How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers, in addition to the cards with
PKCS #15 structure supported by OpenSC.

WARNING: Smartcard support is still in development. Keyfile formats, etc.
are still subject to change.

To enable this you need to:

(1) install sectok or OpenSC

    Sources and instructions are available from
    http://www.citi.umich.edu/projects/smartcard/sectok.html

    or

    http://www.opensc.org/

(2) enable SMARTCARD support in OpenSSH:

    $ ./configure --with-sectok[=/path/to/libsectok] [options]

    or

    $ ./configure --with-opensc[=/path/to/opensc] [options]

(3) load the Java Cardlet to the Cyberflex card:

    $ sectok
    sectok> login -d
    sectok> jload /usr/libdata/ssh/Ssh.bin
    sectok> quit

(4) load an RSA key to the card:

    please don't use your production RSA keys, since
    with the current version of sectok/ssh-keygen
    the private key file is still readable

    $ ssh-keygen -f /path/to/rsakey -U 1
    (where 1 is the reader number, you can also try 0)

    In spite of the name, this does not generate a key.
    It just loads an already existing key onto the card.

(5) optional:

    Change the card password so that only you can
    read the private key:

    $ sectok
    sectok> login -d
    sectok> setpass
    sectok> quit

    This prevents reading the key but not use of the
    key by the card applet.

    Do not forget the passphrase. There is no way to
    recover if you do.

    IMPORTANT WARNING: If you attempt to log in with the
    wrong passphrase three times in a row, you will
    destroy your card.

(6) tell the ssh client to use the card reader:

    $ ssh -I 1 otherhost

(7) or tell the agent (don't forget to restart) to use the smartcard:

    $ ssh-add -s 1
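The reader-number fallback from steps (4), (6) and (7), as an added shell helper that is not part of the original README: it checks that the file is an existing PEM RSA private key, loads it with ssh-keygen -U trying reader 1 and then 0 as the text suggests, and prints the reader number that accepted the key so the same number can be passed to ssh -I and ssh-add -s. The SSH_KEYGEN override, the PEM header check and the reader list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the OpenSSH README. Assumptions: the key is a
# PEM "RSA PRIVATE KEY" file, readers are numbered 1 and 0, and the
# ssh-keygen binary may be overridden through SSH_KEYGEN (used by tests).

# Return 0 if the file exists and looks like a PEM RSA private key, else 1.
is_rsa_private_key() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Load the key in $1 onto the card, trying reader 1 and then reader 0
# (ssh-keygen -U does not generate a key; it copies the existing one).
# Prints the reader number that accepted the key; returns 1 on failure.
load_rsa_key_to_card() {
    key="$1"
    if ! is_rsa_private_key "$key"; then
        echo "not a readable PEM RSA private key: $key" >&2
        return 1
    fi
    for reader in 1 0; do
        if "${SSH_KEYGEN:-ssh-keygen}" -f "$key" -U "$reader" >/dev/null 2>&1; then
            echo "$reader"
            return 0
        fi
    done
    echo "no reader accepted the key (tried 1 and 0)" >&2
    return 1
}

# Typical use: reader=$(load_rsa_key_to_card ~/.ssh/card_rsa) &&
#   ssh-add -s "$reader"      # or: ssh -I "$reader" otherhost
```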

-markus,
Tue Jul 17 23:54:51 CEST 2001