@daemonhorn
Last active March 19, 2020 06:36
Yubikey with Putty WinCrypt (PIV) for SSH
Notes:
0) WinCryptSSHAgent - https://github.com/buptczq/WinCryptSSHAgent
* Supports every Windows client interface needed for most applications (pageant/auth_sock/securecrt)
* This interface just selects "all" certificates that it believes are applicable
* At auth time, the PIN will be requested via the Windows WinCrypt API as needed
* Notifications when PIV certificates are being used (even with downstream ssh agent passthrough if enabled, nice!)
1) Putty Wincrypt - https://github.com/ufrisk/puttywincrypt
* Supports RSA 1024/2048 Keys generated by Yubikey manager
* Will support Yubikey with both USB and NFC interface (with appropriate NFC reader)
* Version tends to lag current release version of putty a bit due to developer availability and code restructure upstream
* Supports new SSH->Auth->Private key file putty ui pref for cert://CN=FOO syntax and cert://thumbprint=ffbbaa syntax or combos
* I like to use a CN of "SSH context" when generating (where context is a year, special use case or host), then just use cert://CN=SSH, which does a "beginning with" substring search and matches every CN that starts with SSH.
* Pageant-Wincrypt has some helpful features for getting started
* Lacks some of normal pageant functionality (context of opening existing saved session names)
* Can be used with standard putty (does not require putty-wincrypt)
* Add Certificate from context menu to show CAPI ui for cert selection
* View Keys from context menu, then double click mouse on key will copy public key to clipboard for insertion into authorized_keys file
2) Yubikey Manager - https://www.yubico.com/products/services-software/download/yubikey-manager/
* Generate PIV private key for SSH utilization
* Supports RSA1024/RSA2048 on PIV capable yubikeys for SSH
* After generating a new key (or importing), remove and re-insert yubikey to allow sync with CAPI cert cache listing
* Can be used with PIV Slot 9A, 9C, 9D, 9E
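Added example (not part of the gist or of any of the projects above): a PowerShell snippet that lists the CAPI certificates whose Subject CN begins with a prefix, mirroring the "beginning with" match that cert://CN=SSH performs, and builds the ssh-rsa authorized_keys line and SHA256 fingerprint from each RSA public key, so the key you paste on the server can be checked against what the agent will offer. It assumes the Yubikey PIV certificates are in Cert:\CurrentUser\My and that .NET 4.7.1 or newer is available for RSACertificateExtensions; the $Prefix parameter and the function names are mine.

```powershell
# Added example, not code from the gist: find CAPI certs whose CN starts with
# $Prefix (the match cert://CN=<prefix> uses) and emit OpenSSH public key data.
# Assumptions: certs are in Cert:\CurrentUser\My; .NET 4.7.1+ for
# RSACertificateExtensions::GetRSAPublicKey.
param([string]$Prefix = 'SSH')

function ConvertTo-SshUInt32 {
    # 4-byte big-endian length prefix used by the SSH wire format
    param([int]$Value)
    $b = [System.BitConverter]::GetBytes([int32]$Value)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($b) }
    return [byte[]]$b
}

function ConvertTo-SshMpint {
    # mpint: length || big-endian magnitude, with a leading 0x00 when the high
    # bit is set so the value is read as positive
    param([byte[]]$Bytes)
    if ($Bytes[0] -band 0x80) { $Bytes = [byte[]](@([byte]0) + $Bytes) }
    return [byte[]]((ConvertTo-SshUInt32 $Bytes.Length) + $Bytes)
}

function ConvertTo-SshString {
    # string: length || ASCII bytes
    param([string]$Text)
    $b = [System.Text.Encoding]::ASCII.GetBytes($Text)
    return [byte[]]((ConvertTo-SshUInt32 $b.Length) + $b)
}

Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    # Same "beginning with" test on the CN that cert://CN=<prefix> applies
    $_.Subject -match '^CN=([^,]*)' -and $Matches[1].StartsWith($Prefix)
} | ForEach-Object {
    # Extension method, so call it statically (PowerShell does not bind extension methods)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
    if (-not $rsa) { Write-Warning "Skipping non-RSA cert $($_.Thumbprint)"; return }
    $p = $rsa.ExportParameters($false)   # public parameters only: Exponent, Modulus

    # ssh-rsa public key blob: string("ssh-rsa") || mpint(e) || mpint(n)
    $blob = [byte[]]((ConvertTo-SshString 'ssh-rsa') +
                     (ConvertTo-SshMpint $p.Exponent) +
                     (ConvertTo-SshMpint $p.Modulus))
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($blob)
    $fp = [Convert]::ToBase64String($digest).TrimEnd('=')

    [pscustomobject]@{
        Subject            = $_.Subject
        Thumbprint         = $_.Thumbprint              # usable as cert://thumbprint=...
        Fingerprint        = "SHA256:$fp"               # what ssh -v / sshd logs show
        AuthorizedKeysLine = 'ssh-rsa ' + [Convert]::ToBase64String($blob) + ' ' + $_.Subject
    }
}
```

Run it with `.\List-SshCerts.ps1 -Prefix SSH` (or whatever CN prefix you chose) and compare the Fingerprint column against the key fingerprint reported by `ssh -v` during authentication; the Thumbprint column gives you the exact value to use in a cert://thumbprint= reference if you want to pin one certificate rather than rely on the CN prefix match.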