diff options
Diffstat (limited to 'crypto/openssh/README.smartcard')
-rw-r--r-- | crypto/openssh/README.smartcard | 80 |
1 files changed, 44 insertions, 36 deletions
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard index 29bec8d..88810fc 100644 --- a/crypto/openssh/README.smartcard +++ b/crypto/openssh/README.smartcard @@ -1,62 +1,66 @@ How to use smartcards with OpenSSH? -OpenSSH contains experimental support for authentication using Cyberflex -smartcards and TODOS card readers, in addition to the cards with PKCS#15 -structure supported by OpenSC. +OpenSSH contains experimental support for authentication using +Cyberflex smartcards and TODOS card readers, in addition to the cards +with PKCS#15 structure supported by OpenSC. To enable this you +need to: -WARNING: Smartcard support is still in development. -Keyfile formats, etc are still subject to change. +Using libsectok: -To enable sectok support: +(1) enable sectok support in OpenSSH: -(1) install sectok: + $ ./configure --with-sectok - Sources and instructions are available from - http://www.citi.umich.edu/projects/smartcard/sectok.html - -(2) enable sectok support in OpenSSH: +(2) If you have used a previous version of ssh with your card, you + must remove the old applet and keys. - $ ./configure --with-sectok[=/path/to/libsectok] [options] + $ sectok + sectok> login -d + sectok> junload Ssh.bin + sectok> delete 0012 + sectok> delete sh + sectok> quit -(3) load the Java Cardlet to the Cyberflex card: +(3) load the Java Cardlet to the Cyberflex card and set card passphrase: $ sectok sectok> login -d sectok> jload /usr/libdata/ssh/Ssh.bin + sectok> setpass + Enter new AUT0 passphrase: + Re-enter passphrase: sectok> quit -(4) load a RSA key to the card: + Do not forget the passphrase. There is no way to + recover if you do. - Please don't use your production RSA keys, since - with the current version of sectok/ssh-keygen - the private key file is still readable. + IMPORTANT WARNING: If you attempt to login with the + wrong passphrase three times in a row, you will + destroy your card. - $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> +(4) load a RSA key to the card: + + $ ssh-keygen -f /path/to/rsakey -U 1 + (where 1 is the reader number, you can also try 0) In spite of the name, this does not generate a key. It just loads an already existing key on to the card. -(5) optional: - - Change the card password so that only you can - read the private key: +(5) Optional: If you don't want to use a card passphrase, change the + acl on the private key file: $ sectok sectok> login -d - sectok> setpass + sectok> acl 0012 world: w + world: w + AUT0: w inval sectok> quit - This prevents reading the key but not use of the - key by the card applet. - - Do not forget the passphrase. There is no way to - recover if you do. + If you do this, anyone who has access to your card + can assume your identity. This is not recommended. - IMPORTANT WARNING: If you attempt to login with the - wrong passphrase three times in a row, you will - destroy your card. -To enable OpenSC support: +Using OpenSC: (1) install OpenSC: @@ -71,15 +75,19 @@ To enable OpenSC support: Not supported yet. -Common smartcard options: + +Common operations: (1) tell the ssh client to use the card reader: - $ ssh -I <readernum, eg. 0> otherhost + $ ssh -I 1 otherhost (2) or tell the agent (don't forget to restart) to use the smartcard: - $ ssh-add -s <readernum, eg. 0> + $ ssh-add -s 1 + -markus, -Sat Apr 13 13:48:10 EEST 2002 +Tue Jul 17 23:54:51 CEST 2001 + +$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ |