Warn user to remove old applet and keys

Remove warning about using production keys (we now have PIN protection)

1 files changed, 15 insertions, 12 deletions

diff --git a/usr.bin/ssh/README.smartcard b/usr.bin/ssh/README.smartcard
index 49c0cc5f031..7ba3cc42ec0 100644
--- a/usr.bin/ssh/README.smartcard
+++ b/usr.bin/ssh/README.smartcard
@@ -11,11 +11,20 @@ need to:
 		CFLAGS+=	-DSMARTCARD
 		LDADD+=	-lsectok
 
-(2) load the Java Cardlet to the Cyberflex card and set card passphrase:
+(2) If you have used a previous version of ssh with your card, you
+    must remove the old applet and keys.
 
 	$ sectok
 	sectok> login -d
 	sectok> junload Ssh.bin
+	sectok> delete 0012
+	sectok> delete sh
+	sectok> quit
+
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
+
+	$ sectok
+	sectok> login -d
 	sectok> jload /usr/libdata/ssh/Ssh.bin
 	sectok> setpass
 	Enter new AUT0 passphrase: 
@@ -29,15 +38,7 @@ need to:
 	wrong passphrase three times in a row, you will
 	destroy your card.
 
-	If you have loaded an older version of Ssh.bin on
-	your card previously, you must unload it and load
-	the new one.
-
-(3) load a RSA key to the card:
-
-	please don't use your production RSA keys, since
-	with the current version of sectok/ssh-keygen
-	the private key file is still readable
+(4) load a RSA key to the card:
 
 	$ ssh-keygen -f /path/to/rsakey -U 1
 	(where 1 is the reader number, you can also try 0)
@@ -45,13 +46,15 @@ need to:
 	In spite of the name, this does not generate a key.
 	It just loads an already existing key on to the card.
 
-(4) tell the ssh client to use the card reader:
+(5) tell the ssh client to use the card reader:
 
 	$ ssh -I 1 otherhost
 
-(5) or tell the agent (don't forget to restart) to use the smartcard:
+(6) or tell the agent (don't forget to restart) to use the smartcard:
 
 	$ ssh-add -s 1
 
 -markus,
 Tue Jul 17 23:54:51 CEST 2001
+
+$OpenBSD: README.smartcard,v 1.7 2002/03/25 16:47:17 rees Exp $