mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-25 11:38:10 +08:00
f6195f2be8
Antti Tapaninen <aet@cc.hut.fi>
86 lines
1.9 KiB
Plaintext
86 lines
1.9 KiB
Plaintext
How to use smartcards with OpenSSH?
|
|
|
|
OpenSSH contains experimental support for authentication using Cyberflex
|
|
smartcards and TODOS card readers, in addition to the cards with PKCS#15
|
|
structure supported by OpenSC.
|
|
|
|
WARNING: Smartcard support is still in development.
|
|
Keyfile formats, etc are still subject to change.
|
|
|
|
To enable sectok support:
|
|
|
|
(1) install sectok:
|
|
|
|
Sources and instructions are available from
|
|
http://www.citi.umich.edu/projects/smartcard/sectok.html
|
|
|
|
(2) enable sectok support in OpenSSH:
|
|
|
|
$ ./configure --with-sectok[=/path/to/libsectok] [options]
|
|
|
|
(3) load the Java Cardlet to the Cyberflex card:
|
|
|
|
$ sectok
|
|
sectok> login -d
|
|
sectok> jload /usr/libdata/ssh/Ssh.bin
|
|
sectok> quit
|
|
|
|
(4) load a RSA key to the card:
|
|
|
|
Please don't use your production RSA keys, since
|
|
with the current version of sectok/ssh-keygen
|
|
the private key file is still readable.
|
|
|
|
$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
|
|
|
|
In spite of the name, this does not generate a key.
|
|
It just loads an already existing key on to the card.
|
|
|
|
(5) optional:
|
|
|
|
Change the card password so that only you can
|
|
read the private key:
|
|
|
|
$ sectok
|
|
sectok> login -d
|
|
sectok> setpass
|
|
sectok> quit
|
|
|
|
This prevents reading the key but not use of the
|
|
key by the card applet.
|
|
|
|
Do not forget the passphrase. There is no way to
|
|
recover if you do.
|
|
|
|
IMPORTANT WARNING: If you attempt to login with the
|
|
wrong passphrase three times in a row, you will
|
|
destroy your card.
|
|
|
|
To enable OpenSC support:
|
|
|
|
(1) install OpenSC:
|
|
|
|
Sources and instructions are available from
|
|
http://www.opensc.org/
|
|
|
|
(2) enable OpenSC support in OpenSSH:
|
|
|
|
$ ./configure --with-opensc[=/path/to/opensc] [options]
|
|
|
|
(3) load a RSA key to the card:
|
|
|
|
Not supported yet.
|
|
|
|
Common smartcard options:
|
|
|
|
(1) tell the ssh client to use the card reader:
|
|
|
|
$ ssh -I <readernum, eg. 0> otherhost
|
|
|
|
(2) or tell the agent (don't forget to restart) to use the smartcard:
|
|
|
|
$ ssh-add -s <readernum, eg. 0>
|
|
|
|
-markus,
|
|
Sat Apr 13 13:48:10 EEST 2002
|