summaryrefslogtreecommitdiff
path: root/README.smartcard
diff options
context:
space:
mode:
Diffstat (limited to 'README.smartcard')
-rw-r--r--README.smartcard88
1 files changed, 37 insertions, 51 deletions
diff --git a/README.smartcard b/README.smartcard
index 29bec8dc6..7bbb0753b 100644
--- a/README.smartcard
+++ b/README.smartcard
@@ -1,54 +1,34 @@
1How to use smartcards with OpenSSH? 1How to use smartcards with OpenSSH?
2 2
3OpenSSH contains experimental support for authentication using Cyberflex 3OpenSSH contains experimental support for authentication using
4smartcards and TODOS card readers, in addition to the cards with PKCS#15 4Cyberflex smartcards and TODOS card readers. To enable this you
5structure supported by OpenSC. 5need to:
6 6
7WARNING: Smartcard support is still in development. 7(1) enable SMARTCARD support in OpenSSH:
8Keyfile formats, etc are still subject to change.
9 8
10To enable sectok support: 9 $ ./configure --with-smartcard [...]
10 and rebuild
11 11
12(1) install sectok: 12(2) If you have used a previous version of ssh with your card, you
13 13 must remove the old applet and keys.
14 Sources and instructions are available from
15 http://www.citi.umich.edu/projects/smartcard/sectok.html
16
17(2) enable sectok support in OpenSSH:
18
19 $ ./configure --with-sectok[=/path/to/libsectok] [options]
20
21(3) load the Java Cardlet to the Cyberflex card:
22 14
23 $ sectok 15 $ sectok
24 sectok> login -d 16 sectok> login -d
25 sectok> jload /usr/libdata/ssh/Ssh.bin 17 sectok> junload Ssh.bin
18 sectok> delete 0012
19 sectok> delete sh
26 sectok> quit 20 sectok> quit
27 21
28(4) load a RSA key to the card: 22(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
29
30 Please don't use your production RSA keys, since
31 with the current version of sectok/ssh-keygen
32 the private key file is still readable.
33
34 $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
35
36 In spite of the name, this does not generate a key.
37 It just loads an already existing key on to the card.
38
39(5) optional:
40
41 Change the card password so that only you can
42 read the private key:
43 23
44 $ sectok 24 $ sectok
45 sectok> login -d 25 sectok> login -d
26 sectok> jload /usr/libdata/ssh/Ssh.bin
46 sectok> setpass 27 sectok> setpass
28 Enter new AUT0 passphrase:
29 Re-enter passphrase:
47 sectok> quit 30 sectok> quit
48 31
49 This prevents reading the key but not use of the
50 key by the card applet.
51
52 Do not forget the passphrase. There is no way to 32 Do not forget the passphrase. There is no way to
53 recover if you do. 33 recover if you do.
54 34
@@ -56,30 +36,36 @@ To enable sectok support:
56 wrong passphrase three times in a row, you will 36 wrong passphrase three times in a row, you will
57 destroy your card. 37 destroy your card.
58 38
59To enable OpenSC support: 39(4) load a RSA key to the card:
60
61(1) install OpenSC:
62
63 Sources and instructions are available from
64 http://www.opensc.org/
65 40
66(2) enable OpenSC support in OpenSSH: 41 $ ssh-keygen -f /path/to/rsakey -U 1
42 (where 1 is the reader number, you can also try 0)
67 43
68 $ ./configure --with-opensc[=/path/to/opensc] [options] 44 In spite of the name, this does not generate a key.
45 It just loads an already existing key on to the card.
69 46
70(3) load a RSA key to the card: 47(5) tell the ssh client to use the card reader:
71 48
72 Not supported yet. 49 $ ssh -I 1 otherhost
73 50
74Common smartcard options: 51(6) or tell the agent (don't forget to restart) to use the smartcard:
75 52
76(1) tell the ssh client to use the card reader: 53 $ ssh-add -s 1
77 54
78 $ ssh -I <readernum, eg. 0> otherhost 55(7) Optional: If you don't want to use a card passphrase, change the
56 acl on the private key file:
79 57
80(2) or tell the agent (don't forget to restart) to use the smartcard: 58 $ sectok
59 sectok> login -d
60 sectok> acl 0012 world: w
61 world: w
62 AUT0: w inval
63 sectok> quit
81 64
82 $ ssh-add -s <readernum, eg. 0> 65 If you do this, anyone who has access to your card
66 can assume your identity. This is not recommended.
83 67
84-markus, 68-markus,
85Sat Apr 13 13:48:10 EEST 2002 69Tue Jul 17 23:54:51 CEST 2001
70
71$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $