summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/README.smartcard
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/README.smartcard')
-rw-r--r--crypto/openssh/README.smartcard90
1 files changed, 51 insertions, 39 deletions
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard
index 4112e12..29bec8d 100644
--- a/crypto/openssh/README.smartcard
+++ b/crypto/openssh/README.smartcard
@@ -1,36 +1,54 @@
How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers. To enable this you
-need to:
+OpenSSH contains experimental support for authentication using Cyberflex
+smartcards and TODOS card readers, in addition to the cards with PKCS#15
+structure supported by OpenSC.
-(1) enable SMARTCARD support in OpenSSH:
+WARNING: Smartcard support is still in development.
+Keyfile formats, etc are still subject to change.
- $ vi /usr/src/usr.bin/ssh/Makefile.inc
- and uncomment
- CFLAGS+= -DSMARTCARD
- LDADD+= -lsectok
+To enable sectok support:
-(2) If you have used a previous version of ssh with your card, you
- must remove the old applet and keys.
+(1) install sectok:
+
+ Sources and instructions are available from
+ http://www.citi.umich.edu/projects/smartcard/sectok.html
+
+(2) enable sectok support in OpenSSH:
+
+ $ ./configure --with-sectok[=/path/to/libsectok] [options]
+
+(3) load the Java Cardlet to the Cyberflex card:
$ sectok
sectok> login -d
- sectok> junload Ssh.bin
- sectok> delete 0012
- sectok> delete sh
+ sectok> jload /usr/libdata/ssh/Ssh.bin
sectok> quit
-(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
+(4) load a RSA key to the card:
+
+ Please don't use your production RSA keys, since
+ with the current version of sectok/ssh-keygen
+ the private key file is still readable.
+
+ $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
+
+ In spite of the name, this does not generate a key.
+ It just loads an already existing key on to the card.
+
+(5) optional:
+
+ Change the card password so that only you can
+ read the private key:
$ sectok
sectok> login -d
- sectok> jload /usr/libdata/ssh/Ssh.bin
sectok> setpass
- Enter new AUT0 passphrase:
- Re-enter passphrase:
sectok> quit
+ This prevents reading the key but not use of the
+ key by the card applet.
+
Do not forget the passphrase. There is no way to
recover if you do.
@@ -38,36 +56,30 @@ need to:
wrong passphrase three times in a row, you will
destroy your card.
-(4) load a RSA key to the card:
+To enable OpenSC support:
- $ ssh-keygen -f /path/to/rsakey -U 1
- (where 1 is the reader number, you can also try 0)
+(1) install OpenSC:
- In spite of the name, this does not generate a key.
- It just loads an already existing key on to the card.
+ Sources and instructions are available from
+ http://www.opensc.org/
-(5) tell the ssh client to use the card reader:
+(2) enable OpenSC support in OpenSSH:
- $ ssh -I 1 otherhost
+ $ ./configure --with-opensc[=/path/to/opensc] [options]
-(6) or tell the agent (don't forget to restart) to use the smartcard:
+(3) load a RSA key to the card:
- $ ssh-add -s 1
+ Not supported yet.
-(7) Optional: If you don't want to use a card passphrase, change the
- acl on the private key file:
+Common smartcard options:
- $ sectok
- sectok> login -d
- sectok> acl 0012 world: w
- world: w
- AUT0: w inval
- sectok> quit
+(1) tell the ssh client to use the card reader:
- If you do this, anyone who has access to your card
- can assume your identity. This is not recommended.
+ $ ssh -I <readernum, eg. 0> otherhost
--markus,
-Tue Jul 17 23:54:51 CEST 2001
+(2) or tell the agent (don't forget to restart) to use the smartcard:
+
+ $ ssh-add -s <readernum, eg. 0>
-$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
+-markus,
+Sat Apr 13 13:48:10 EEST 2002
OpenPOWER on IntegriCloud