| blob | faeb641cd6a97663196b4179aa891d67d80c0b2d |
1 How to use smartcards with OpenSSH?
3 OpenSSH contains experimental support for authentication using
4 Cyberflex smartcards and TODOS card readers. To enable this you
5 need to:
7 (1) enable SMARTCARD support in OpenSSH:
9 $ vi /usr/src/usr.bin/ssh/Makefile.inc
10 and uncomment
11 CFLAGS+= -DSMARTCARD
12 LDADD+= -lsectok
14 (2) If you have used a previous version of ssh with your card, you
15 must remove the old applet and keys.
17 $ sectok
18 sectok> login -d
19 sectok> junload Ssh.bin
20 sectok> delete 0012
21 sectok> delete sh
22 sectok> quit
24 (3) load the Java Cardlet to the Cyberflex card and set card passphrase:
26 $ sectok
27 sectok> login -d
28 sectok> jload /usr/libdata/ssh/Ssh.bin
29 sectok> setpass
30 Enter new AUT0 passphrase:
31 Re-enter passphrase:
32 sectok> quit
34 Do not forget the passphrase. There is no way to
35 recover if you do.
37 IMPORTANT WARNING: If you attempt to login with the
38 wrong passphrase three times in a row, you will
39 destroy your card.
41 (4) load a RSA key to the card:
43 $ ssh-keygen -f /path/to/rsakey -U 1
44 (where 1 is the reader number, you can also try 0)
46 In spite of the name, this does not generate a key.
47 It just loads an already existing key on to the card.
49 (5) tell the ssh client to use the card reader:
51 $ ssh -I 1 otherhost
53 (6) or tell the agent (don't forget to restart) to use the smartcard:
55 $ ssh-add -s 1
57 (7) Optional: If you don't want to use a card passphrase, change the
58 acl on the private key file:
60 $ sectok
61 sectok> login -d
62 sectok> acl 0012 world: w
63 world: w
64 AUT0: w inval
65 sectok> quit
67 If you do this, anyone who has access to your card
68 can assume your identity. This is not recommended.
70 -markus,
71 Tue Jul 17 23:54:51 CEST 2001
73 $OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $