diff options
| author | Damien Miller <djm@mindrot.org> | 2003-06-10 18:55:22 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-06-10 18:55:22 +1000 |
| commit | c18c06e131f7b3660fdab6c0d4b6b087274ffb50 (patch) | |
| tree | c720d85f483514b13a2f617b9f1a884f33ededb8 | |
| parent | 400b8786d6d184675152a2f04d3fe806f7c954ae (diff) | |
- (djm) Sync README.smartcard with OpenBSD -current
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | README.smartcard | 88 |
2 files changed, 41 insertions, 52 deletions
@@ -1,3 +1,6 @@ +20030609 + - (djm) Sync README.smartcard with OpenBSD -current + 20030606 - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@ @@ -476,4 +479,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2790 2003/06/06 00:46:04 dtucker Exp $ +$Id: ChangeLog,v 1.2791 2003/06/10 08:55:22 djm Exp $ diff --git a/README.smartcard b/README.smartcard index 29bec8dc..7bbb0753 100644 --- a/README.smartcard +++ b/README.smartcard @@ -1,54 +1,34 @@ How to use smartcards with OpenSSH? -OpenSSH contains experimental support for authentication using Cyberflex -smartcards and TODOS card readers, in addition to the cards with PKCS#15 -structure supported by OpenSC. +OpenSSH contains experimental support for authentication using +Cyberflex smartcards and TODOS card readers. To enable this you +need to: -WARNING: Smartcard support is still in development. -Keyfile formats, etc are still subject to change. +(1) enable SMARTCARD support in OpenSSH: -To enable sectok support: + $ ./configure --with-smartcard [...] + and rebuild -(1) install sectok: - - Sources and instructions are available from - http://www.citi.umich.edu/projects/smartcard/sectok.html - -(2) enable sectok support in OpenSSH: - - $ ./configure --with-sectok[=/path/to/libsectok] [options] - -(3) load the Java Cardlet to the Cyberflex card: +(2) If you have used a previous version of ssh with your card, you + must remove the old applet and keys. $ sectok sectok> login -d - sectok> jload /usr/libdata/ssh/Ssh.bin + sectok> junload Ssh.bin + sectok> delete 0012 + sectok> delete sh sectok> quit -(4) load a RSA key to the card: - - Please don't use your production RSA keys, since - with the current version of sectok/ssh-keygen - the private key file is still readable. - - $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> - - In spite of the name, this does not generate a key. - It just loads an already existing key on to the card. - -(5) optional: - - Change the card password so that only you can - read the private key: +(3) load the Java Cardlet to the Cyberflex card and set card passphrase: $ sectok sectok> login -d + sectok> jload /usr/libdata/ssh/Ssh.bin sectok> setpass + Enter new AUT0 passphrase: + Re-enter passphrase: sectok> quit - This prevents reading the key but not use of the - key by the card applet. - Do not forget the passphrase. There is no way to recover if you do. @@ -56,30 +36,36 @@ To enable sectok support: wrong passphrase three times in a row, you will destroy your card. -To enable OpenSC support: - -(1) install OpenSC: - - Sources and instructions are available from - http://www.opensc.org/ +(4) load a RSA key to the card: -(2) enable OpenSC support in OpenSSH: + $ ssh-keygen -f /path/to/rsakey -U 1 + (where 1 is the reader number, you can also try 0) - $ ./configure --with-opensc[=/path/to/opensc] [options] + In spite of the name, this does not generate a key. + It just loads an already existing key on to the card. -(3) load a RSA key to the card: +(5) tell the ssh client to use the card reader: - Not supported yet. + $ ssh -I 1 otherhost -Common smartcard options: +(6) or tell the agent (don't forget to restart) to use the smartcard: -(1) tell the ssh client to use the card reader: + $ ssh-add -s 1 - $ ssh -I <readernum, eg. 0> otherhost +(7) Optional: If you don't want to use a card passphrase, change the + acl on the private key file: -(2) or tell the agent (don't forget to restart) to use the smartcard: + $ sectok + sectok> login -d + sectok> acl 0012 world: w + world: w + AUT0: w inval + sectok> quit - $ ssh-add -s <readernum, eg. 0> + If you do this, anyone who has access to your card + can assume your identity. This is not recommended. -markus, -Sat Apr 13 13:48:10 EEST 2002 +Tue Jul 17 23:54:51 CEST 2001 + +$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ |