How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers, in addition to the cards
with PKCS#15 structure supported by OpenSC. To enable this you
need to:

Using libsectok:

(1) enable sectok support in OpenSSH:

	$ ./configure --with-sectok

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set the card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase:
	Re-enter passphrase:
	sectok> quit

    Do not forget the passphrase. There is no way to
    recover if you do.

    IMPORTANT WARNING: If you attempt to login with the
    wrong passphrase three times in a row, you will
    destroy your card.

(4) load an RSA key to the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number; you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key onto the card.

(5) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w
	world: w
	AUT0: w inval
	sectok> quit

    If you do this, anyone who has access to your card
    can assume your identity. This is not recommended.


Using OpenSC:

(1) install OpenSC:

    Sources and instructions are available from
    http://www.opensc.org/

(2) enable OpenSC support in OpenSSH:

	$ ./configure --with-opensc[=/path/to/opensc] [options]

(3) load an RSA key to the card:

    Not supported yet.


Common operations:

(1) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(2) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1


-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $