source: trunk/third/openssh/README.smartcard @ 18759

Revision 18759, 1.9 KB checked in by zacheiss, 22 years ago
This commit was generated by cvs2svn to compensate for changes in r18758, which included commits to RCS files with non-trunk default branches.
How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using Cyberflex
smartcards and TODOS card readers, in addition to the cards with PKCS#15
structure supported by OpenSC.

WARNING: Smartcard support is still in development.
Keyfile formats, etc. are still subject to change.

To enable sectok support:

(1) install sectok:

        Sources and instructions are available from
        http://www.citi.umich.edu/projects/smartcard/sectok.html

(2) enable sectok support in OpenSSH:

        $ ./configure --with-sectok[=/path/to/libsectok] [options]

(3) load the Java Cardlet to the Cyberflex card:

        $ sectok
        sectok> login -d
        sectok> jload /usr/libdata/ssh/Ssh.bin
        sectok> quit

(4) load an RSA key to the card:

        Please don't use your production RSA keys, since
        with the current version of sectok/ssh-keygen
        the private key file is still readable.

        $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>

        In spite of the name, this does not generate a key.
        It just loads an already existing key onto the card.

(5) optional:

        Change the card password so that only you can
        read the private key:

        $ sectok
        sectok> login -d
        sectok> setpass
        sectok> quit

        This prevents reading the key but not use of the
        key by the card applet.

        Do not forget the passphrase.  There is no way to
        recover if you do.

        IMPORTANT WARNING: If you attempt to log in with the
        wrong passphrase three times in a row, you will
        destroy your card.

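A pre-flight check for the key file named in step (4) of the sectok procedure above, given as an added example that is not part of the OpenSSH README. It assumes a traditional PEM RSA private key file; the function name check_card_key is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the OpenSSH README: pre-flight check for step (4).
# Assumptions: the key is a traditional PEM RSA private key file; the function
# name check_card_key is hypothetical.

# Prints one finding per line. Returns 0 if the file may be loaded as a
# throwaway key, 1 if any finding marked FAIL was reported.
check_card_key() {
    key=$1
    rc=0
    if [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file"
        return 1
    fi
    # The README says not to load production keys: refuse the default identities.
    case "$key" in
        "$HOME"/.ssh/id_rsa|"$HOME"/.ssh/identity)
            echo "FAIL: $key is a default identity file; use a throwaway key"
            rc=1 ;;
    esac
    if ! head -n 1 "$key" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'; then
        echo "FAIL: $key is not a PEM RSA private key"
        rc=1
    fi
    # Traditional PEM marks passphrase protection with a Proc-Type header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "OK: on-disk copy is passphrase-encrypted"
    else
        echo "WARN: on-disk copy is unencrypted; anyone who can read it has the key"
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "OK: no group/other access"
    else
        echo "FAIL: group/other bits are '$perms'; chmod 600 the file"
        rc=1
    fi
    return $rc
}

# Usage: sh check_card_key.sh /path/to/rsakey
if [ "$#" -gt 0 ]; then
    check_card_key "$1"
fi
```
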
To enable OpenSC support:

(1) install OpenSC:

        Sources and instructions are available from
        http://www.opensc.org/

(2) enable OpenSC support in OpenSSH:

        $ ./configure --with-opensc[=/path/to/opensc] [options]

(3) load an RSA key to the card:

        Not supported yet.

Common smartcard options:

(1) tell the ssh client to use the card reader:

        $ ssh -I <readernum, eg. 0> otherhost

(2) or tell the agent (don't forget to restart) to use the smartcard:

        $ ssh-add -s <readernum, eg. 0>

-markus,
Sat Apr 13 13:48:10 EEST 2002