diff options
Diffstat (limited to 'crypto/openssh/README.smartcard')
-rw-r--r-- | crypto/openssh/README.smartcard | 90 |
1 files changed, 51 insertions, 39 deletions
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard index 4112e12..29bec8d 100644 --- a/crypto/openssh/README.smartcard +++ b/crypto/openssh/README.smartcard @@ -1,36 +1,54 @@ How to use smartcards with OpenSSH? -OpenSSH contains experimental support for authentication using -Cyberflex smartcards and TODOS card readers. To enable this you -need to: +OpenSSH contains experimental support for authentication using Cyberflex +smartcards and TODOS card readers, in addition to the cards with PKCS#15 +structure supported by OpenSC. -(1) enable SMARTCARD support in OpenSSH: +WARNING: Smartcard support is still in development. +Keyfile formats, etc are still subject to change. - $ vi /usr/src/usr.bin/ssh/Makefile.inc - and uncomment - CFLAGS+= -DSMARTCARD - LDADD+= -lsectok +To enable sectok support: -(2) If you have used a previous version of ssh with your card, you - must remove the old applet and keys. +(1) install sectok: + + Sources and instructions are available from + http://www.citi.umich.edu/projects/smartcard/sectok.html + +(2) enable sectok support in OpenSSH: + + $ ./configure --with-sectok[=/path/to/libsectok] [options] + +(3) load the Java Cardlet to the Cyberflex card: $ sectok sectok> login -d - sectok> junload Ssh.bin - sectok> delete 0012 - sectok> delete sh + sectok> jload /usr/libdata/ssh/Ssh.bin sectok> quit -(3) load the Java Cardlet to the Cyberflex card and set card passphrase: +(4) load a RSA key to the card: + + Please don't use your production RSA keys, since + with the current version of sectok/ssh-keygen + the private key file is still readable. + + $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> + + In spite of the name, this does not generate a key. + It just loads an already existing key on to the card. + +(5) optional: + + Change the card password so that only you can + read the private key: $ sectok sectok> login -d - sectok> jload /usr/libdata/ssh/Ssh.bin sectok> setpass - Enter new AUT0 passphrase: - Re-enter passphrase: sectok> quit + This prevents reading the key but not use of the + key by the card applet. + Do not forget the passphrase. There is no way to recover if you do. @@ -38,36 +56,30 @@ need to: wrong passphrase three times in a row, you will destroy your card. -(4) load a RSA key to the card: +To enable OpenSC support: - $ ssh-keygen -f /path/to/rsakey -U 1 - (where 1 is the reader number, you can also try 0) +(1) install OpenSC: - In spite of the name, this does not generate a key. - It just loads an already existing key on to the card. + Sources and instructions are available from + http://www.opensc.org/ -(5) tell the ssh client to use the card reader: +(2) enable OpenSC support in OpenSSH: - $ ssh -I 1 otherhost + $ ./configure --with-opensc[=/path/to/opensc] [options] -(6) or tell the agent (don't forget to restart) to use the smartcard: +(3) load a RSA key to the card: - $ ssh-add -s 1 + Not supported yet. -(7) Optional: If you don't want to use a card passphrase, change the - acl on the private key file: +Common smartcard options: - $ sectok - sectok> login -d - sectok> acl 0012 world: w - world: w - AUT0: w inval - sectok> quit +(1) tell the ssh client to use the card reader: - If you do this, anyone who has access to your card - can assume your identity. This is not recommended. + $ ssh -I <readernum, eg. 0> otherhost --markus, -Tue Jul 17 23:54:51 CEST 2001 +(2) or tell the agent (don't forget to restart) to use the smartcard: + + $ ssh-add -s <readernum, eg. 0> -$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ +-markus, +Sat Apr 13 13:48:10 EEST 2002 |