
scard.c and libsectok

Now let's look at scard.c to see how ssh talks to the card.

First it opens a connection to the card reader by calling sectok_friendly_open. The arguments are the name of the reader, a flag that tells the reader not to wait for a card to be inserted, and the address of a word for status return.

Next, it calls sectok_reset to reset the card, and calls a function that returns the application class of the card (the first byte of each APDU).

Finally, it calls sectok_apdu to send a select APDU to the card, which selects the applet. The argument to the select is an AID (application identifier), a 5 to 32 byte string used to name applets.
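The select APDU described above, laid out byte by byte, as an added example that is not code from scard.c or libsectok. The helper names and the sample AID are made up for illustration; the AID length bounds are the ones given in the text, and the instruction and status word values are the standard ISO 7816-4 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define INS_SELECT 0xA4 /* ISO 7816-4 SELECT instruction */
#define P1_BY_NAME 0x04 /* P1: select by AID (DF name) */
#define AID_MIN    5    /* AID length range as given in the text above */
#define AID_MAX    32
#define APDU_HDR   5    /* CLA INS P1 P2 Lc */

/* Hypothetical helper: write CLA INS P1 P2 Lc AID into out.
 * Returns the APDU length, or -1 if the AID length is out of range
 * or the output buffer is too small (checked before any copy). */
int build_select_apdu(uint8_t cla, const uint8_t *aid, size_t aid_len,
                      uint8_t *out, size_t out_cap)
{
    if (aid == NULL || out == NULL)
        return -1;
    if (aid_len < AID_MIN || aid_len > AID_MAX)
        return -1;
    if (out_cap < APDU_HDR + aid_len)
        return -1;
    out[0] = cla;              /* application class: first byte of each APDU */
    out[1] = INS_SELECT;
    out[2] = P1_BY_NAME;
    out[3] = 0x00;             /* P2 */
    out[4] = (uint8_t)aid_len; /* Lc: number of data bytes that follow */
    memcpy(out + APDU_HDR, aid, aid_len);
    return (int)(APDU_HDR + aid_len);
}

/* Hypothetical helper: 1 if the 16-bit status word reports success.
 * 0x9000 is normal completion; 0x61xx is success with xx bytes waiting. */
int sw_ok(unsigned sw)
{
    return sw == 0x9000 || (sw & 0xFF00) == 0x6100;
}

/* Constructed sample AID, not the identifier of any real applet. */
static const uint8_t sample_aid[] = { 0xF0, 'D', 'E', 'M', 'O', '1' };

/* Build the select APDU for the sample AID with a constructed class byte. */
int select_len_for_sample(uint8_t *buf, size_t cap)
{
    return build_select_apdu(0x00, sample_aid, sizeof sample_aid, buf, cap);
}
```

A caller should test the status word with something like sw_ok after every APDU and stop on failure, so that a DECRYPT is never sent to a card on which the applet was not actually selected.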

When ssh wants to decrypt a challenge, it sends the challenge to the card in a DECRYPT APDU.

If you want to know how the key got stored on the card, take a look at ssh-keygen.c and search for "sectok_".