PIVKey and PuTTY-CAC for SSH on Windows

To authenticate over SSH with a PIVKey smart card on Windows, you can use a utility called PuTTY-CAC by Dan Risacher. PuTTY-CAC supports the Windows CAPI interface, so it works with PIVKey without installing any middleware.

It can be found here: https://risacher.org/putty-cac/

It works with the default PIVKey certificate or with your own certificate. Note that you may need to enable and configure SSH on your server if it is not already set up.

Configure PuTTY-CAC

Start PuTTY-CAC and select Connection/SSH/Certificate.

If you want to authenticate directly through PuTTY, select "Set CAPI Cert" (or use Pageant as shown below).

Click the Browse button and select the PIVKey certificate you want to use.

[Screenshot: putty2.jpg]

Copy the SSH key string. Make sure you copy the entire string; it should look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4bxT3Gr/EVgU1tky67suIE08n8suP+EYoZIOuokgVzkOYtYqkizcEk0w8GSUktdNJcVSpZXyTjpuY1Qi0zdrhz1zJSl4j3Kv0PxKsSalxM1lggsVG1QhDxLy2ec03GHCIPlH9BnmW4+MD9DWHrosW0e2Lws4TvsyddWPtWomk0D5WAMzhtMHks5TMG8TbowehM65xAn2g9OPABs1af+4bfh6bvmroKZXMgkaVEHHKEcJcFz6I/9ZjSrmwcL5/ViivN88PB34c4+BvvFZezN67amZDIQXtYMHh611DHY9SNaHi/j882wQHpFNo/vEx+XWPo7DDgqhC0VfGZbjiQYu5 CAPI:User\MY\9F28CDF20F8D2188B3765BC5F5977CE4758F5C36

Add this line to the authorized keys file on your server, typically found at $HOME/.ssh/authorized_keys (for example /home/username/.ssh/authorized_keys).
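As an added example (not part of the PIVKey or PuTTY-CAC documentation), the following Python script checks that a copied key string is complete before it goes into authorized_keys: it decodes the ssh-rsa body, rejects truncated or line-wrapped copies, and reports the key size, exponent and OpenSSH-style fingerprint. The sample key string is constructed, not a real PIVKey key, and the meaning of the three CAPI comment fields is assumed.

```python
"""Check that a PuTTY-CAC key string is complete before adding it to authorized_keys."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: leading 0x00 byte when the top bit is set, as OpenSSH encodes it."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_capi_keystring(line: str) -> dict:
    """Parse 'ssh-rsa <base64> CAPI:Store\\Container\\Thumbprint' into key facts.
    Raises ValueError if the body is not one complete ssh-rsa key (an incomplete copy)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
        off, fields = 0, []
        for _ in range(3):  # key type, public exponent e, modulus n
            (length,) = struct.unpack(">I", blob[off:off + 4])
            fields.append(blob[off + 4:off + 4 + length])
            off += 4 + length
    except (ValueError, struct.error) as exc:
        raise ValueError("key body is not valid base64/wire format (incomplete copy?)") from exc
    key_type, e_bytes, n_bytes = fields
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob is not exactly one ssh-rsa key (truncated or trailing data)")
    info = {
        "bits": int.from_bytes(n_bytes, "big").bit_length(),
        "e": int.from_bytes(e_bytes, "big"),
        # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob
        "fingerprint": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "capi": None,
    }
    comment = parts[2] if len(parts) == 3 else ""
    if comment.startswith("CAPI:"):  # sshd treats this as a comment; only PuTTY/Pageant use it
        capi = comment[len("CAPI:"):].split("\\")
        if len(capi) == 3:  # field meaning (store location, store name, thumbprint) is assumed
            info["capi"] = dict(zip(("store", "container", "thumbprint"), capi))
    return info


# Constructed sample (not a real PIVKey key): 2048-bit modulus, e = 65537, placeholder thumbprint
_SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 12345)
SAMPLE_KEYSTRING = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " CAPI:User\\MY\\" + "00" * 20
```

If the script raises, the string was wrapped or cut during copying; recopy the whole string from PuTTY-CAC rather than editing the file by hand.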

Set up Pageant

Pageant.exe is an authentication agent that authenticates on behalf of PuTTY and other applications such as WinSCP. PuTTY-CAC comes with a version of Pageant that supports smart card certificates. To configure Pageant, right-click its icon in the system tray, choose "View Keys & Certs", click the "Add CAPI Cert" button, and select the PIVKey certificate you want to use.

[Screenshot: pageant1.jpg]

To use it, set the application to authenticate via Pageant. For PuTTY-CAC, select Connection/SSH/Auth and check "Attempt authentication using Pageant".

For WinSCP, from the Login screen select the site, click Edit for an existing site, then Advanced, SSH/Authentication, and check "Attempt authentication with Pageant".
