How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

    $ ./configure --with-smartcard [...]
    and rebuild

(2) If you have used a previous version of ssh with your card, you
must remove the old applet and keys.

    $ sectok
    sectok> login -d
    sectok> junload Ssh.bin
    sectok> delete 0012
    sectok> delete sh
    sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

    $ sectok
    sectok> login -d
    sectok> jload /usr/libdata/ssh/Ssh.bin
    sectok> setpass
    Enter new AUT0 passphrase:
    Re-enter passphrase:
    sectok> quit

    Do not forget the passphrase. There is no way to
    recover if you do.

    IMPORTANT WARNING: If you attempt to login with the
    wrong passphrase three times in a row, you will
    destroy your card.

(4) load an RSA key to the card:

    $ ssh-keygen -f /path/to/rsakey -U 1
    (where 1 is the reader number, you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key onto the card.

(5) tell the ssh client to use the card reader:

    $ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart) to use the smartcard:

    $ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
acl on the private key file:

    $ sectok
    sectok> login -d
    sectok> acl 0012 world: w
    world: w
    AUT0: w inval
    sectok> quit

    If you do this, anyone who has access to your card
    can assume your identity. This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
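The following POSIX shell script is an added example, not part of the OpenSSH README or of the OpenSSH project. It wraps steps (2) to (4) above into one re-runnable sequence and adds the checks a practitioner would want before a private key leaves the host: the reader number is limited to the two values the README documents, and the key file must exist and be unreadable by group and others. The function names (valid_reader, key_ok, run, reset_and_load_applet, load_key) and the DRY_RUN variable are mine. It also assumes that sectok accepts on standard input the same commands the README shows being typed interactively; the README only shows the interactive session, so that is an assumption. setpass is deliberately left to the user, because the README shows it prompting for the passphrase.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH README: a wrapper for steps (2)
# to (4). Assumptions (mine, not the README's): `sectok` accepts the same
# commands on standard input that it takes interactively, and DRY_RUN=1
# only prints the commands so the script can be checked on a host without
# a card reader.

# The README documents reader numbers 1 and 0 only; reject anything else
# before a key is sent to an unexpected device.
valid_reader() {
    case "$1" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Only load a private key that exists and is unreadable by group/others.
# Columns 5-10 of `ls -l` are the group and other permission bits; this
# works on both GNU and BSD userlands where `stat` flags differ.
key_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps (2) and (3) without the interactive setpass: remove the old applet
# and key objects, then load the cardlet. Order matters: the old applet is
# unloaded before the new one is loaded.
reset_and_load_applet() {
    applet=${1:-/usr/libdata/ssh/Ssh.bin}
    batch="login -d
junload Ssh.bin
delete 0012
delete sh
jload $applet
quit"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$batch"
        return 0
    fi
    [ -f "$applet" ] || { echo "cardlet not found: $applet" >&2; return 1; }
    # Assumption: sectok reads its command batch from stdin.
    printf '%s\n' "$batch" | sectok
}

# Step (4): copy an existing RSA private key onto the card in the given
# reader. Fails before touching the card if the inputs are not sane.
load_key() {
    reader=$1
    keyfile=$2
    valid_reader "$reader" || { echo "reader must be 0 or 1" >&2; return 2; }
    key_ok "$keyfile" || { echo "key missing or not mode 0600: $keyfile" >&2; return 3; }
    run ssh-keygen -f "$keyfile" -U "$reader"
}

# Usage, e.g. as a dry run: DRY_RUN=1 sh load_card.sh 1 /path/to/rsakey
if [ "$#" -eq 2 ]; then
    reset_and_load_applet && load_key "$1" "$2"
fi
```

Run it first with DRY_RUN=1 to see the exact sectok batch and ssh-keygen command it would issue; without DRY_RUN it executes them. Because the three-strikes rule in step (3) destroys the card, the script never attempts a login with a guessed passphrase: login -d and setpass remain exactly as the README shows them, and anything interactive stays with the user.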