| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 1 | How to use smartcards with OpenSSH? |
| 2 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 3 | OpenSSH contains experimental support for authentication using |
| Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 4 | Cyberflex smartcards and TODOS card readers, in addition to the cards |
| Damien Miller | 78f2e5c | 2003-06-10 21:09:09 +1000 | [diff] [blame] | 5 | with PKCS#15 structure supported by OpenSC. To enable this you |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 6 | need to: |
| Damien Miller | 8124e1a | 2001-09-25 10:21:28 +1000 | [diff] [blame] | 7 | |
| Damien Miller | 78f2e5c | 2003-06-10 21:09:09 +1000 | [diff] [blame] | 8 | Using libsectok: |
| Damien Miller | 8124e1a | 2001-09-25 10:21:28 +1000 | [diff] [blame] | 9 | |
| Damien Miller | 78f2e5c | 2003-06-10 21:09:09 +1000 | [diff] [blame] | 10 | (1) enable sectok support in OpenSSH: |
| 11 | |
| 12 | $ ./configure --with-sectok |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 13 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 14 | (2) If you have used a previous version of ssh with your card, you |
| 15 | must remove the old applet and keys. |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 16 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 17 | $ sectok |
| 18 | sectok> login -d |
| 19 | sectok> junload Ssh.bin |
| 20 | sectok> delete 0012 |
| 21 | sectok> delete sh |
| 22 | sectok> quit |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 23 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 24 | (3) load the Java Cardlet to the Cyberflex card and set card passphrase: |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 25 | |
| 26 | $ sectok |
| 27 | sectok> login -d |
| 28 | sectok> jload /usr/libdata/ssh/Ssh.bin |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 29 | sectok> setpass |
| Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 30 | Enter new AUT0 passphrase: |
| 31 | Re-enter passphrase: |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 32 | sectok> quit |
| 33 | |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 34 | Do not forget the passphrase. There is no way to |
| 35 | recover if you do. |
| 36 | |
| 37 | IMPORTANT WARNING: If you attempt to login with the |
| 38 | wrong passphrase three times in a row, you will |
| 39 | destroy your card. |
| 40 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 41 | (4) load a RSA key to the card: |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 42 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 43 | $ ssh-keygen -f /path/to/rsakey -U 1 |
| 44 | (where 1 is the reader number, you can also try 0) |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 45 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 46 | In spite of the name, this does not generate a key. |
| 47 | It just loads an already existing key on to the card. |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 48 | |
| Damien Miller | 78f2e5c | 2003-06-10 21:09:09 +1000 | [diff] [blame] | 49 | (5) Optional: If you don't want to use a card passphrase, change the |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 50 | acl on the private key file: |
| Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 51 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 52 | $ sectok |
| 53 | sectok> login -d |
| Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 54 | sectok> acl 0012 world: w |
| 55 | world: w |
| 56 | AUT0: w inval |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 57 | sectok> quit |
| Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 58 | |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 59 | If you do this, anyone who has access to your card |
| 60 | can assume your identity. This is not recommended. |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 61 | |
| Damien Miller | 78f2e5c | 2003-06-10 21:09:09 +1000 | [diff] [blame] | 62 | |
| 63 | Using OpenSC: |
| 64 | |
| 65 | (1) install OpenSC: |
| 66 | |
| 67 | Sources and instructions are available from |
| 68 | http://www.opensc.org/ |
| 69 | |
| 70 | (2) enable OpenSC support in OpenSSH: |
| 71 | |
| 72 | $ ./configure --with-opensc[=/path/to/opensc] [options] |
| 73 | |
| 74 | (3) load a RSA key to the card: |
| 75 | |
| 76 | Not supported yet. |
| 77 | |
| 78 | |
| 79 | Common operations: |
| 80 | |
| 81 | (1) tell the ssh client to use the card reader: |
| 82 | |
| 83 | $ ssh -I 1 otherhost |
| 84 | |
| 85 | (2) or tell the agent (don't forget to restart) to use the smartcard: |
| 86 | |
| 87 | $ ssh-add -s 1 |
| 88 | |
| 89 | |
| Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 90 | -markus, |
| Damien Miller | c18c06e | 2003-06-10 18:55:22 +1000 | [diff] [blame] | 91 | Tue Jul 17 23:54:51 CEST 2001 |
| 92 | |
| Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 93 | $OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $ |