diff options
Diffstat (limited to 'crypto/openssh/README.smartcard')
| -rw-r--r-- | crypto/openssh/README.smartcard | 66 |
1 files changed, 35 insertions, 31 deletions
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard index 499dc8e..4112e12 100644 --- a/crypto/openssh/README.smartcard +++ b/crypto/openssh/README.smartcard @@ -4,52 +4,33 @@ OpenSSH contains experimental support for authentication using Cyberflex smartcards and TODOS card readers. To enable this you need to: -(1) install sectok - - $ cd /usr/src/lib/libsectok - $ make obj depend all install includes - $ cd /usr/src/usr.bin/sectok - $ make obj depend all install - -(2) enable SMARTCARD support in OpenSSH: +(1) enable SMARTCARD support in OpenSSH: $ vi /usr/src/usr.bin/ssh/Makefile.inc and uncomment CFLAGS+= -DSMARTCARD LDADD+= -lsectok -(3) load the Java Cardlet to the Cyberflex card: +(2) If you have used a previous version of ssh with your card, you + must remove the old applet and keys. $ sectok sectok> login -d - sectok> jload /usr/libdata/ssh/Ssh.bin + sectok> junload Ssh.bin + sectok> delete 0012 + sectok> delete sh sectok> quit -(4) load a RSA key to the card: - - please don't use your production RSA keys, since - with the current version of sectok/ssh-keygen - the private key file is still readable - - $ ssh-keygen -f /path/to/rsakey -U 1 - (where 1 is the reader number, you can also try 0) - - In spite of the name, this does not generate a key. - It just loads an already existing key on to the card. - -(5) optional: - - Change the card password so that only you can - read the private key: +(3) load the Java Cardlet to the Cyberflex card and set card passphrase: $ sectok sectok> login -d + sectok> jload /usr/libdata/ssh/Ssh.bin sectok> setpass + Enter new AUT0 passphrase: + Re-enter passphrase: sectok> quit - This prevents reading the key but not use of the - key by the card applet. - Do not forget the passphrase. There is no way to recover if you do. @@ -57,13 +38,36 @@ need to: wrong passphrase three times in a row, you will destroy your card. -(6) tell the ssh client to use the card reader: +(4) load a RSA key to the card: + + $ ssh-keygen -f /path/to/rsakey -U 1 + (where 1 is the reader number, you can also try 0) + + In spite of the name, this does not generate a key. + It just loads an already existing key on to the card. + +(5) tell the ssh client to use the card reader: $ ssh -I 1 otherhost -(7) or tell the agent (don't forget to restart) to use the smartcard: +(6) or tell the agent (don't forget to restart) to use the smartcard: $ ssh-add -s 1 +(7) Optional: If you don't want to use a card passphrase, change the + acl on the private key file: + + $ sectok + sectok> login -d + sectok> acl 0012 world: w + world: w + AUT0: w inval + sectok> quit + + If you do this, anyone who has access to your card + can assume your identity. This is not recommended. + -markus, Tue Jul 17 23:54:51 CEST 2001 + +$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ |
