Commit 3c0ef626

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers.

WARNING: Smartcard support is still in development. Keyfile formats, etc.
are still subject to change.

To enable this you need to:

(1) install sectok

    Sources and instructions are available from
    http://www.citi.umich.edu/projects/smartcard/sectok.html

(2) enable SMARTCARD support in OpenSSH:

    $ ./configure --with-smartcard [options]

    You can also specify a path to libsectok:

    $ ./configure --with-smartcard=/path/to/libsectok [options]

(3) load the Java Cardlet to the Cyberflex card:

    $ sectok
    sectok> login -d
    sectok> jload /usr/libdata/ssh/Ssh.bin
    sectok> quit

(4) load an RSA key to the card:

    please don't use your production RSA keys, since
    with the current version of sectok/ssh-keygen
    the private key file is still readable

    $ ssh-keygen -f /path/to/rsakey -U 1
    (where 1 is the reader number, you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key onto the card.

(5) optional:

    Change the card password so that only you can
    read the private key:

    $ sectok
    sectok> login -d
    sectok> setpass
    sectok> quit

    This prevents reading the key but not use of the
    key by the card applet.

    Do not forget the passphrase. There is no way to
    recover if you do.

    IMPORTANT WARNING: If you attempt to login with the
    wrong passphrase three times in a row, you will
    destroy your card.

(6) tell the ssh client to use the card reader:

    $ ssh -I 1 otherhost

(7) or tell the agent (don't forget to restart) to use the smartcard:

    $ ssh-add -s 1

-markus,
Tue Jul 17 23:54:51 CEST 2001
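The following POSIX shell script is an added example and is not part of the OpenSSH README or the project's own tooling. It drives steps (3), (4), (5) and (7) of the procedure above with the checks a careful user would want first: the reader number must be 0 or 1, the key must not be one of the usual production key paths and must not be readable by other users (the README warns that the loaded key stays readable from the card until the card password is changed), and sectok must be installed. The function names, the DRY_RUN variable, and the temporary key path in the usage line are assumptions of this example; the sectok, ssh-keygen and ssh-add invocations are exactly those given in the README.

```shell
#!/bin/sh
# Added example (not from the OpenSSH README). Provisions a Cyberflex card
# following the README's steps, with prerequisite checks. Assumes sectok and
# an OpenSSH built with --with-smartcard are installed. When DRY_RUN is set,
# the card-touching commands are printed but not executed.

valid_reader() {
  # The README says the reader number is 1, "you can also try 0".
  case "$1" in 0|1) return 0 ;; *) return 1 ;; esac
}

safe_key() {
  # Refuse the default production key paths: the README asks for a
  # dedicated key because the loaded key is still readable from the card.
  case "$1" in */.ssh/id_rsa|*/.ssh/id_dsa) return 1 ;; esac
  [ -f "$1" ] || return 1
  # Refuse a key file readable by "other" users (mode has the 0004 bit).
  [ -z "$(find "$1" -perm -004 2>/dev/null)" ] || return 1
  return 0
}

run_cmd() {
  # Echo the command; execute it only when DRY_RUN is unset.
  printf '+ %s\n' "$*"
  [ -n "${DRY_RUN:-}" ] || "$@"
}

provision_card() {
  # usage: provision_card /path/to/rsakey [reader]   (reader defaults to 1)
  key=$1
  reader=${2:-1}
  valid_reader "$reader" || { echo "reader must be 0 or 1" >&2; return 2; }
  safe_key "$key" || { echo "refusing $key: use a dedicated key, not readable by others" >&2; return 2; }
  if [ -z "${DRY_RUN:-}" ]; then
    command -v sectok >/dev/null 2>&1 || { echo "sectok not installed (step 1)" >&2; return 2; }
  fi

  # Step (3): load the Java Cardlet onto the card.
  printf '%s\n' 'login -d' 'jload /usr/libdata/ssh/Ssh.bin' 'quit' | run_cmd sectok || return 1

  # Step (4): copy the existing RSA key onto the card (this does not generate one).
  run_cmd ssh-keygen -f "$key" -U "$reader" || return 1

  # Step (5): set the card password so the key can no longer be read back.
  # Remember it: three wrong logins in a row destroy the card.
  printf '%s\n' 'login -d' 'setpass' 'quit' | run_cmd sectok || return 1

  # Step (7): hand the card to the (already restarted) agent.
  run_cmd ssh-add -s "$reader" || return 1

  echo "done; use: ssh -I $reader otherhost"
  return 0
}

# Example invocation (assumed path): DRY_RUN=1 provision_card /tmp/smartcard-test-key 1
```

Run it with DRY_RUN=1 first to see the exact command sequence for your key and reader; the agent restart in step (7) is not automated, so do that before running without DRY_RUN.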