Diffstat (limited to 'README.smartcard')
-rw-r--r--  README.smartcard  88
1 file changed, 37 insertions, 51 deletions
diff --git a/README.smartcard b/README.smartcard index 29bec8dc6..7bbb0753b 100644 --- a/README.smartcard +++ b/README.smartcard | |||
@@ -1,54 +1,34 @@ | |||
1 | How to use smartcards with OpenSSH? | 1 | How to use smartcards with OpenSSH? |
2 | 2 | ||
3 | OpenSSH contains experimental support for authentication using Cyberflex | 3 | OpenSSH contains experimental support for authentication using |
4 | smartcards and TODOS card readers, in addition to the cards with PKCS#15 | 4 | Cyberflex smartcards and TODOS card readers. To enable this you |
5 | structure supported by OpenSC. | 5 | need to: |
6 | 6 | ||
7 | WARNING: Smartcard support is still in development. | 7 | (1) enable SMARTCARD support in OpenSSH: |
8 | Keyfile formats, etc are still subject to change. | ||
9 | 8 | ||
10 | To enable sectok support: | 9 | $ ./configure --with-smartcard [...] |
10 | and rebuild | ||
11 | 11 | ||
12 | (1) install sectok: | 12 | (2) If you have used a previous version of ssh with your card, you |
13 | 13 | must remove the old applet and keys. | |
14 | Sources and instructions are available from | ||
15 | http://www.citi.umich.edu/projects/smartcard/sectok.html | ||
16 | |||
17 | (2) enable sectok support in OpenSSH: | ||
18 | |||
19 | $ ./configure --with-sectok[=/path/to/libsectok] [options] | ||
20 | |||
21 | (3) load the Java Cardlet to the Cyberflex card: | ||
22 | 14 | ||
23 | $ sectok | 15 | $ sectok |
24 | sectok> login -d | 16 | sectok> login -d |
25 | sectok> jload /usr/libdata/ssh/Ssh.bin | 17 | sectok> junload Ssh.bin |
18 | sectok> delete 0012 | ||
19 | sectok> delete sh | ||
26 | sectok> quit | 20 | sectok> quit |
27 | 21 | ||
28 | (4) load a RSA key to the card: | 22 | (3) load the Java Cardlet to the Cyberflex card and set card passphrase: |
29 | |||
30 | Please don't use your production RSA keys, since | ||
31 | with the current version of sectok/ssh-keygen | ||
32 | the private key file is still readable. | ||
33 | |||
34 | $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> | ||
35 | |||
36 | In spite of the name, this does not generate a key. | ||
37 | It just loads an already existing key on to the card. | ||
38 | |||
39 | (5) optional: | ||
40 | |||
41 | Change the card password so that only you can | ||
42 | read the private key: | ||
43 | 23 | ||
44 | $ sectok | 24 | $ sectok |
45 | sectok> login -d | 25 | sectok> login -d |
26 | sectok> jload /usr/libdata/ssh/Ssh.bin | ||
46 | sectok> setpass | 27 | sectok> setpass |
28 | Enter new AUT0 passphrase: | ||
29 | Re-enter passphrase: | ||
47 | sectok> quit | 30 | sectok> quit |
48 | 31 | ||
49 | This prevents reading the key but not use of the | ||
50 | key by the card applet. | ||
51 | |||
52 | Do not forget the passphrase. There is no way to | 32 | Do not forget the passphrase. There is no way to |
53 | recover if you do. | 33 | recover if you do. |
54 | 34 | ||
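Review bot: Two security caveats are dropped from this hunk with nothing replacing them: the warning not to load production RSA keys because the private key file on the card is still readable (left lines 30-32), and the note that the card passphrase prevents reading the key but not its use by the applet (left lines 49-50). The new text moves "setpass" ahead of loading the key (right lines 22-30) but never says what the AUT0 passphrase does and does not protect; keep one sentence to that effect next to "Do not forget the passphrase." The new step (2) also tells the user to run "sectok> delete 0012" and "sectok> delete sh" without saying what those objects are; a short note that 0012 is the private key file (the same file whose ACL step (7) later changes) would make it clear why the deletion is required after an upgrade. Finally, the intro silently loses the OpenSC/PKCS#15 alternative (left lines 4-5), the sectok download URL (left lines 14-15) and the "--with-sectok[=/path/to/libsectok]" configure flag in favour of "--with-smartcard"; if the build system really changed, say so in the commit message, otherwise this looks like an older revision being reapplied.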
@@ -56,30 +36,36 @@ To enable sectok support: | |||
56 | wrong passphrase three times in a row, you will | 36 | wrong passphrase three times in a row, you will |
57 | destroy your card. | 37 | destroy your card. |
58 | 38 | ||
59 | To enable OpenSC support: | 39 | (4) load a RSA key to the card: |
60 | |||
61 | (1) install OpenSC: | ||
62 | |||
63 | Sources and instructions are available from | ||
64 | http://www.opensc.org/ | ||
65 | 40 | ||
66 | (2) enable OpenSC support in OpenSSH: | 41 | $ ssh-keygen -f /path/to/rsakey -U 1 |
42 | (where 1 is the reader number, you can also try 0) | ||
67 | 43 | ||
68 | $ ./configure --with-opensc[=/path/to/opensc] [options] | 44 | In spite of the name, this does not generate a key. |
45 | It just loads an already existing key on to the card. | ||
69 | 46 | ||
70 | (3) load a RSA key to the card: | 47 | (5) tell the ssh client to use the card reader: |
71 | 48 | ||
72 | Not supported yet. | 49 | $ ssh -I 1 otherhost |
73 | 50 | ||
74 | Common smartcard options: | 51 | (6) or tell the agent (don't forget to restart) to use the smartcard: |
75 | 52 | ||
76 | (1) tell the ssh client to use the card reader: | 53 | $ ssh-add -s 1 |
77 | 54 | ||
78 | $ ssh -I <readernum, eg. 0> otherhost | 55 | (7) Optional: If you don't want to use a card passphrase, change the |
56 | acl on the private key file: | ||
79 | 57 | ||
80 | (2) or tell the agent (don't forget to restart) to use the smartcard: | 58 | $ sectok |
59 | sectok> login -d | ||
60 | sectok> acl 0012 world: w | ||
61 | world: w | ||
62 | AUT0: w inval | ||
63 | sectok> quit | ||
81 | 64 | ||
82 | $ ssh-add -s <readernum, eg. 0> | 65 | If you do this, anyone who has access to your card |
66 | can assume your identity. This is not recommended. | ||
83 | 67 | ||
84 | -markus, | 68 | -markus, |
85 | Sat Apr 13 13:48:10 EEST 2002 | 69 | Tue Jul 17 23:54:51 CEST 2001 |
70 | |||
71 | $OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ | ||
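Review bot: The sign-off date runs backwards, from Sat Apr 13 13:48:10 EEST 2002 (left line 85) to Tue Jul 17 23:54:51 CEST 2001 (right line 69), while the added RCS line claims revision 1.8 dated 2002/03/26 (right line 71); the new side is therefore internally inconsistent, and together with the removal of the entire OpenSC section (left lines 59-72) this reads like an older README being applied over a newer one rather than a forward edit. Confirm the direction of this diff before merging. On the content itself: the new step (7) documents how to remove the passphrase requirement by setting the ACL on 0012 to "world: w" and carries a correct warning that anyone holding the card can then assume your identity (right lines 65-66); since this step only weakens protection, consider stating up front that it is a convenience trade-off so readers do not follow it by default. The reader-number guidance "(where 1 is the reader number, you can also try 0)" (right line 42) is guesswork; the document should say how to determine the reader number rather than suggesting trial and error for both "ssh -I" and "ssh-add -s".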