mirror of git://anongit.mindrot.org/openssh.git
- (djm) Sync README.smartcard with OpenBSD -current
parent 400b8786d6
commit c18c06e131
@ -1,3 +1,6 @@
20030609
- (djm) Sync README.smartcard with OpenBSD -current
20030606
- (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
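Review bot: the new 20030609 entry describes the README.smartcard change only as a sync with OpenBSD -current, but the README hunks below change the documented configure flag and remove the OpenSC instructions, so a few words naming what changed (the build-option text and the dropped section) would make this entry more useful to anyone later asking why the portable README differs from its previous version.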
@ -476,4 +479,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.2790 2003/06/06 00:46:04 dtucker Exp $
$Id: ChangeLog,v 1.2791 2003/06/10 08:55:22 djm Exp $
@ -1,54 +1,34 @@
How to use smartcards with OpenSSH?
OpenSSH contains experimental support for authentication using Cyberflex
smartcards and TODOS card readers, in addition to the cards with PKCS#15
structure supported by OpenSC.
OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:
WARNING: Smartcard support is still in development.
Keyfile formats, etc are still subject to change.
(1) enable SMARTCARD support in OpenSSH:
To enable sectok support:
$ ./configure --with-smartcard [...]
and rebuild
(1) install sectok:
(2) If you have used a previous version of ssh with your card, you
must remove the old applet and keys.
Sources and instructions are available from
http://www.citi.umich.edu/projects/smartcard/sectok.html
$ sectok
sectok> login -d
sectok> junload Ssh.bin
sectok> delete 0012
sectok> delete sh
sectok> quit
(2) enable sectok support in OpenSSH:
$ ./configure --with-sectok[=/path/to/libsectok] [options]
(3) load the Java Cardlet to the Cyberflex card:
(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
$ sectok
sectok> login -d
sectok> jload /usr/libdata/ssh/Ssh.bin
sectok> quit
(4) load a RSA key to the card:
Please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
the private key file is still readable.
$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
(5) optional:
Change the card password so that only you can
read the private key:
$ sectok
sectok> login -d
sectok> setpass
Enter new AUT0 passphrase:
Re-enter passphrase:
sectok> quit
This prevents reading the key but not use of the
key by the card applet.
Do not forget the passphrase. There is no way to
recover if you do.
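Review bot: the configure flag in the synced text does not match the one the removed text documented for this tree: the removed lines read `$ ./configure --with-sectok[=/path/to/libsectok] [options]` while the added lines read `$ ./configure --with-smartcard [...]` followed by `and rebuild`. Since portable OpenSSH is built from this tree's own configure script, check which option it actually accepts before the README is committed; if it is --with-sectok, adjust the synced line locally instead of copying it verbatim. A smaller point: the added step (2) (`junload Ssh.bin`, `delete 0012`, `delete sh`) removes the old applet and keys from the card, and the text says only that you "must" do it; a short clause that this discards whatever key the card currently holds would save a reader from running it on a card they still need.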
@ -56,30 +36,36 @@ To enable sectok support:
wrong passphrase three times in a row, you will
destroy your card.
To enable OpenSC support:
(4) load a RSA key to the card:
(1) install OpenSC:
$ ssh-keygen -f /path/to/rsakey -U 1
(where 1 is the reader number, you can also try 0)
Sources and instructions are available from
http://www.opensc.org/
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
(2) enable OpenSC support in OpenSSH:
(5) tell the ssh client to use the card reader:
$ ./configure --with-opensc[=/path/to/opensc] [options]
$ ssh -I 1 otherhost
(3) load a RSA key to the card:
(6) or tell the agent (don't forget to restart) to use the smartcard:
Not supported yet.
$ ssh-add -s 1
Common smartcard options:
(7) Optional: If you don't want to use a card passphrase, change the
acl on the private key file:
(1) tell the ssh client to use the card reader:
$ sectok
sectok> login -d
sectok> acl 0012 world: w
world: w
AUT0: w inval
sectok> quit
$ ssh -I <readernum, eg. 0> otherhost
(2) or tell the agent (don't forget to restart) to use the smartcard:
$ ssh-add -s <readernum, eg. 0>
If you do this, anyone who has access to your card
can assume your identity. This is not recommended.
-markus,
Sat Apr 13 13:48:10 EEST 2002
Tue Jul 17 23:54:51 CEST 2001
$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
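Review bot: the sync drops the whole OpenSC section (`To enable OpenSC support:`, the http://www.opensc.org/ pointer and `$ ./configure --with-opensc[=/path/to/opensc] [options]`), which is portable-specific build documentation; if --with-opensc is still accepted by configure in this tree, that section should be restored after the sync rather than lost with it. Two smaller points: the footer date line changes between `Sat Apr 13 13:48:10 EEST 2002` and `Tue Jul 17 23:54:51 CEST 2001`, so confirm the sync is not replacing newer text with an older copy; and the reader number is written as a literal `1` in `ssh -I 1 otherhost` and `ssh-add -s 1` but as `<readernum, eg. 0>` in the other form, so pick one convention. The placement of "If you do this, anyone who has access to your card can assume your identity. This is not recommended." directly after the step (7) `acl 0012 world: w` sequence is the right way to document that option and should stay attached to it.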