[openssh.git] / README.smartcard

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ ./configure --with-smartcard [...]
	and rebuild

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase: 
	Re-enter passphrase: 
	sectok> quit

	Do not forget the passphrase.  There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to login with the
	wrong passphrase three times in a row, you will
	destroy your card.

(4) load a RSA key to the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number, you can also try 0)

	In spite of the name, this does not generate a key.
	It just loads an already existing key on to the card.

(5) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w 
	 world: w 
	 AUT0: w inval 
	sectok> quit

	If you do this, anyone who has access to your card
	can assume your identity.  This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
Commit	Line	Data
93816ec8	1	How to use smartcards with OpenSSH?
93816ec8	2
8a547250	3	OpenSSH contains experimental support for authentication using
	4	Cyberflex smartcards and TODOS card readers. To enable this you
	5	need to:
6877d8b9	6
8a547250	7	(1) enable SMARTCARD support in OpenSSH:
6877d8b9	8
8a547250	9	$ ./configure --with-smartcard [...]
8a547250	10	and rebuild
93816ec8	11
8a547250	12	(2) If you have used a previous version of ssh with your card, you
8a547250	13	must remove the old applet and keys.
93816ec8	14
	15	$ sectok
	16	sectok> login -d
8a547250	17	sectok> junload Ssh.bin
	18	sectok> delete 0012
	19	sectok> delete sh
93816ec8	20	sectok> quit
93816ec8	21
8a547250	22	(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
93816ec8	23
	24	$ sectok
	25	sectok> login -d
8a547250	26	sectok> jload /usr/libdata/ssh/Ssh.bin
93816ec8	27	sectok> setpass
8a547250	28	Enter new AUT0 passphrase:
8a547250	29	Re-enter passphrase:
93816ec8	30	sectok> quit
93816ec8	31
93816ec8	32	Do not forget the passphrase. There is no way to
	33	recover if you do.
	34
	35	IMPORTANT WARNING: If you attempt to login with the
	36	wrong passphrase three times in a row, you will
	37	destroy your card.
	38
8a547250	39	(4) load a RSA key to the card:
49ef62db	40
8a547250	41	$ ssh-keygen -f /path/to/rsakey -U 1
8a547250	42	(where 1 is the reader number, you can also try 0)
49ef62db	43
8a547250	44	In spite of the name, this does not generate a key.
8a547250	45	It just loads an already existing key on to the card.
49ef62db	46
8a547250	47	(5) tell the ssh client to use the card reader:
49ef62db	48
8a547250	49	$ ssh -I 1 otherhost
49ef62db	50
8a547250	51	(6) or tell the agent (don't forget to restart) to use the smartcard:
49ef62db	52
8a547250	53	$ ssh-add -s 1
93816ec8	54
8a547250	55	(7) Optional: If you don't want to use a card passphrase, change the
8a547250	56	acl on the private key file:
93816ec8	57
8a547250	58	$ sectok
	59	sectok> login -d
	60	sectok> acl 0012 world: w
	61	world: w
	62	AUT0: w inval
	63	sectok> quit
93816ec8	64
8a547250	65	If you do this, anyone who has access to your card
8a547250	66	can assume your identity. This is not recommended.
93816ec8	67
93816ec8	68	-markus,
8a547250	69	Tue Jul 17 23:54:51 CEST 2001
	70
	71	$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $