putty-cac icon indicating copy to clipboard operation
putty-cac copied to clipboard
verified publisher icon NoMoreFood

Support for proxying access to smartcards using p11-kit and SSH socket forwarding

Open catfish4254 opened this issue 1 year ago • 2 comments

Support for proxying access to smartcards. However, this requires presence of p11-kit and SSH socket forwarding support on the client side. Needed for PKINIT enforcement in-order for AD users to be issue PKINIT Kerberos TGT from a FreeIPA realm in a remote connection scenario. The ssh connection is initiated from PuttyCaC to a RHEL workstation.

p11-kit: https://www.redhat.com/en/blog/smart-card-forwarding-fedora

Windows builds of p11-kit are part of both Cygwin and MSYS2:

Cygwin: https://cygwin.com/cygwin/packages/summary/p11-kit-src.html

MSYS2: https://packages.msys2.org/base/p11-kit

Various SSH clients for Windows do support socket forwarding over SSH.

macOS versions of p11-kit are available from multiple sources (MacPorts, Homebrew, etc).

catfish4254 avatar Jul 16 '24 19:07 catfish4254

This looks like a pretty heavy lift both in a development sense and a test environment. Do you know of any SSH client on Windows (paid or free) that is currently capable of doing this?

NoMoreFood avatar Jul 16 '24 22:07 NoMoreFood

So I believe that Win32-OpenSSH supports socket forwarding. The p11-kit I have only seen that in Cygwin and Mingw which are Windows projects.

MinGW-w64 Cygwin

This article gives a great overview of how this is implemented by the user.

https://www.redhat.com/en/blog/smart-card-forwarding-fedora

Thank you for taking the time to respond.

catfish4254 avatar Jul 17 '24 13:07 catfish4254