Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 1 | How to use smartcards with OpenSSH? |
| 2 | |
| 3 | OpenSSH contains experimental support for authentication using |
Damien Miller | 8124e1a | 2001-09-25 10:21:28 +1000 | [diff] [blame] | 4 | Cyberflex smartcards and TODOS card readers. |
| 5 | |
| 6 | WARNING: Smartcard support is still in development. Keyfile formats, etc |
| 7 | are still subject to change. |
| 8 | |
| 9 | To enable this you need to: |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 10 | |
| 11 | (1) install sectok |
| 12 | |
Damien Miller | 7a62b77 | 2001-09-18 15:44:34 +1000 | [diff] [blame] | 13 | Sources are instructions are available from |
| 14 | http://www.citi.umich.edu/projects/smartcard/sectok.html |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 15 | |
| 16 | (2) enable SMARTCARD support in OpenSSH: |
| 17 | |
Damien Miller | 7a62b77 | 2001-09-18 15:44:34 +1000 | [diff] [blame] | 18 | $ ./configure --with-smartcard [options] |
| 19 | |
| 20 | You can also specify a path to libsectok: |
| 21 | |
| 22 | $ ./configure --with-smartcard=/path/to/libsectok [options] |
Damien Miller | d97c2ce | 2001-09-18 15:06:21 +1000 | [diff] [blame] | 23 | |
| 24 | (3) load the Java Cardlet to the Cyberflex card: |
| 25 | |
| 26 | $ sectok |
| 27 | sectok> login -d |
| 28 | sectok> jload /usr/libdata/ssh/Ssh.bin |
| 29 | sectok> quit |
| 30 | |
| 31 | (4) load a RSA key to the card: |
| 32 | |
| 33 | please don't use your production RSA keys, since |
| 34 | with the current version of sectok/ssh-keygen |
| 35 | the private key file is still readable |
| 36 | |
| 37 | $ ssh-keygen -f /path/to/rsakey -U 1 |
| 38 | (where 1 is the reader number, you can also try 0) |
| 39 | |
| 40 | In spite of the name, this does not generate a key. |
| 41 | It just loads an already existing key on to the card. |
| 42 | |
| 43 | (5) optional: |
| 44 | |
| 45 | Change the card password so that only you can |
| 46 | read the private key: |
| 47 | |
| 48 | $ sectok |
| 49 | sectok> login -d |
| 50 | sectok> setpass |
| 51 | sectok> quit |
| 52 | |
| 53 | This prevents reading the key but not use of the |
| 54 | key by the card applet. |
| 55 | |
| 56 | Do not forget the passphrase. There is no way to |
| 57 | recover if you do. |
| 58 | |
| 59 | IMPORTANT WARNING: If you attempt to login with the |
| 60 | wrong passphrase three times in a row, you will |
| 61 | destroy your card. |
| 62 | |
| 63 | (6) tell the ssh client to use the card reader: |
| 64 | |
| 65 | $ ssh -I 1 otherhost |
| 66 | |
| 67 | (7) or tell the agent (don't forget to restart) to use the smartcard: |
| 68 | |
| 69 | $ ssh-add -s 1 |
| 70 | |
| 71 | -markus, |
| 72 | Tue Jul 17 23:54:51 CEST 2001 |