1 | How to use smartcards with OpenSSH? |
---|
2 | |
---|
3 | OpenSSH contains experimental support for authentication using Cyberflex |
---|
4 | smartcards and TODOS card readers, in addition to the cards with PKCS#15 |
---|
5 | structure supported by OpenSC. |
---|
6 | |
---|
7 | WARNING: Smartcard support is still in development. |
---|
8 | Keyfile formats, etc are still subject to change. |
---|
9 | |
---|
10 | To enable sectok support: |
---|
11 | |
---|
12 | (1) install sectok: |
---|
13 | |
---|
14 | Sources and instructions are available from |
---|
15 | http://www.citi.umich.edu/projects/smartcard/sectok.html |
---|
16 | |
---|
17 | (2) enable sectok support in OpenSSH: |
---|
18 | |
---|
19 | $ ./configure --with-sectok[=/path/to/libsectok] [options] |
---|
20 | |
---|
21 | (3) load the Java Cardlet to the Cyberflex card: |
---|
22 | |
---|
23 | $ sectok |
---|
24 | sectok> login -d |
---|
25 | sectok> jload /usr/libdata/ssh/Ssh.bin |
---|
26 | sectok> quit |
---|
27 | |
---|
28 | (4) load a RSA key to the card: |
---|
29 | |
---|
30 | Please don't use your production RSA keys, since |
---|
31 | with the current version of sectok/ssh-keygen |
---|
32 | the private key file is still readable. |
---|
33 | |
---|
34 | $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> |
---|
35 | |
---|
36 | In spite of the name, this does not generate a key. |
---|
37 | It just loads an already existing key on to the card. |
---|
38 | |
---|
39 | (5) optional: |
---|
40 | |
---|
41 | Change the card password so that only you can |
---|
42 | read the private key: |
---|
43 | |
---|
44 | $ sectok |
---|
45 | sectok> login -d |
---|
46 | sectok> setpass |
---|
47 | sectok> quit |
---|
48 | |
---|
49 | This prevents reading the key but not use of the |
---|
50 | key by the card applet. |
---|
51 | |
---|
52 | Do not forget the passphrase. There is no way to |
---|
53 | recover if you do. |
---|
54 | |
---|
55 | IMPORTANT WARNING: If you attempt to login with the |
---|
56 | wrong passphrase three times in a row, you will |
---|
57 | destroy your card. |
---|
58 | |
---|
59 | To enable OpenSC support: |
---|
60 | |
---|
61 | (1) install OpenSC: |
---|
62 | |
---|
63 | Sources and instructions are available from |
---|
64 | http://www.opensc.org/ |
---|
65 | |
---|
66 | (2) enable OpenSC support in OpenSSH: |
---|
67 | |
---|
68 | $ ./configure --with-opensc[=/path/to/opensc] [options] |
---|
69 | |
---|
70 | (3) load a RSA key to the card: |
---|
71 | |
---|
72 | Not supported yet. |
---|
73 | |
---|
74 | Common smartcard options: |
---|
75 | |
---|
76 | (1) tell the ssh client to use the card reader: |
---|
77 | |
---|
78 | $ ssh -I <readernum, eg. 0> otherhost |
---|
79 | |
---|
80 | (2) or tell the agent (don't forget to restart) to use the smartcard: |
---|
81 | |
---|
82 | $ ssh-add -s <readernum, eg. 0> |
---|
83 | |
---|
84 | -markus, |
---|
85 | Sat Apr 13 13:48:10 EEST 2002 |
---|