freebsd-skq/crypto/openssh/README.smartcard

94 lines
2.0 KiB
Plaintext
Raw Normal View History

2002-03-18 09:55:03 +00:00
How to use smartcards with OpenSSH?
2004-01-07 11:10:17 +00:00
OpenSSH contains experimental support for authentication using
2004-02-26 10:38:49 +00:00
Cyberflex smartcards and TODOS card readers, in addition to the cards
2004-01-07 11:10:17 +00:00
with PKCS#15 structure supported by OpenSC. To enable this you
need to:
2002-03-18 09:55:03 +00:00
2004-01-07 11:10:17 +00:00
Using libsectok:
2002-03-18 09:55:03 +00:00
2004-01-07 11:10:17 +00:00
(1) enable sectok support in OpenSSH:
2002-03-18 09:55:03 +00:00
2004-01-07 11:10:17 +00:00
$ ./configure --with-sectok
2002-06-27 22:31:32 +00:00
2004-01-07 11:10:17 +00:00
(2) If you have used a previous version of ssh with your card, you
must remove the old applet and keys.
2002-06-27 22:31:32 +00:00
2004-01-07 11:10:17 +00:00
$ sectok
sectok> login -d
sectok> junload Ssh.bin
sectok> delete 0012
sectok> delete sh
sectok> quit
2002-06-27 22:31:32 +00:00
2004-01-07 11:10:17 +00:00
(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
2002-03-18 09:55:03 +00:00
$ sectok
sectok> login -d
2002-06-27 22:31:32 +00:00
sectok> jload /usr/libdata/ssh/Ssh.bin
2004-01-07 11:10:17 +00:00
sectok> setpass
2004-02-26 10:38:49 +00:00
Enter new AUT0 passphrase:
Re-enter passphrase:
2002-03-18 09:55:03 +00:00
sectok> quit
2004-01-07 11:10:17 +00:00
Do not forget the passphrase. There is no way to
recover if you do.
2002-06-27 22:31:32 +00:00
2004-01-07 11:10:17 +00:00
IMPORTANT WARNING: If you attempt to login with the
wrong passphrase three times in a row, you will
destroy your card.
2002-06-27 22:31:32 +00:00
2004-01-07 11:10:17 +00:00
(4) load a RSA key to the card:
$ ssh-keygen -f /path/to/rsakey -U 1
(where 1 is the reader number, you can also try 0)
2002-06-27 22:31:32 +00:00
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
2004-01-07 11:10:17 +00:00
(5) Optional: If you don't want to use a card passphrase, change the
acl on the private key file:
2002-03-18 09:55:03 +00:00
$ sectok
sectok> login -d
2004-02-26 10:38:49 +00:00
sectok> acl 0012 world: w
world: w
AUT0: w inval
2002-03-18 09:55:03 +00:00
sectok> quit
2004-01-07 11:10:17 +00:00
If you do this, anyone who has access to your card
can assume your identity. This is not recommended.
2002-03-18 09:55:03 +00:00
2004-01-07 11:10:17 +00:00
Using OpenSC:
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
(1) install OpenSC:
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
Sources and instructions are available from
http://www.opensc.org/
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
(2) enable OpenSC support in OpenSSH:
2002-03-18 09:55:03 +00:00
2002-06-27 22:31:32 +00:00
$ ./configure --with-opensc[=/path/to/opensc] [options]
2002-03-18 09:55:03 +00:00
2002-06-27 22:31:32 +00:00
(3) load a RSA key to the card:
2002-03-18 09:55:03 +00:00
2002-06-27 22:31:32 +00:00
Not supported yet.
2002-03-18 09:55:03 +00:00
2004-01-07 11:10:17 +00:00
Common operations:
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
(1) tell the ssh client to use the card reader:
2002-06-23 14:01:54 +00:00
2004-01-07 11:10:17 +00:00
$ ssh -I 1 otherhost
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
(2) or tell the agent (don't forget to restart) to use the smartcard:
2004-01-07 11:10:17 +00:00
$ ssh-add -s 1
2002-06-23 14:01:54 +00:00
2002-06-27 22:31:32 +00:00
-markus,
2004-01-07 11:10:17 +00:00
Tue Jul 17 23:54:51 CEST 2001
2004-02-26 10:38:49 +00:00
$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $