- (djm) Sync README.smartcard with OpenBSD -current

[openssh.git] / README.smartcard

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

        $ ./configure --with-smartcard [...]
        and rebuild

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

        $ sectok
        sectok> login -d
        sectok> junload Ssh.bin
        sectok> delete 0012
        sectok> delete sh
        sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

        $ sectok
        sectok> login -d
        sectok> jload /usr/libdata/ssh/Ssh.bin
        sectok> setpass
        Enter new AUT0 passphrase: 
        Re-enter passphrase: 
        sectok> quit

        Do not forget the passphrase.  There is no way to
        recover if you do.

        IMPORTANT WARNING: If you attempt to login with the
        wrong passphrase three times in a row, you will
        destroy your card.

(4) load a RSA key to the card:

        $ ssh-keygen -f /path/to/rsakey -U 1
        (where 1 is the reader number, you can also try 0)

        In spite of the name, this does not generate a key.
        It just loads an already existing key on to the card.

(5) tell the ssh client to use the card reader:

        $ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart) to use the smartcard:

        $ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

        $ sectok
        sectok> login -d
        sectok> acl 0012 world: w 
         world: w 
         AUT0: w inval 
        sectok> quit

        If you do this, anyone who has access to your card
        can assume your identity.  This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $