smartcard
+++ b/README.smartcard
@@ -1,54 +1,34 @@
 How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using Cyberflex
+OpenSSH contains experimental support for authentication using
-smartcards and TODOS card readers, in addition to the cards with PKCS#15
+Cyberflex smartcards and TODOS card readers. To enable this you
-structure supported by OpenSC.
+need to:
-WARNING: Smartcard support is still in development.
+(1) enable SMARTCARD support in OpenSSH:
-Keyfile formats, etc are still subject to change.
-To enable sectok support:
+        $ ./configure --with-smartcard [...]
+        and rebuild
-(1) install sectok:
+(2) If you have used a previous version of ssh with your card, you
+    must remove the old applet and keys.
-        Sources and instructions are available from
-        http://www.citi.umich.edu/projects/smartcard/sectok.html
-(2) enable sectok support in OpenSSH:
-        $ ./configure --with-sectok[=/path/to/libsectok] [options]
-(3) load the Java Cardlet to the Cyberflex card:
        $ sectok
        sectok> login -d
-        sectok> jload /usr/libdata/ssh/Ssh.bin
+        sectok> junload Ssh.bin
+        sectok> delete 0012
+        sectok> delete sh
        sectok> quit
-(4) load a RSA key to the card:
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
-        Please don't use your production RSA keys, since
-        with the current version of sectok/ssh-keygen
-        the private key file is still readable.
-        $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
-        In spite of the name, this does not generate a key.
-        It just loads an already existing key on to the card.
-(5) optional:
-        Change the card password so that only you can
-        read the private key:
        $ sectok
        sectok> login -d
+        sectok> jload /usr/libdata/ssh/Ssh.bin
        sectok> setpass
+        Enter new AUT0 passphrase: 
+        Re-enter passphrase: 
        sectok> quit
-        This prevents reading the key but not use of the
-        key by the card applet.
        Do not forget the passphrase.  There is no way to
        recover if you do.
@@ -56,30 +36,36 @@ To enable sectok support:
        wrong passphrase three times in a row, you will
        destroy your card.
-To enable OpenSC support:
+(4) load a RSA key to the card:
-(1) install OpenSC:
-        Sources and instructions are available from
-        http://www.opensc.org/
-(2) enable OpenSC support in OpenSSH:
+        $ ssh-keygen -f /path/to/rsakey -U 1
+        (where 1 is the reader number, you can also try 0)
-        $ ./configure --with-opensc[=/path/to/opensc] [options]
+        In spite of the name, this does not generate a key.
+        It just loads an already existing key on to the card.
-(3) load a RSA key to the card:
+(5) tell the ssh client to use the card reader:
-        Not supported yet.
+        $ ssh -I 1 otherhost
-Common smartcard options:
+(6) or tell the agent (don't forget to restart) to use the smartcard:
-(1) tell the ssh client to use the card reader:
+        $ ssh-add -s 1
-        $ ssh -I <readernum, eg. 0> otherhost
+(7) Optional: If you don't want to use a card passphrase, change the
+    acl on the private key file:
-(2) or tell the agent (don't forget to restart) to use the smartcard:
+        $ sectok
+        sectok> login -d
+        sectok> acl 0012 world: w 
+         world: w 
+         AUT0: w inval 
+        sectok> quit
-        $ ssh-add -s <readernum, eg. 0>
+        If you do this, anyone who has access to your card
+        can assume your identity.  This is not recommended.
 -markus,
-Sat Apr 13 13:48:10 EEST 2002
+Tue Jul 17 23:54:51 CEST 2001
+$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
author	Damien Miller <djm@mindrot.org>	2003-06-10 18:55:22 +1000
committer	Damien Miller <djm@mindrot.org>	2003-06-10 18:55:22 +1000
commit	c18c06e131f7b3660fdab6c0d4b6b087274ffb50 (patch)
tree	c720d85f483514b13a2f617b9f1a884f33ededb8
parent	400b8786d6d184675152a2f04d3fe806f7c954ae (diff)

diff --git a/ChangeLog b/ChangeLog index 6dfba99b2..e2b5de86b 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,6 @@
		1	20030609
		2	- (djm) Sync README.smartcard with OpenBSD -current
		3
1	20030606	4	20030606
2	- (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@	5	- (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
3		6
@@ -476,4 +479,4 @@
476	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.	479	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
477	Report from murple@murple.net, diagnosis from dtucker@zip.com.au	480	Report from murple@murple.net, diagnosis from dtucker@zip.com.au
478		481
479	$Id: ChangeLog,v 1.2790 2003/06/06 00:46:04 dtucker Exp $	482	$Id: ChangeLog,v 1.2791 2003/06/10 08:55:22 djm Exp $


diff --git a/README.smartcard b/README.smartcard index 29bec8dc6..7bbb0753b 100644 --- a/README.smartcard +++ b/README.smartcard
