Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 1 | How to use smartcards with OpenSSH? |
| 2 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 3 | OpenSSH contains experimental support for authentication using Cyberflex |
| 4 | smartcards and TODOS card readers, in addition to the cards with PKCS#15 |
| 5 | structure supported by OpenSC. |
Damien Miller | 8124e1a | 2001-09-25 10:21:28 +1000 | [diff] [blame] | 6 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 7 | WARNING: Smartcard support is still in development. |
| 8 | Keyfile formats, etc are still subject to change. |
Damien Miller | 8124e1a | 2001-09-25 10:21:28 +1000 | [diff] [blame] | 9 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 10 | To enable sectok support: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 11 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 12 | (1) install sectok: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 13 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 14 | Sources and instructions are available from |
Damien Miller | 7a62b77 | 2001-09-18 15:44:34 +1000 | [diff] [blame] | 15 | http://www.citi.umich.edu/projects/smartcard/sectok.html |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 16 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 17 | (2) enable sectok support in OpenSSH: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 18 | |
Ben Lindstrom | a42694f | 2002-04-05 16:11:45 +0000 | [diff] [blame] | 19 | $ ./configure --with-sectok[=/path/to/libsectok] [options] |
Damien Miller | 7a62b77 | 2001-09-18 15:44:34 +1000 | [diff] [blame] | 20 | |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 21 | (3) load the Java Cardlet to the Cyberflex card: |
| 22 | |
| 23 | $ sectok |
| 24 | sectok> login -d |
| 25 | sectok> jload /usr/libdata/ssh/Ssh.bin |
| 26 | sectok> quit |
| 27 | |
| 28 | (4) load a RSA key to the card: |
| 29 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 30 | Please don't use your production RSA keys, since |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 31 | with the current version of sectok/ssh-keygen |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 32 | the private key file is still readable. |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 33 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 34 | $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 35 | |
| 36 | In spite of the name, this does not generate a key. |
| 37 | It just loads an already existing key on to the card. |
| 38 | |
| 39 | (5) optional: |
| 40 | |
| 41 | Change the card password so that only you can |
| 42 | read the private key: |
| 43 | |
| 44 | $ sectok |
| 45 | sectok> login -d |
| 46 | sectok> setpass |
| 47 | sectok> quit |
| 48 | |
| 49 | This prevents reading the key but not use of the |
| 50 | key by the card applet. |
| 51 | |
| 52 | Do not forget the passphrase. There is no way to |
| 53 | recover if you do. |
| 54 | |
| 55 | IMPORTANT WARNING: If you attempt to login with the |
| 56 | wrong passphrase three times in a row, you will |
| 57 | destroy your card. |
| 58 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 59 | To enable OpenSC support: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 60 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 61 | (1) install OpenSC: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 62 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 63 | Sources and instructions are available from |
| 64 | http://www.opensc.org/ |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 65 | |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 66 | (2) enable OpenSC support in OpenSSH: |
| 67 | |
| 68 | $ ./configure --with-opensc[=/path/to/opensc] [options] |
| 69 | |
| 70 | (3) load a RSA key to the card: |
| 71 | |
| 72 | Not supported yet. |
| 73 | |
| 74 | Common smartcard options: |
| 75 | |
| 76 | (1) tell the ssh client to use the card reader: |
| 77 | |
| 78 | $ ssh -I <readernum, eg. 0> otherhost |
| 79 | |
| 80 | (2) or tell the agent (don't forget to restart) to use the smartcard: |
| 81 | |
| 82 | $ ssh-add -s <readernum, eg. 0> |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 83 | |
| 84 | -markus, |
Damien Miller | f6195f2 | 2002-04-23 22:48:46 +1000 | [diff] [blame] | 85 | Sat Apr 13 13:48:10 EEST 2002 |