
Load ssh-agent keys from MS-CAPI

Open iticory opened this issue 8 years ago • 13 comments

One of the major advantages of running ssh-agent on windows would be to authenticate using key material already securely stored in MS-CAPI. Please take advantage of this.

Similar functionality was created in a forked version of PuTTY called PuTTY-CAC: https://github.com/risacher/putty-cac

PuTTY-CAC was created to allow users to authenticate ssh sessions using the key material of a certificate on a smartcard. This allows them to use an agent where their private key is never even exposed to the local machine. However, it works using any certificate private key available to the user in MS-CAPI.

iticory avatar Apr 10 '16 18:04 iticory

Yes. This is in plan. Will likely come towards year end.

manojampalam avatar May 17 '16 01:05 manojampalam

Any recent movement on this? Would be nice to be able to use public keys stored on CAC card or yubikey devices. Agent would have to prompt for PIN. Like the putty cac pageant does.

kmeekva avatar May 28 '19 16:05 kmeekva

Likewise interested in this - Windows forces use of a software key in a file - even WSL2 cannot access the smartcard, so I'm going to have to reboot into Linux to get things done.

dwd avatar Aug 28 '19 18:08 dwd

Yes. This is in plan. Will likely come towards year end.

Has this plan been updated?

jamiehankins avatar Mar 02 '21 22:03 jamiehankins

Sorry for the pile-on, but there are a large number of US government customers who would benefit greatly from native MS-CAPI / ssh-agent integration on Windows for smartcard (CAC/PIV) authentication. Would love to see this happen.

chuckmilam avatar Mar 15 '21 18:03 chuckmilam

@NoMoreFood - You have deep insight into Win32-OpenSSH and putty CAC, will you be able to take this up? Once again appreciate all your contributions to Win32-OpenSSH.

bagajjal avatar Mar 16 '21 19:03 bagajjal

@chuckmilam have you tried https://github.com/cuviper/ssh-pageant ?

Essentially the flow would look like OpenSSH <> ssh-pageant (acting as ssh-agent) <> pageant (from PuTTY-CAC).

kategray avatar Apr 21 '21 22:04 kategray

@kategray I have not. Thank you for the suggestion. I may give it a try, but I'm not confident I'll be able to secure approval to use it in the long run. The issue in my environment would be introducing Cygwin, which would require a whole new round of approvals and questions about maintenance and concern for the potential for new vulnerabilities.

If we could just get Microsoft to support smartcards in their OpenSSH implementation, life would be great. It's easy to get approval for Microsoft-included OS features.

chuckmilam avatar Apr 22 '21 20:04 chuckmilam

@NoMoreFood - Could you please take a look at this issue.

bagajjal avatar Apr 22 '21 20:04 bagajjal

For the record, I've been in contact with @NoMoreFood, and he's been quite helpful and responsive on issues with PuTTY-CAC, but this isn't PuTTY-CAC. So, I'm confused.

chuckmilam avatar Apr 22 '21 21:04 chuckmilam

@chuckmilam if you look at the releases page, he contributes to Win32-OpenSSH as well as working on PuTTY-CAC.

kategray avatar Apr 23 '21 00:04 kategray

Oh! Got it. Thanks for clarifying.

chuckmilam avatar Apr 23 '21 00:04 chuckmilam

As a workaround until this is implemented, it's possible to use CAPI keys through a PKCS#11-CAPI bridge such as p11-capi or pvpkcs11.

I managed to connect to an SSH server using this command:

ssh -I ./p11capi_w64.dll server.example.com

To add the public key to the server's authorized_keys, I used putty-cac's "Copy to Clipboard" button.

e6c31d avatar May 10 '22 10:05 e6c31d
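The workaround in the last comment, as an added PowerShell example that is not code from the issue or from the Win32-OpenSSH project: it asks the PKCS#11-CAPI bridge for its public keys with `ssh-keygen -D` (so you do not need PuTTY-CAC's clipboard button to populate authorized_keys) and writes a per-host `PKCS11Provider` stanza, which is the ssh_config equivalent of `ssh -I`. The DLL path, host name and config path are assumptions.

```powershell
# Added example, not from the issue. Assumed: the bridge DLL sits in the
# current directory, the target host is server.example.com, and ssh-keygen
# is the Win32-OpenSSH copy on PATH.
param(
    [string]$Provider   = (Join-Path $PWD 'p11capi_w64.dll'),
    [string]$TargetHost = 'server.example.com',
    [string]$SshConfig  = (Join-Path $env:USERPROFILE '.ssh\config')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Provider)) {
    throw "PKCS#11 provider not found: $Provider"
}

# ssh-keygen -D loads the provider and prints one authorized_keys-style line
# per key it exposes. Only public halves leave the provider; private keys
# stay in CAPI (or on the smartcard behind it).
$output = & ssh-keygen -D $Provider 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "ssh-keygen could not load the provider: $output"
}

$keyLines = @($output | Where-Object { $_ -match '^(ssh-rsa|ecdsa-sha2-\S+|ssh-ed25519) ' })
if ($keyLines.Count -eq 0) {
    throw 'Provider loaded but exposed no keys (card inserted? certificate has a private key?)'
}

"Keys exposed by $Provider (append the one you want to ~/.ssh/authorized_keys on the server):"
foreach ($line in $keyLines) {
    # Fingerprint, so the key can be matched against the certificate in certmgr.msc
    # and against the server's auth log later. 'ssh-keygen -l -f -' reads stdin.
    $fp = $line | & ssh-keygen -l -f -
    "  $fp"
    "  $line"
}

# Per-host equivalent of 'ssh -I <dll> host'. Note: do not pair this with
# 'IdentitiesOnly yes' unless you also list the key's .pub file as an
# IdentityFile, because IdentitiesOnly filters out PKCS11Provider keys.
$stanza = @"

Host $TargetHost
    PKCS11Provider $Provider
"@
Add-Content -LiteralPath $SshConfig -Value $stanza
"Wrote PKCS11Provider stanza for $TargetHost to $SshConfig"
```

After this, `ssh $TargetHost` uses the bridge directly; the Windows ssh-agent is not involved, which is exactly the gap this issue asks to close.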