PIVKey and PuTTY-CAC for SSH on Windows

To authenticate to SSH with a PIVKey smart card on Windows, you can use PuTTY-CAC, a utility by Dan Risacher. PuTTY-CAC supports the Windows CAPI interface, so it works with PIVKey without installing middleware.

It can be found here: https://risacher.org/putty-cac/

It works with the default PIVKey certificate, or with your own certificate. Note that you may need to enable and configure SSH on your server if it is not already set up.

Configure PuTTY-CAC

Start up PuTTY-CAC and select Connection/SSH/Certificate.

If you want to authenticate directly through PuTTY, select "Set CAPI Cert" (or use Pageant as shown below).

Select the Browse button, and select the PIVKey Certificate you want to use.



Copy the SSH Keystring. Make sure you copy the entire string. It should look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4bxT3Gr/EVgU1tky67suIE08n8suP+EYoZIOuokgVzkOxAn2g9OPABs1af+4bfh6bvmroKZXMgkaVEHHKEcJcFz6I/9ZjSrmwcL5/ViivN88PB34c4+BvvFZezN67amZDIQXtYMHh611DHY9SNaHi/j882wQHpFNo/vEx+XWPo7DDgqhC0VfGZbjiQYu5 CAPI:User\MY\9F28CDF20F8D2188B3765BC5F5977CE4758F5C36

Add this to the public key file on your server, typically found at $home/.ssh/authorized_keys or $home/username/.ssh/authorized_keys
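A keystring that was only partially copied, or that picked up a line break on the way, will not match the key on the card, and each authorized_keys entry has to sit on a single line. The following added example (not part of the original article or of PuTTY-CAC) checks a pasted line before you append it: it decodes the base64 blob and confirms that its length-prefixed fields are complete. The function names and the sample key are constructed for illustration, and only ssh-rsa keys are handled.

```python
import base64
import struct

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of key data (string cut short?)")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def check_keystring(line):
    """Return (ok, detail) for one '<type> <base64> [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]' on one line"
    key_type, b64 = parts[0], parts[1]
    if key_type != "ssh-rsa":
        return False, "only ssh-rsa is handled in this sketch"
    try:
        fields = read_fields(base64.b64decode(b64, validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, str(exc)
    # An ssh-rsa blob is exactly: type string, exponent e, modulus n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return False, "blob does not match declared key type"
    bits = int.from_bytes(fields[2], "big").bit_length()
    return True, f"ssh-rsa, {bits}-bit modulus"

def sample_line():
    """Constructed input: a well-formed blob, NOT a real key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = b"\x00" + b"\xc3" * 256  # mpint with leading zero byte, 2048 bits
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " CAPI:User\\MY\\<thumbprint>"

if __name__ == "__main__":
    good = sample_line()
    print(check_keystring(good))
    # Simulate a partial copy: drop the comment and the last 40 characters
    print(check_keystring(good.rsplit(" ", 1)[0][:-40]))
```

Paste the string from PuTTY-CAC in place of sample_line() and append it to authorized_keys only when the check passes.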

Set up Pageant

Pageant.exe is an authentication agent that will authenticate on behalf of the PuTTY application and other applications like WinSCP. PuTTY-CAC comes with a version of Pageant that supports Smart Card Certificates. To configure Pageant, right-click it in the system tray, choose "View Keys & Certs", click the "Add CAPI Cert" button, and select the PIVKey Cert you want to use.


To use it, just set the application to use Pageant for authentication. For PuTTY-CAC, select Connection/SSH/Auth and select "Attempt authentication using Pageant".

For WinSCP, from the Login screen, select the site, select Edit for an existing site, then Advanced, SSH/Authentication and check "Attempt authentication with Pageant".