@@ -1,54 +1,34 @@
1	How to use smartcards with OpenSSH?	1	How to use smartcards with OpenSSH?
2		2
3	OpenSSH contains experimental support for authentication using Cyberflex	3	OpenSSH contains experimental support for authentication using
4	smartcards and TODOS card readers, in addition to the cards with PKCS#15	4	Cyberflex smartcards and TODOS card readers. To enable this you
5	structure supported by OpenSC.	5	need to:
6		6
7	WARNING: Smartcard support is still in development.	7	(1) enable SMARTCARD support in OpenSSH:
8	Keyfile formats, etc are still subject to change.
9		8
10	To enable sectok support:	9	$ ./configure --with-smartcard [...]
		10	and rebuild
11		11
12	(1) install sectok:	12	(2) If you have used a previous version of ssh with your card, you
13		13	must remove the old applet and keys.
14	Sources and instructions are available from
15	http://www.citi.umich.edu/projects/smartcard/sectok.html
16
17	(2) enable sectok support in OpenSSH:
18
19	$ ./configure --with-sectok[=/path/to/libsectok] [options]
20
21	(3) load the Java Cardlet to the Cyberflex card:
22		14
23	$ sectok	15	$ sectok
24	sectok> login -d	16	sectok> login -d
25	sectok> jload /usr/libdata/ssh/Ssh.bin	17	sectok> junload Ssh.bin
		18	sectok> delete 0012
		19	sectok> delete sh
26	sectok> quit	20	sectok> quit
27		21
28	(4) load a RSA key to the card:	22	(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
29
30	Please don't use your production RSA keys, since
31	with the current version of sectok/ssh-keygen
32	the private key file is still readable.
33
34	$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
35
36	In spite of the name, this does not generate a key.
37	It just loads an already existing key on to the card.
38
39	(5) optional:
40
41	Change the card password so that only you can
42	read the private key:
43		23
44	$ sectok	24	$ sectok
45	sectok> login -d	25	sectok> login -d
		26	sectok> jload /usr/libdata/ssh/Ssh.bin
46	sectok> setpass	27	sectok> setpass
		28	Enter new AUT0 passphrase:
		29	Re-enter passphrase:
47	sectok> quit	30	sectok> quit
48		31
49	This prevents reading the key but not use of the
50	key by the card applet.
51
52	Do not forget the passphrase. There is no way to	32	Do not forget the passphrase. There is no way to
53	recover if you do.	33	recover if you do.
54		34
@@ -56,30 +36,36 @@ To enable sectok support:
56	wrong passphrase three times in a row, you will	36	wrong passphrase three times in a row, you will
57	destroy your card.	37	destroy your card.
58		38
59	To enable OpenSC support:	39	(4) load a RSA key to the card:
60
61	(1) install OpenSC:
62
63	Sources and instructions are available from
64	http://www.opensc.org/
65		40
66	(2) enable OpenSC support in OpenSSH:	41	$ ssh-keygen -f /path/to/rsakey -U 1
		42	(where 1 is the reader number, you can also try 0)
67		43
68	$ ./configure --with-opensc[=/path/to/opensc] [options]	44	In spite of the name, this does not generate a key.
		45	It just loads an already existing key on to the card.
69		46
70	(3) load a RSA key to the card:	47	(5) tell the ssh client to use the card reader:
71		48
72	Not supported yet.	49	$ ssh -I 1 otherhost
73		50
74	Common smartcard options:	51	(6) or tell the agent (don't forget to restart) to use the smartcard:
75		52
76	(1) tell the ssh client to use the card reader:	53	$ ssh-add -s 1
77		54
78	$ ssh -I <readernum, eg. 0> otherhost	55	(7) Optional: If you don't want to use a card passphrase, change the
		56	acl on the private key file:
79		57
80	(2) or tell the agent (don't forget to restart) to use the smartcard:	58	$ sectok
		59	sectok> login -d
		60	sectok> acl 0012 world: w
		61	world: w
		62	AUT0: w inval
		63	sectok> quit
81		64
82	$ ssh-add -s <readernum, eg. 0>	65	If you do this, anyone who has access to your card
		66	can assume your identity. This is not recommended.
83		67
84	-markus,	68	-markus,
85	Sat Apr 13 13:48:10 EEST 2002	69	Tue Jul 17 23:54:51 CEST 2001
		70
		71	$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $