1 files changed, 44 insertions, 36 deletions
diff --git a/README.smartcard b/README.smartcard
index 29bec8dc6..88810fc83 100644
--- a/README.smartcard
+++ b/README.smartcard
@@ -1,62 +1,66 @@
 How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using Cyberflex
+OpenSSH contains experimental support for authentication using
-smartcards and TODOS card readers, in addition to the cards with PKCS#15
+Cyberflex smartcards and TODOS card readers, in addition to the cards 
-structure supported by OpenSC.
+with PKCS#15 structure supported by OpenSC. To enable this you
+need to:
-WARNING: Smartcard support is still in development.
+Using libsectok:
-Keyfile formats, etc are still subject to change.
-To enable sectok support:
+(1) enable sectok support in OpenSSH:
-(1) install sectok:
+        $ ./configure --with-sectok
-        Sources and instructions are available from
+(2) If you have used a previous version of ssh with your card, you
-        http://www.citi.umich.edu/projects/smartcard/sectok.html
+    must remove the old applet and keys.
-(2) enable sectok support in OpenSSH:
-        $ ./configure --with-sectok[=/path/to/libsectok] [options]
+        $ sectok
+        sectok> login -d
+        sectok> junload Ssh.bin
+        sectok> delete 0012
+        sectok> delete sh
+        sectok> quit
-(3) load the Java Cardlet to the Cyberflex card:
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
        $ sectok
        sectok> login -d
        sectok> jload /usr/libdata/ssh/Ssh.bin
+        sectok> setpass
+        Enter new AUT0 passphrase: 
+        Re-enter passphrase: 
        sectok> quit
-(4) load a RSA key to the card:
+        Do not forget the passphrase.  There is no way to
+        recover if you do.
-        Please don't use your production RSA keys, since
+        IMPORTANT WARNING: If you attempt to login with the
-        with the current version of sectok/ssh-keygen
+        wrong passphrase three times in a row, you will
-        the private key file is still readable.
+        destroy your card.
-        $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
+(4) load a RSA key to the card:
+        $ ssh-keygen -f /path/to/rsakey -U 1
+        (where 1 is the reader number, you can also try 0)
        In spite of the name, this does not generate a key.
        It just loads an already existing key on to the card.
-(5) optional:
+(5) Optional: If you don't want to use a card passphrase, change the
+    acl on the private key file:
-        Change the card password so that only you can
-        read the private key:
        $ sectok
        sectok> login -d
-        sectok> setpass
+        sectok> acl 0012 world: w 
+         world: w 
+         AUT0: w inval 
        sectok> quit
-        This prevents reading the key but not use of the
+        If you do this, anyone who has access to your card
-        key by the card applet.
+        can assume your identity.  This is not recommended.
-        Do not forget the passphrase.  There is no way to
-        recover if you do.
-        IMPORTANT WARNING: If you attempt to login with the
-        wrong passphrase three times in a row, you will
-        destroy your card.
-To enable OpenSC support:
+Using OpenSC:
 (1) install OpenSC:
@@ -71,15 +75,19 @@ To enable OpenSC support:
        Not supported yet.
-Common smartcard options:
+Common operations:
 (1) tell the ssh client to use the card reader:
-        $ ssh -I <readernum, eg. 0> otherhost
+        $ ssh -I 1 otherhost
 (2) or tell the agent (don't forget to restart) to use the smartcard:
-        $ ssh-add -s <readernum, eg. 0>
+        $ ssh-add -s 1
 -markus,
-Sat Apr 13 13:48:10 EEST 2002
+Tue Jul 17 23:54:51 CEST 2001
+$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $

diff --git a/README.smartcard b/README.smartcard index 29bec8dc6..88810fc83 100644 --- a/README.smartcard +++ b/README.smartcard
@@ -1,62 +1,66 @@
1	How to use smartcards with OpenSSH?	1	How to use smartcards with OpenSSH?
2		2
3	OpenSSH contains experimental support for authentication using Cyberflex	3	OpenSSH contains experimental support for authentication using
4	smartcards and TODOS card readers, in addition to the cards with PKCS#15	4	Cyberflex smartcards and TODOS card readers, in addition to the cards
5	structure supported by OpenSC.	5	with PKCS#15 structure supported by OpenSC. To enable this you
		6	need to:
6		7
7	WARNING: Smartcard support is still in development.	8	Using libsectok:
8	Keyfile formats, etc are still subject to change.
9		9
10	To enable sectok support:	10	(1) enable sectok support in OpenSSH:
11		11
12	(1) install sectok:	12	$ ./configure --with-sectok
13		13
14	Sources and instructions are available from	14	(2) If you have used a previous version of ssh with your card, you
15	http://www.citi.umich.edu/projects/smartcard/sectok.html	15	must remove the old applet and keys.
16
17	(2) enable sectok support in OpenSSH:
18		16
19	$ ./configure --with-sectok[=/path/to/libsectok] [options]	17	$ sectok
		18	sectok> login -d
		19	sectok> junload Ssh.bin
		20	sectok> delete 0012
		21	sectok> delete sh
		22	sectok> quit
20		23
21	(3) load the Java Cardlet to the Cyberflex card:	24	(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
22		25
23	$ sectok	26	$ sectok
24	sectok> login -d	27	sectok> login -d
25	sectok> jload /usr/libdata/ssh/Ssh.bin	28	sectok> jload /usr/libdata/ssh/Ssh.bin
		29	sectok> setpass
		30	Enter new AUT0 passphrase:
		31	Re-enter passphrase:
26	sectok> quit	32	sectok> quit
27		33
28	(4) load a RSA key to the card:	34	Do not forget the passphrase. There is no way to
		35	recover if you do.
29		36
30	Please don't use your production RSA keys, since	37	IMPORTANT WARNING: If you attempt to login with the
31	with the current version of sectok/ssh-keygen	38	wrong passphrase three times in a row, you will
32	the private key file is still readable.	39	destroy your card.
33		40
34	$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>	41	(4) load a RSA key to the card:
		42
		43	$ ssh-keygen -f /path/to/rsakey -U 1
		44	(where 1 is the reader number, you can also try 0)
35		45
36	In spite of the name, this does not generate a key.	46	In spite of the name, this does not generate a key.
37	It just loads an already existing key on to the card.	47	It just loads an already existing key on to the card.
38		48
39	(5) optional:	49	(5) Optional: If you don't want to use a card passphrase, change the
40		50	acl on the private key file:
41	Change the card password so that only you can
42	read the private key:
43		51
44	$ sectok	52	$ sectok
45	sectok> login -d	53	sectok> login -d
46	sectok> setpass	54	sectok> acl 0012 world: w
		55	world: w
		56	AUT0: w inval
47	sectok> quit	57	sectok> quit
48		58
49	This prevents reading the key but not use of the	59	If you do this, anyone who has access to your card
50	key by the card applet.	60	can assume your identity. This is not recommended.
51
52	Do not forget the passphrase. There is no way to
53	recover if you do.
54		61
55	IMPORTANT WARNING: If you attempt to login with the
56	wrong passphrase three times in a row, you will
57	destroy your card.
58		62
59	To enable OpenSC support:	63	Using OpenSC:
60		64
61	(1) install OpenSC:	65	(1) install OpenSC:
62		66
@@ -71,15 +75,19 @@ To enable OpenSC support:
71		75
72	Not supported yet.	76	Not supported yet.
73		77
74	Common smartcard options:	78
		79	Common operations:
75		80
76	(1) tell the ssh client to use the card reader:	81	(1) tell the ssh client to use the card reader:
77		82
78	$ ssh -I <readernum, eg. 0> otherhost	83	$ ssh -I 1 otherhost
79		84
80	(2) or tell the agent (don't forget to restart) to use the smartcard:	85	(2) or tell the agent (don't forget to restart) to use the smartcard:
81		86
82	$ ssh-add -s <readernum, eg. 0>	87	$ ssh-add -s 1
		88
83		89
84	-markus,	90	-markus,
85	Sat Apr 13 13:48:10 EEST 2002	91	Tue Jul 17 23:54:51 CEST 2001
		92
		93	$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $