How to use smartcards with OpenSSH?
OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers, in addition to the cards
-with PKCS#15 structure supported by OpenSC. To enable this you
-need to:
+Cyberflex smartcards and TODOS card readers.
-Using libsectok:
+WARNING: Smartcard support is still in development. Keyfile formats, etc
+are still subject to change.
-(1) enable sectok support in OpenSSH:
+To enable this you need to:
- $ ./configure --with-sectok
+(1) install sectok
-(2) If you have used a previous version of ssh with your card, you
- must remove the old applet and keys.
+ Sources are instructions are available from
+ http://www.citi.umich.edu/projects/smartcard/sectok.html
- $ sectok
- sectok> login -d
- sectok> junload Ssh.bin
- sectok> delete 0012
- sectok> delete sh
- sectok> quit
+(2) enable SMARTCARD support in OpenSSH:
+
+ $ ./configure --with-smartcard [options]
-(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
+ You can also specify a path to libsectok:
+
+ $ ./configure --with-smartcard=/path/to/libsectok [options]
+
+(3) load the Java Cardlet to the Cyberflex card:
$ sectok
sectok> login -d
sectok> jload /usr/libdata/ssh/Ssh.bin
- sectok> setpass
- Enter new AUT0 passphrase:
- Re-enter passphrase:
sectok> quit
- Do not forget the passphrase. There is no way to
- recover if you do.
-
- IMPORTANT WARNING: If you attempt to login with the
- wrong passphrase three times in a row, you will
- destroy your card.
-
(4) load a RSA key to the card:
+ please don't use your production RSA keys, since
+ with the current version of sectok/ssh-keygen
+ the private key file is still readable
+
$ ssh-keygen -f /path/to/rsakey -U 1
(where 1 is the reader number, you can also try 0)
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
-(5) Optional: If you don't want to use a card passphrase, change the
- acl on the private key file:
+(5) optional:
+
+ Change the card password so that only you can
+ read the private key:
$ sectok
sectok> login -d
- sectok> acl 0012 world: w
- world: w
- AUT0: w inval
+ sectok> setpass
sectok> quit
- If you do this, anyone who has access to your card
- can assume your identity. This is not recommended.
-
-
-Using OpenSC:
-
-(1) install OpenSC:
-
- Sources and instructions are available from
- http://www.opensc.org/
-
-(2) enable OpenSC support in OpenSSH:
-
- $ ./configure --with-opensc[=/path/to/opensc] [options]
-
-(3) load a RSA key to the card:
-
- Not supported yet.
+ This prevents reading the key but not use of the
+ key by the card applet.
+ Do not forget the passphrase. There is no way to
+ recover if you do.
-Common operations:
+ IMPORTANT WARNING: If you attempt to login with the
+ wrong passphrase three times in a row, you will
+ destroy your card.
-(1) tell the ssh client to use the card reader:
+(6) tell the ssh client to use the card reader:
$ ssh -I 1 otherhost
-(2) or tell the agent (don't forget to restart) to use the smartcard:
+(7) or tell the agent (don't forget to restart) to use the smartcard:
$ ssh-add -s 1
-
-markus,
Tue Jul 17 23:54:51 CEST 2001
-
-$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $