README.smartcard - platform/external/openssh - Gitiles

 How to use smartcards with OpenSSH?

 OpenSSH contains experimental support for authentication using Cyberflex
 smartcards and TODOS card readers, in addition to the cards with PKCS#15
 structure supported by OpenSC.

 WARNING: Smartcard support is still in development.
 Keyfile formats, etc are still subject to change.

 To enable sectok support:

 (1) install sectok:

 	Sources and instructions are available from
 	http://www.citi.umich.edu/projects/smartcard/sectok.html

 (2) enable sectok support in OpenSSH:

 	$ ./configure --with-sectok[=/path/to/libsectok] [options]

 (3) load the Java Cardlet to the Cyberflex card:

 	$ sectok
 	sectok> login -d
 	sectok> jload /usr/libdata/ssh/Ssh.bin
 	sectok> quit

 (4) load a RSA key to the card:

 	Please don't use your production RSA keys, since
 	with the current version of sectok/ssh-keygen
 	the private key file is still readable.

 	$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>

 	In spite of the name, this does not generate a key.
 	It just loads an already existing key on to the card.

 (5) optional:

 	Change the card password so that only you can
 	read the private key:

 	$ sectok
 	sectok> login -d
 	sectok> setpass
 	sectok> quit

 	This prevents reading the key but not use of the
 	key by the card applet.

 	Do not forget the passphrase.  There is no way to
 	recover if you do.

 	IMPORTANT WARNING: If you attempt to login with the
 	wrong passphrase three times in a row, you will
 	destroy your card.

 To enable OpenSC support:

 (1) install OpenSC:

 	Sources and instructions are available from
 	http://www.opensc.org/

 (2) enable OpenSC support in OpenSSH:

 	$ ./configure --with-opensc[=/path/to/opensc] [options]

 (3) load a RSA key to the card:

 	Not supported yet.

 Common smartcard options:

 (1) tell the ssh client to use the card reader:

 	$ ssh -I <readernum, eg. 0> otherhost

 (2) or tell the agent (don't forget to restart) to use the smartcard:

 	$ ssh-add -s <readernum, eg. 0>

 -markus,
 Sat Apr 13 13:48:10 EEST 2002
	How to use smartcards with OpenSSH?

	OpenSSH contains experimental support for authentication using Cyberflex
	smartcards and TODOS card readers, in addition to the cards with PKCS#15
	structure supported by OpenSC.

	WARNING: Smartcard support is still in development.
	Keyfile formats, etc are still subject to change.

	To enable sectok support:

	(1) install sectok:

	Sources and instructions are available from
	http://www.citi.umich.edu/projects/smartcard/sectok.html

	(2) enable sectok support in OpenSSH:

	$ ./configure --with-sectok[=/path/to/libsectok] [options]

	(3) load the Java Cardlet to the Cyberflex card:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> quit

	(4) load a RSA key to the card:

	Please don't use your production RSA keys, since
	with the current version of sectok/ssh-keygen
	the private key file is still readable.

	$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>

	In spite of the name, this does not generate a key.
	It just loads an already existing key on to the card.

	(5) optional:

	Change the card password so that only you can
	read the private key:

	$ sectok
	sectok> login -d
	sectok> setpass
	sectok> quit

	This prevents reading the key but not use of the
	key by the card applet.

	Do not forget the passphrase. There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to login with the
	wrong passphrase three times in a row, you will
	destroy your card.

	To enable OpenSC support:

	(1) install OpenSC:

	Sources and instructions are available from
	http://www.opensc.org/

	(2) enable OpenSC support in OpenSSH:

	$ ./configure --with-opensc[=/path/to/opensc] [options]

	(3) load a RSA key to the card:

	Not supported yet.

	Common smartcard options:

	(1) tell the ssh client to use the card reader:

	$ ssh -I <readernum, eg. 0> otherhost

	(2) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s <readernum, eg. 0>

	-markus,
	Sat Apr 13 13:48:10 EEST 2002