How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers.

WARNING: Smartcard support is still in development. Keyfile formats, etc
are still subject to change.

To enable this you need to:

(1) install sectok or OpenSC

Sources and instructions are available from

        http://www.citi.umich.edu/projects/smartcard/sectok.html

or

        http://www.opensc.org/

(2) enable SMARTCARD support in OpenSSH:

        $ ./configure --with-sectok[=/path/to/libsectok] [options]

or

        $ ./configure --with-opensc[=/path/to/opensc] [options]

(3) load the Java Cardlet to the Cyberflex card:

        sectok> jload /usr/libdata/ssh/Ssh.bin

(4) load an RSA key to the card:

Please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
the private key file is still readable.

        $ ssh-keygen -f /path/to/rsakey -U 1
        (where 1 is the reader number, you can also try 0)

In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.

Change the card password so that only you can

This prevents reading the key but not use of the
key by the card applet.

Do not forget the passphrase. There is no way to

IMPORTANT WARNING: If you attempt to log in with the
wrong passphrase three times in a row, you will

(6) tell the ssh client to use the card reader:

(7) or tell the agent (don't forget to restart) to use the smartcard:

Tue Jul 17 23:54:51 CEST 2001
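
Step (4) warns that the private key file stays readable on disk after the key is loaded onto the card. The following is an added example, not part of the OpenSSH distribution, that classifies that leftover file; it assumes a PEM-format key, and the function name audit_key_file and the demo key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of OpenSSH. Assumes a PEM-format private key file.
# audit_key_file (hypothetical name) prints one word for PATH:
#   absent          nothing left on disk
#   not-a-key       no PEM private key header could be read
#   unknown-format  OpenSSH-format key; encryption is not visible in the header
#   encrypted       key body is passphrase-encrypted
#   plaintext       unencrypted key, readable by the owner only
#   exposed         unencrypted key, group or others have access bits set
audit_key_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo absent; return 0
    fi
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
        echo not-a-key; return 0
    fi
    if grep -q -e 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        echo unknown-format; return 0
    fi
    # Traditional PEM marks encryption with a Proc-Type header,
    # PKCS#8 with an "ENCRYPTED PRIVATE KEY" label.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo encrypted; return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows a symlink to the real key file.
    others=$(ls -ldL "$f" | cut -c5-10)
    if [ "$others" != "------" ]; then
        echo exposed
    else
        echo plaintext
    fi
}

# Demo on a constructed, non-functional key file.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/rsakey"
chmod 644 "$demo/rsakey"
echo "rsakey: $(audit_key_file "$demo/rsakey")"   # prints "rsakey: exposed"
rm -rf "$demo"
```

Any result other than "absent" means a copy of the key still exists outside the card; "exposed" and "plaintext" mean that copy can be used without the card.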