diff options
author | des <des@FreeBSD.org> | 2002-03-18 09:55:03 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-03-18 09:55:03 +0000 |
commit | 2fc4a488978a03338ecc65403597582c77dabeea (patch) | |
tree | 068818e7abaca45008ac24af9fb4de22815cc0eb /crypto/openssh/README.smartcard | |
parent | 8acd87ac472a182ef2d717212f2c0faba81143a5 (diff) | |
download | FreeBSD-src-2fc4a488978a03338ecc65403597582c77dabeea.zip FreeBSD-src-2fc4a488978a03338ecc65403597582c77dabeea.tar.gz |
Vendor import of OpenSSH 3.1
Diffstat (limited to 'crypto/openssh/README.smartcard')
-rw-r--r-- | crypto/openssh/README.smartcard | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard new file mode 100644 index 0000000..499dc8e --- /dev/null +++ b/crypto/openssh/README.smartcard @@ -0,0 +1,69 @@ +How to use smartcards with OpenSSH? + +OpenSSH contains experimental support for authentication using +Cyberflex smartcards and TODOS card readers. To enable this you +need to: + +(1) install sectok + + $ cd /usr/src/lib/libsectok + $ make obj depend all install includes + $ cd /usr/src/usr.bin/sectok + $ make obj depend all install + +(2) enable SMARTCARD support in OpenSSH: + + $ vi /usr/src/usr.bin/ssh/Makefile.inc + and uncomment + CFLAGS+= -DSMARTCARD + LDADD+= -lsectok + +(3) load the Java Cardlet to the Cyberflex card: + + $ sectok + sectok> login -d + sectok> jload /usr/libdata/ssh/Ssh.bin + sectok> quit + +(4) load a RSA key to the card: + + please don't use your production RSA keys, since + with the current version of sectok/ssh-keygen + the private key file is still readable + + $ ssh-keygen -f /path/to/rsakey -U 1 + (where 1 is the reader number, you can also try 0) + + In spite of the name, this does not generate a key. + It just loads an already existing key on to the card. + +(5) optional: + + Change the card password so that only you can + read the private key: + + $ sectok + sectok> login -d + sectok> setpass + sectok> quit + + This prevents reading the key but not use of the + key by the card applet. + + Do not forget the passphrase. There is no way to + recover if you do. + + IMPORTANT WARNING: If you attempt to login with the + wrong passphrase three times in a row, you will + destroy your card. + +(6) tell the ssh client to use the card reader: + + $ ssh -I 1 otherhost + +(7) or tell the agent (don't forget to restart) to use the smartcard: + + $ ssh-add -s 1 + +-markus, +Tue Jul 17 23:54:51 CEST 2001 |