How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using Cyberflex
-smartcards and TODOS card readers, in addition to the cards with PKCS#15
-structure supported by OpenSC.
+OpenSSH contains experimental support for authentication using
+Cyberflex smartcards and TODOS card readers.
-WARNING: Smartcard support is still in development.
-Keyfile formats, etc are still subject to change.
+WARNING: Smartcard support is still in development. Keyfile formats, etc
+are still subject to change.
-To enable sectok support:
+To enable this you need to:
-(1) install sectok:
+(1) install sectok
- Sources and instructions are available from
+ Sources are instructions are available from
http://www.citi.umich.edu/projects/smartcard/sectok.html
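Review bot: the added line "Sources are instructions are available from" contains a typo; it should read "Sources and instructions are available from", exactly as the removed line above it did. Separately, the added description drops the sentence about cards with PKCS#15 structure supported by OpenSC, and later parts of this patch also remove the OpenSC build option, so the commit message should state plainly that OpenSC support is being removed, otherwise the change reads like an accidental revert to the sectok-only text.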
-(2) enable sectok support in OpenSSH:
+(2) enable SMARTCARD support in OpenSSH:
- $ ./configure --with-sectok[=/path/to/libsectok] [options]
+ $ ./configure --with-smartcard [options]
+
+ You can also specify a path to libsectok:
+
+ $ ./configure --with-smartcard=/path/to/libsectok [options]
(3) load the Java Cardlet to the Cyberflex card:
(4) load a RSA key to the card:
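Review bot: the build option is renamed from `--with-sectok[=/path/to/libsectok]` to `--with-smartcard` (with a separate `--with-smartcard=/path/to/libsectok` form), so please confirm the configure script in this tree actually accepts `--with-smartcard` and its `=path` variant before this documentation lands, or step (2) will fail for anyone following it. Also, step (3) "load the Java Cardlet to the Cyberflex card:" ends in a colon but nothing follows it in either version; either add the loading instructions or drop the trailing colon so the step does not look truncated.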
- Please don't use your production RSA keys, since
+ please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
- the private key file is still readable.
+ the private key file is still readable
- $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
+ $ ssh-keygen -f /path/to/rsakey -U 1
+ (where 1 is the reader number, you can also try 0)
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
wrong passphrase three times in a row, you will
destroy your card.
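Review bot: replacing the placeholder `-U <readernum, eg. 0>` with the literal `-U 1` and the aside "(where 1 is the reader number, you can also try 0)" makes a site-specific value look like a fixed one; keep a placeholder such as `<readernum>` and explain that it is the card reader's index. The warning that the private key file remains readable with the current sectok/ssh-keygen is the security-relevant part of this step and should not be weakened: the added lines lower-case "Please" and drop the final full stop, so restore the original wording, and keep the advice to use a dedicated key rather than a production key next to the command. Finally, the unchanged text "wrong passphrase three times in a row, you will destroy your card." begins mid-sentence; its opening clause is not in the shown context and should be checked in the full file.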
-To enable OpenSC support:
-
-(1) install OpenSC:
-
- Sources and instructions are available from
- http://www.opensc.org/
-
-(2) enable OpenSC support in OpenSSH:
-
- $ ./configure --with-opensc[=/path/to/opensc] [options]
-
-(3) load a RSA key to the card:
-
- Not supported yet.
-
-Common smartcard options:
-
-(1) tell the ssh client to use the card reader:
+(6) tell the ssh client to use the card reader:
- $ ssh -I <readernum, eg. 0> otherhost
+ $ ssh -I 1 otherhost
-(2) or tell the agent (don't forget to restart) to use the smartcard:
+(7) or tell the agent (don't forget to restart) to use the smartcard:
- $ ssh-add -s <readernum, eg. 0>
+ $ ssh-add -s 1
-markus,
-Sat Apr 13 13:48:10 EEST 2002
+Tue Jul 17 23:54:51 CEST 2001
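Review bot: the added lines renumber the client and agent steps to (6) and (7), but the preceding steps in the added version only run (1) to (4), so (5) is missing; either renumber these to (5) and (6) or keep the removed "Common smartcard options:" subsection with its own (1)/(2) numbering. The same point about literal reader numbers applies to `ssh -I 1 otherhost` and `ssh-add -s 1`: a placeholder is clearer than a value that differs per machine. This hunk also deletes the whole OpenSC section, including `--with-opensc[=/path/to/opensc]`, and replaces the 2002 signature and date with an earlier 2001 date, which looks like a reversal of a later edit rather than a forward change; the commit message should say which version is intended to be current.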