Yubikey with Putty WinCrypt (PIV) for SSH
Notes:
0) WinCryptSSHAgent - https://github.com/buptczq/WinCryptSSHAgent
 * Supports every Windows client interface needed for most applications (pageant/auth_sock/securecrt)
 * This interface just selects "all" certificates that it believes are applicable
 * At auth time, the PIN will be requested through the Windows WinCrypt API as needed
 * Notifications when PIV certificates are being used (even with downstream ssh agent passthrough if enabled, nice!)
1) Putty Wincrypt - https://github.com/ufrisk/puttywincrypt
 * Supports RSA 1024/2048 keys generated by Yubikey Manager
 * Will support Yubikey with both USB and NFC interface (with an appropriate NFC reader)
 * Version tends to lag the current release version of putty a bit due to developer availability and code restructuring upstream
 * Supports the new SSH->Auth->Private key file putty UI pref for cert://CN=FOO syntax and cert://thumbprint=ffbbaa syntax or combos
 * I like to use a CN of "SSH context" when generating (where context is a year or special use case or host), then just use cert://CN=SSH which will do a substring "beginning with" search and find all CN strings that start with SSH.
 * Pageant-Wincrypt has some helpful features for getting started
   * Lacks some of normal pageant functionality (context of opening existing saved session names)
   * Can be used with standard putty (does not require putty-wincrypt)
   * Add Certificate from the context menu to show the CAPI UI for cert selection
   * View Keys from the context menu, then double-click a key to copy its public key to the clipboard for insertion into the authorized_keys file
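The `cert://CN=...` "beginning with" search and the `cert://thumbprint=...` lookup described above, modelled as an added example; this is not code from puttywincrypt, WinCryptSSHAgent or any other project on this page. The Windows certificate store is replaced by a constructed in-memory list of subject CN / thumbprint pairs. The thumbprint normalisation (stripping the spaces and colons the certificate dialog adds, ignoring case), the case-sensitive CN prefix comparison and the rejection of malformed selectors are assumptions about reasonable behaviour, and the combined-selector form the notes mention is not modelled because the page does not spell out its syntax. What the example makes visible is that a short CN prefix such as `SSH` can match more than one certificate, so the agent may offer a key other than the one intended, while a thumbprint pins exactly one.

```python
"""Model of puttywincrypt-style cert:// selectors against a certificate store.

Added illustration, not code from puttywincrypt or WinCryptSSHAgent.  The
Windows CAPI store is replaced by a constructed list of (subject CN,
thumbprint) records; normalisation rules and error handling are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    cn: str          # subject Common Name as typed into the PIV key generator
    thumbprint: str  # SHA-1 thumbprint, lowercase hex, no separators


# Constructed sample store; these are not real certificates or thumbprints.
STORE: List[Cert] = [
    Cert("SSH 2020", "ffbbaa00112233445566778899aabbccddeeff00"),
    Cert("SSH backup host", "0102030405060708090a0b0c0d0e0f1011121314"),
    Cert("Code Signing", "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    Cert("ssh-lowercase", "a1a2a3a4a5a6a7a8a9a0b1b2b3b4b5b6b7b8b9b0"),
]

HEX_DIGITS = set("0123456789abcdef")


def normalize_thumbprint(value: str) -> str:
    """Accept the 'FF:BB:AA:..' or 'ff bb aa ..' forms the certificate dialog
    shows and reduce them to 40 lowercase hex digits (assumed behaviour)."""
    cleaned = "".join(ch for ch in value if ch not in " :").lower()
    if len(cleaned) != 40 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def parse_selector(selector: str) -> Tuple[str, str]:
    """Split 'cert://KEY=VALUE' into ('cn' | 'thumbprint', value).

    Only the two single-criterion forms named in the notes are handled;
    anything else is rejected rather than silently matching nothing."""
    scheme = "cert://"
    if not selector.startswith(scheme):
        raise ValueError(f"selector must start with {scheme}: {selector!r}")
    key, sep, value = selector[len(scheme):].partition("=")
    if not sep or not value:
        raise ValueError(f"selector needs KEY=VALUE: {selector!r}")
    key = key.lower()
    if key == "cn":
        return "cn", value
    if key == "thumbprint":
        return "thumbprint", normalize_thumbprint(value)
    raise ValueError(f"unsupported selector key {key!r}")


def select(store: List[Cert], selector: str) -> List[Cert]:
    """Return every certificate the selector would pick, in store order."""
    kind, value = parse_selector(selector)
    if kind == "cn":
        # The "beginning with" search from the notes: a CN prefix match.
        # Case-sensitive here; the page does not say whether the tool folds case.
        return [c for c in store if c.cn.startswith(value)]
    # A thumbprint identifies one certificate, so at most one record comes back.
    return [c for c in store if c.thumbprint == value]


def is_ambiguous(store: List[Cert], selector: str) -> bool:
    """True when the selector matches more than one certificate, i.e. the
    agent could offer a key other than the one the operator meant."""
    return len(select(store, selector)) > 1


if __name__ == "__main__":
    for sel in ("cert://CN=SSH", "cert://CN=SSH 2020",
                "cert://thumbprint=FF:BB:AA:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00"):
        hits = select(STORE, sel)
        flag = "  <-- ambiguous" if is_ambiguous(STORE, sel) else ""
        print(f"{sel}: {[c.cn for c in hits]}{flag}")
```

Running the block shows `cert://CN=SSH` picking both `SSH 2020` and `SSH backup host`, `cert://CN=SSH 2020` narrowing to one, and the thumbprint form selecting exactly one record regardless of how the hex was pasted. The `is_ambiguous` check is the thing to look at before settling on a broad CN prefix in the putty pref: if it fires, either lengthen the CN or switch to the thumbprint form.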
2) Yubikey Manager - https://www.yubico.com/products/services-software/download/yubikey-manager/
 * Generate a PIV private key for SSH use
 * Supports RSA1024/RSA2048 on PIV-capable Yubikeys for SSH
 * After generating a new key (or importing one), remove and re-insert the Yubikey to allow sync with the CAPI cert cache listing
 * Can be used with PIV slots 9A, 9C, 9D, 9E