X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/93816ec8e39a8bc6bd24a3a9d4cfe07b1b1fb435..31b41ceb9541ae922669644dbec216630874a208:/README.smartcard diff --git a/README.smartcard b/README.smartcard index 499dc8ed..fdf83eca 100644 --- a/README.smartcard +++ b/README.smartcard @@ -1,35 +1,44 @@ How to use smartcards with OpenSSH? OpenSSH contains experimental support for authentication using -Cyberflex smartcards and TODOS card readers. To enable this you +Cyberflex smartcards and TODOS card readers, in addition to the cards +with PKCS#15 structure supported by OpenSC. To enable this you need to: -(1) install sectok +Using libsectok: - $ cd /usr/src/lib/libsectok - $ make obj depend all install includes - $ cd /usr/src/usr.bin/sectok - $ make obj depend all install +(1) enable sectok support in OpenSSH: -(2) enable SMARTCARD support in OpenSSH: + $ ./configure --with-sectok - $ vi /usr/src/usr.bin/ssh/Makefile.inc - and uncomment - CFLAGS+= -DSMARTCARD - LDADD+= -lsectok +(2) If you have used a previous version of ssh with your card, you + must remove the old applet and keys. -(3) load the Java Cardlet to the Cyberflex card: + $ sectok + sectok> login -d + sectok> junload Ssh.bin + sectok> delete 0012 + sectok> delete sh + sectok> quit + +(3) load the Java Cardlet to the Cyberflex card and set card passphrase: $ sectok sectok> login -d sectok> jload /usr/libdata/ssh/Ssh.bin + sectok> setpass + Enter new AUT0 passphrase: + Re-enter passphrase: sectok> quit -(4) load a RSA key to the card: + Do not forget the passphrase. There is no way to + recover if you do. - please don't use your production RSA keys, since - with the current version of sectok/ssh-keygen - the private key file is still readable + IMPORTANT WARNING: If you attempt to login with the + wrong passphrase three times in a row, you will + destroy your card. + +(4) load a RSA key to the card: $ ssh-keygen -f /path/to/rsakey -U 1 (where 1 is the reader number, you can also try 0) @@ -37,33 +46,48 @@ need to: In spite of the name, this does not generate a key. It just loads an already existing key on to the card. -(5) optional: - - Change the card password so that only you can - read the private key: +(5) Optional: If you don't want to use a card passphrase, change the + acl on the private key file: $ sectok sectok> login -d - sectok> setpass + sectok> acl 0012 world: w + world: w + AUT0: w inval sectok> quit - This prevents reading the key but not use of the - key by the card applet. + If you do this, anyone who has access to your card + can assume your identity. This is not recommended. - Do not forget the passphrase. There is no way to - recover if you do. - IMPORTANT WARNING: If you attempt to login with the - wrong passphrase three times in a row, you will - destroy your card. +Using OpenSC: + +(1) install OpenSC: + + Sources and instructions are available from + http://www.opensc.org/ + +(2) enable OpenSC support in OpenSSH: -(6) tell the ssh client to use the card reader: + $ ./configure --with-opensc[=/path/to/opensc] [options] + +(3) load a RSA key to the card: + + Not supported yet. + + +Common operations: + +(1) tell the ssh client to use the card reader: $ ssh -I 1 otherhost -(7) or tell the agent (don't forget to restart) to use the smartcard: +(2) or tell the agent (don't forget to restart) to use the smartcard: $ ssh-add -s 1 + -markus, Tue Jul 17 23:54:51 CEST 2001 + +$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $