|
Lines 1-31
|
| 1 |
How to use smartcards with OpenSSH? |
1 |
How to use smartcards with OpenSSH? |
| 2 |
|
2 |
|
| 3 |
OpenSSH contains experimental support for authentication using |
3 |
OpenSSH contains experimental support for authentication using Cyberflex |
| 4 |
Cyberflex smartcards and TODOS card readers, in addition to the cards with |
4 |
smartcards and TODOS card readers, in addition to the cards with PKCS#15 |
| 5 |
PKCS #15 structure supported by OpenSC. |
5 |
structure supported by OpenSC. |
| 6 |
|
6 |
|
| 7 |
WARNING: Smartcard support is still in development. Keyfile formats, etc |
7 |
WARNING: Smartcard support is still in development. |
| 8 |
are still subject to change. |
8 |
Keyfile formats, etc are still subject to change. |
| 9 |
|
9 |
|
| 10 |
To enable this you need to: |
10 |
To enable sectok support: |
| 11 |
|
11 |
|
| 12 |
(1) install sectok or OpenSC |
12 |
(1) install sectok: |
| 13 |
|
13 |
|
| 14 |
Sources are instructions are available from |
14 |
Sources and instructions are available from |
| 15 |
http://www.citi.umich.edu/projects/smartcard/sectok.html |
15 |
http://www.citi.umich.edu/projects/smartcard/sectok.html |
| 16 |
|
16 |
|
| 17 |
or |
17 |
(2) enable sectok support in OpenSSH: |
| 18 |
|
|
|
| 19 |
http://www.opensc.org/ |
| 20 |
|
| 21 |
(2) enable SMARTCARD support in OpenSSH: |
| 22 |
|
18 |
|
| 23 |
$ ./configure --with-sectok[=/path/to/libsectok] [options] |
19 |
$ ./configure --with-sectok[=/path/to/libsectok] [options] |
| 24 |
|
20 |
|
| 25 |
or |
|
|
| 26 |
|
| 27 |
$ ./configure --with-opensc[=/path/to/opensc] [options] |
| 28 |
|
| 29 |
(3) load the Java Cardlet to the Cyberflex card: |
21 |
(3) load the Java Cardlet to the Cyberflex card: |
| 30 |
|
22 |
|
| 31 |
$ sectok |
23 |
$ sectok |
|
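Review bot: "Keyfile formats, etc are still subject to change." at new line 8 should read "etc." with the abbreviation period; the reflow of the WARNING onto two lines is otherwise fine. Splitting the old single sequence "(1) install sectok or OpenSC ... (2) enable SMARTCARD support" into a sectok-only section that restarts at (1) is clearer, but because this hunk drops the "or http://www.opensc.org/" alternative and the --with-opensc configure line, the OpenSC section added later in the file must carry both (the final hunk does). Consider also keeping a pointer here that holders of PKCS#15 cards should skip to the OpenSC section, since the intro sentence at lines 3-5 is the only place the Cyberflex/sectok versus PKCS#15/OpenSC distinction is made.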
Lines 35-46
|
| 35 |
|
27 |
|
| 36 |
(4) load a RSA key to the card: |
28 |
(4) load a RSA key to the card: |
| 37 |
|
29 |
|
| 38 |
please don't use your production RSA keys, since |
30 |
Please don't use your production RSA keys, since |
| 39 |
with the current version of sectok/ssh-keygen |
31 |
with the current version of sectok/ssh-keygen |
| 40 |
the private key file is still readable |
32 |
the private key file is still readable. |
| 41 |
|
33 |
|
| 42 |
$ ssh-keygen -f /path/to/rsakey -U 1 |
34 |
$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> |
| 43 |
(where 1 is the reader number, you can also try 0) |
|
|
| 44 |
|
35 |
|
| 45 |
In spite of the name, this does not generate a key. |
36 |
In spite of the name, this does not generate a key. |
| 46 |
It just loads an already existing key on to the card. |
37 |
It just loads an already existing key on to the card. |
|
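Review bot: The warning at new lines 30-32 ("with the current version of sectok/ssh-keygen the private key file is still readable") is ambiguous about what is readable: the on-disk file given as -f /path/to/rsakey, or the key as it ends up on the card. The advice not to use production keys hinges on this, so state it explicitly, for example "the key can be read back from the card" or "the key file remains on disk after loading", whichever is the case. Style: "-U <readernum, eg. 0>" should be "e.g. 0"; replacing the literal "-U 1" plus the "(you can also try 0)" hint with a placeholder is a good change, since the reader number is site-specific.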
Lines 65-77
|
| 65 |
wrong passphrase three times in a row, you will |
56 |
wrong passphrase three times in a row, you will |
| 66 |
destroy your card. |
57 |
destroy your card. |
| 67 |
|
58 |
|
| 68 |
(6) tell the ssh client to use the card reader: |
59 |
To enable OpenSC support: |
|
|
60 |
|
| 61 |
(1) install OpenSC: |
| 62 |
|
| 63 |
Sources and instructions are available from |
| 64 |
http://www.opensc.org/ |
| 65 |
|
| 66 |
(2) enable OpenSC support in OpenSSH: |
| 67 |
|
| 68 |
$ ./configure --with-opensc[=/path/to/opensc] [options] |
| 69 |
|
| 70 |
(3) load a RSA key to the card: |
| 71 |
|
| 72 |
Not supported yet. |
| 73 |
|
| 74 |
Common smartcard options: |
| 75 |
|
| 76 |
(1) tell the ssh client to use the card reader: |
| 69 |
|
77 |
|
| 70 |
$ ssh -I 1 otherhost |
78 |
$ ssh -I <readernum, eg. 0> otherhost |
| 71 |
|
79 |
|
| 72 |
(7) or tell the agent (don't forget to restart) to use the smartcard: |
80 |
(2) or tell the agent (don't forget to restart) to use the smartcard: |
| 73 |
|
81 |
|
| 74 |
$ ssh-add -s 1 |
82 |
$ ssh-add -s <readernum, eg. 0> |
| 75 |
|
83 |
|
| 76 |
-markus, |
84 |
-markus, |
| 77 |
Tue Jul 17 23:54:51 CEST 2001 |
85 |
Sat Apr 13 13:48:10 EEST 2002 |
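Review bot: "(3) load a RSA key to the card: Not supported yet." at new lines 70-72 leaves a reader with a PKCS#15 card without a next step; say that the key must already be present on the card in the PKCS#15 structure named in the intro (provisioned outside OpenSSH), so the entry reads as a limitation of OpenSSH rather than a dead end. Grammar: "a RSA key" should be "an RSA key" here and at new line 28. In "(2) or tell the agent (don't forget to restart)" say what to restart, the agent itself, and the placeholders in "ssh -I <readernum, eg. 0>" and "ssh-add -s <readernum, eg. 0>" should use "e.g." like the ssh-keygen example.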