1
How to use smartcards with OpenSSH?
3
OpenSSH contains experimental support for authentication using
4
Cyberflex smartcards and TODOS card readers, in addition to the cards
5
with PKCS#15 structure supported by OpenSC. To enable this you
10
(1) enable sectok support in OpenSSH:
12
$ ./configure --with-sectok
14
(2) If you have used a previous version of ssh with your card, you
15
must remove the old applet and keys.
19
sectok> junload Ssh.bin
24
(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
28
sectok> jload /usr/libdata/ssh/Ssh.bin
30
Enter new AUT0 passphrase:
34
Do not forget the passphrase. There is no way to
37
IMPORTANT WARNING: If you attempt to login with the
38
wrong passphrase three times in a row, you will
41
(4) load a RSA key to the card:
43
$ ssh-keygen -f /path/to/rsakey -U 1
44
(where 1 is the reader number, you can also try 0)
46
In spite of the name, this does not generate a key.
47
It just loads an already existing key on to the card.
49
(5) Optional: If you don't want to use a card passphrase, change the
50
acl on the private key file:
54
sectok> acl 0012 world: w
59
If you do this, anyone who has access to your card
60
can assume your identity. This is not recommended.
67
Sources and instructions are available from
68
http://www.opensc.org/
70
(2) enable OpenSC support in OpenSSH:
72
$ ./configure --with-opensc[=/path/to/opensc] [options]
74
(3) load a RSA key to the card:
81
(1) tell the ssh client to use the card reader:
85
(2) or tell the agent (don't forget to restart) to use the smartcard:
91
Tue Jul 17 23:54:51 CEST 2001
93
$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $