How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:

(1) enable SMARTCARD support in OpenSSH:

	$ vi /usr/src/usr.bin/ssh/Makefile.inc
	and uncomment
	CFLAGS+=	-DSMARTCARD
	LDADD+=		-lsectok

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set the card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase:
	Re-enter passphrase:
	sectok> quit

	Do not forget the passphrase. There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to log in with the
	wrong passphrase three times in a row, you will
	destroy your card.

(4) load an RSA key onto the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number; you can also try 0)

	In spite of the name, this does not generate a key.
	It just loads an already existing key onto the card.

(5) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(6) or tell the agent (don't forget to restart it) to use the smartcard:

	$ ssh-add -s 1

(7) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w
	world: w
	AUT0: w inval
	sectok> quit

	If you do this, anyone who has access to your card
	can assume your identity. This is not recommended.

-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $