Diffstat (limited to 'README.smartcard')
-rw-r--r-- | README.smartcard | 80 |
1 files changed, 44 insertions, 36 deletions
diff --git a/README.smartcard b/README.smartcard index 29bec8dc6..88810fc83 100644 --- a/README.smartcard +++ b/README.smartcard | |||
@@ -1,62 +1,66 @@ | |||
1 | How to use smartcards with OpenSSH? | 1 | How to use smartcards with OpenSSH? |
2 | 2 | ||
3 | OpenSSH contains experimental support for authentication using Cyberflex | 3 | OpenSSH contains experimental support for authentication using |
4 | smartcards and TODOS card readers, in addition to the cards with PKCS#15 | 4 | Cyberflex smartcards and TODOS card readers, in addition to the cards |
5 | structure supported by OpenSC. | 5 | with PKCS#15 structure supported by OpenSC. To enable this you |
6 | need to: | ||
6 | 7 | ||
7 | WARNING: Smartcard support is still in development. | 8 | Using libsectok: |
8 | Keyfile formats, etc are still subject to change. | ||
9 | 9 | ||
10 | To enable sectok support: | 10 | (1) enable sectok support in OpenSSH: |
11 | 11 | ||
12 | (1) install sectok: | 12 | $ ./configure --with-sectok |
13 | 13 | ||
14 | Sources and instructions are available from | 14 | (2) If you have used a previous version of ssh with your card, you |
15 | http://www.citi.umich.edu/projects/smartcard/sectok.html | 15 | must remove the old applet and keys. |
16 | |||
17 | (2) enable sectok support in OpenSSH: | ||
18 | 16 | ||
19 | $ ./configure --with-sectok[=/path/to/libsectok] [options] | 17 | $ sectok |
18 | sectok> login -d | ||
19 | sectok> junload Ssh.bin | ||
20 | sectok> delete 0012 | ||
21 | sectok> delete sh | ||
22 | sectok> quit | ||
20 | 23 | ||
21 | (3) load the Java Cardlet to the Cyberflex card: | 24 | (3) load the Java Cardlet to the Cyberflex card and set card passphrase: |
22 | 25 | ||
23 | $ sectok | 26 | $ sectok |
24 | sectok> login -d | 27 | sectok> login -d |
25 | sectok> jload /usr/libdata/ssh/Ssh.bin | 28 | sectok> jload /usr/libdata/ssh/Ssh.bin |
29 | sectok> setpass | ||
30 | Enter new AUT0 passphrase: | ||
31 | Re-enter passphrase: | ||
26 | sectok> quit | 32 | sectok> quit |
27 | 33 | ||
28 | (4) load a RSA key to the card: | 34 | Do not forget the passphrase. There is no way to |
35 | recover if you do. | ||
29 | 36 | ||
30 | Please don't use your production RSA keys, since | 37 | IMPORTANT WARNING: If you attempt to login with the |
31 | with the current version of sectok/ssh-keygen | 38 | wrong passphrase three times in a row, you will |
32 | the private key file is still readable. | 39 | destroy your card. |
33 | 40 | ||
34 | $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> | 41 | (4) load a RSA key to the card: |
42 | |||
43 | $ ssh-keygen -f /path/to/rsakey -U 1 | ||
44 | (where 1 is the reader number, you can also try 0) | ||
35 | 45 | ||
36 | In spite of the name, this does not generate a key. | 46 | In spite of the name, this does not generate a key. |
37 | It just loads an already existing key on to the card. | 47 | It just loads an already existing key on to the card. |
38 | 48 | ||
39 | (5) optional: | 49 | (5) Optional: If you don't want to use a card passphrase, change the |
40 | 50 | acl on the private key file: | |
41 | Change the card password so that only you can | ||
42 | read the private key: | ||
43 | 51 | ||
44 | $ sectok | 52 | $ sectok |
45 | sectok> login -d | 53 | sectok> login -d |
46 | sectok> setpass | 54 | sectok> acl 0012 world: w |
55 | world: w | ||
56 | AUT0: w inval | ||
47 | sectok> quit | 57 | sectok> quit |
48 | 58 | ||
49 | This prevents reading the key but not use of the | 59 | If you do this, anyone who has access to your card |
50 | key by the card applet. | 60 | can assume your identity. This is not recommended. |
51 | |||
52 | Do not forget the passphrase. There is no way to | ||
53 | recover if you do. | ||
54 | 61 | ||
55 | IMPORTANT WARNING: If you attempt to login with the | ||
56 | wrong passphrase three times in a row, you will | ||
57 | destroy your card. | ||
58 | 62 | ||
59 | To enable OpenSC support: | 63 | Using OpenSC: |
60 | 64 | ||
61 | (1) install OpenSC: | 65 | (1) install OpenSC: |
62 | 66 | ||
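Review bot: the rewritten "Using libsectok:" section drops the old step "(1) install sectok" together with the pointer to http://www.citi.umich.edu/projects/smartcard/sectok.html, so a reader of the new text is told to run ./configure --with-sectok without being told where libsectok comes from, while the "Using OpenSC:" section in the same file still keeps its "(1) install OpenSC:" step; keep the install step and URL (renumbering the steps) or add a one-line pointer above "(1) enable sectok support in OpenSSH:". Two other caveats disappear without replacement: "WARNING: Smartcard support is still in development. Keyfile formats, etc are still subject to change." and "Please don't use your production RSA keys, since with the current version of sectok/ssh-keygen the private key file is still readable." If the key-file readability problem is fixed, say so in the commit message; otherwise the second warning should stay next to step (4). Minor: the --with-sectok[=/path/to/libsectok] form is replaced by a bare --with-sectok, so the new text no longer shows how to point configure at a non-default libsectok location.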
@@ -71,15 +75,19 @@ To enable OpenSC support: | |||
71 | 75 | ||
72 | Not supported yet. | 76 | Not supported yet. |
73 | 77 | ||
74 | Common smartcard options: | 78 | |
79 | Common operations: | ||
75 | 80 | ||
76 | (1) tell the ssh client to use the card reader: | 81 | (1) tell the ssh client to use the card reader: |
77 | 82 | ||
78 | $ ssh -I <readernum, eg. 0> otherhost | 83 | $ ssh -I 1 otherhost |
79 | 84 | ||
80 | (2) or tell the agent (don't forget to restart) to use the smartcard: | 85 | (2) or tell the agent (don't forget to restart) to use the smartcard: |
81 | 86 | ||
82 | $ ssh-add -s <readernum, eg. 0> | 87 | $ ssh-add -s 1 |
88 | |||
83 | 89 | ||
84 | -markus, | 90 | -markus, |
85 | Sat Apr 13 13:48:10 EEST 2002 | 91 | Tue Jul 17 23:54:51 CEST 2001 |
92 | |||
93 | $OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ | ||
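Review bot: the signature date moves backwards, from "Sat Apr 13 13:48:10 EEST 2002" to "Tue Jul 17 23:54:51 CEST 2001", while the added "$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $" id dates the revision to March 2002; the July 2001 line looks like a stale upstream date that should be refreshed rather than copied over the newer one. Style: the added blank line 78 before "Common operations:" and the added blank line 88 after "$ ssh-add -s 1" each produce two consecutive empty lines, which the rest of the file does not use; drop one of each.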