2001-09-18 07:06:21 +02:00
|
|
|
How to use smartcards with OpenSSH?
|
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
OpenSSH contains experimental support for authentication using
|
|
|
|
Cyberflex smartcards and TODOS card readers. To enable this you
|
|
|
|
need to:
|
2001-09-25 02:21:28 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(1) enable SMARTCARD support in OpenSSH:
|
2001-09-25 02:21:28 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
$ ./configure --with-smartcard [...]
|
|
|
|
and rebuild
|
2001-09-18 07:06:21 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(2) If you have used a previous version of ssh with your card, you
|
|
|
|
must remove the old applet and keys.
|
2001-09-18 07:06:21 +02:00
|
|
|
|
|
|
|
$ sectok
|
|
|
|
sectok> login -d
|
2003-06-10 10:55:22 +02:00
|
|
|
sectok> junload Ssh.bin
|
|
|
|
sectok> delete 0012
|
|
|
|
sectok> delete sh
|
2001-09-18 07:06:21 +02:00
|
|
|
sectok> quit
|
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
|
2001-09-18 07:06:21 +02:00
|
|
|
|
|
|
|
$ sectok
|
|
|
|
sectok> login -d
|
2003-06-10 10:55:22 +02:00
|
|
|
sectok> jload /usr/libdata/ssh/Ssh.bin
|
2001-09-18 07:06:21 +02:00
|
|
|
sectok> setpass
|
2003-06-10 10:55:22 +02:00
|
|
|
Enter new AUT0 passphrase:
|
|
|
|
Re-enter passphrase:
|
2001-09-18 07:06:21 +02:00
|
|
|
sectok> quit
|
|
|
|
|
|
|
|
Do not forget the passphrase. There is no way to
|
|
|
|
recover if you do.
|
|
|
|
|
|
|
|
IMPORTANT WARNING: If you attempt to login with the
|
|
|
|
wrong passphrase three times in a row, you will
|
|
|
|
destroy your card.
|
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(4) load a RSA key to the card:
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
$ ssh-keygen -f /path/to/rsakey -U 1
|
|
|
|
(where 1 is the reader number, you can also try 0)
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
In spite of the name, this does not generate a key.
|
|
|
|
It just loads an already existing key on to the card.
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(5) tell the ssh client to use the card reader:
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
$ ssh -I 1 otherhost
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(6) or tell the agent (don't forget to restart) to use the smartcard:
|
2002-04-23 14:48:46 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
$ ssh-add -s 1
|
2001-09-18 07:06:21 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
(7) Optional: If you don't want to use a card passphrase, change the
|
|
|
|
acl on the private key file:
|
2001-09-18 07:06:21 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
$ sectok
|
|
|
|
sectok> login -d
|
|
|
|
sectok> acl 0012 world: w
|
|
|
|
world: w
|
|
|
|
AUT0: w inval
|
|
|
|
sectok> quit
|
2001-09-18 07:06:21 +02:00
|
|
|
|
2003-06-10 10:55:22 +02:00
|
|
|
If you do this, anyone who has access to your card
|
|
|
|
can assume your identity. This is not recommended.
|
2001-09-18 07:06:21 +02:00
|
|
|
|
|
|
|
-markus,
|
2003-06-10 10:55:22 +02:00
|
|
|
Tue Jul 17 23:54:51 CEST 2001
|
|
|
|
|
|
|
|
$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
|