freebsd_amp_hwpstate/crypto/openssh/README.smartcard

How to use smartcards with OpenSSH?

OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers, in addition to the cards
with PKCS#15 structure supported by OpenSC. To enable this you
need to:

Using libsectok:

(1) enable sectok support in OpenSSH:

	$ ./configure --with-sectok

(2) If you have used a previous version of ssh with your card, you
    must remove the old applet and keys.

	$ sectok
	sectok> login -d
	sectok> junload Ssh.bin
	sectok> delete 0012
	sectok> delete sh
	sectok> quit

(3) load the Java Cardlet to the Cyberflex card and set card passphrase:

	$ sectok
	sectok> login -d
	sectok> jload /usr/libdata/ssh/Ssh.bin
	sectok> setpass
	Enter new AUT0 passphrase:
	Re-enter passphrase:
	sectok> quit

	Do not forget the passphrase.  There is no way to
	recover if you do.

	IMPORTANT WARNING: If you attempt to login with the
	wrong passphrase three times in a row, you will
	destroy your card.

(4) load a RSA key to the card:

	$ ssh-keygen -f /path/to/rsakey -U 1
	(where 1 is the reader number, you can also try 0)

	In spite of the name, this does not generate a key.
	It just loads an already existing key on to the card.

(5) Optional: If you don't want to use a card passphrase, change the
    acl on the private key file:

	$ sectok
	sectok> login -d
	sectok> acl 0012 world: w
	 world: w
	 AUT0: w inval
	sectok> quit

	If you do this, anyone who has access to your card
	can assume your identity.  This is not recommended.


Using OpenSC:

(1) install OpenSC:

	Sources and instructions are available from
	http://www.opensc.org/

(2) enable OpenSC support in OpenSSH:

	$ ./configure --with-opensc[=/path/to/opensc] [options]

(3) load a RSA key to the card:

	Not supported yet.


Common operations:

(1) tell the ssh client to use the card reader:

	$ ssh -I 1 otherhost

(2) or tell the agent (don't forget to restart) to use the smartcard:

	$ ssh-add -s 1


-markus,
Tue Jul 17 23:54:51 CEST 2001

$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00			`How to use smartcards with OpenSSH?`

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`OpenSSH contains experimental support for authentication using`
Vendor import of OpenSSH 3.8p1. 2004-02-26 10:38:49 +00:00			`Cyberflex smartcards and TODOS card readers, in addition to the cards`
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`with PKCS#15 structure supported by OpenSC. To enable this you`
			`need to:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`Using libsectok:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`(1) enable sectok support in OpenSSH:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`$ ./configure --with-sectok`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`(2) If you have used a previous version of ssh with your card, you`
			`must remove the old applet and keys.`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`$ sectok`
			`sectok> login -d`
			`sectok> junload Ssh.bin`
			`sectok> delete 0012`
			`sectok> delete sh`
			`sectok> quit`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`(3) load the Java Cardlet to the Cyberflex card and set card passphrase:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
			`$ sectok`
			`sectok> login -d`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`sectok> jload /usr/libdata/ssh/Ssh.bin`
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`sectok> setpass`
Vendor import of OpenSSH 3.8p1. 2004-02-26 10:38:49 +00:00			`Enter new AUT0 passphrase:`
			`Re-enter passphrase:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00			`sectok> quit`

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`Do not forget the passphrase. There is no way to`
			`recover if you do.`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`IMPORTANT WARNING: If you attempt to login with the`
			`wrong passphrase three times in a row, you will`
			`destroy your card.`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`(4) load a RSA key to the card:`

			`$ ssh-keygen -f /path/to/rsakey -U 1`
			`(where 1 is the reader number, you can also try 0)`
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00
			`In spite of the name, this does not generate a key.`
			`It just loads an already existing key on to the card.`

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`(5) Optional: If you don't want to use a card passphrase, change the`
			`acl on the private key file:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
			`$ sectok`
			`sectok> login -d`
Vendor import of OpenSSH 3.8p1. 2004-02-26 10:38:49 +00:00			`sectok> acl 0012 world: w`
			`world: w`
			`AUT0: w inval`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00			`sectok> quit`

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`If you do this, anyone who has access to your card`
			`can assume your identity. This is not recommended.`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`Using OpenSC:`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`(1) install OpenSC:`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`Sources and instructions are available from`
			`http://www.opensc.org/`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`(2) enable OpenSC support in OpenSSH:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`$ ./configure --with-opensc[=/path/to/opensc] [options]`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`(3) load a RSA key to the card:`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`Not supported yet.`
Vendor import of OpenSSH 3.1 2002-03-18 09:55:03 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00
			`Common operations:`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`(1) tell the ssh client to use the card reader:`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`$ ssh -I 1 otherhost`
Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`(2) or tell the agent (don't forget to restart) to use the smartcard:`

Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`$ ssh-add -s 1`

Vendor import of OpenSSH 3.3. 2002-06-23 14:01:54 +00:00
Vendor import of OpenSSH 3.3p1. 2002-06-27 22:31:32 +00:00			`-markus,`
Vendor import of OpenSSH 3.7.1p2. 2004-01-07 11:10:17 +00:00			`Tue Jul 17 23:54:51 CEST 2001`

Vendor import of OpenSSH 3.8p1. 2004-02-26 10:38:49 +00:00			$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $