Windows SSH with MFA / SmartCard auth

There are likely several ways to accomplish this.

  • Putty CAC - Below

  • OpenSC SSH page recommendations

  • OpenSC Windows binaries -- perhaps combined with Windows native OpenSSH clients -- Seems there is work being done here

  • Sadly, WSL USB device support is very limited. You might try token2shell passthrough, see here and here

Putty and SmartCard Auth

How to configure the venerable putty (Putty CAC fork) to work with ORNL SmartCard auth -- well, one way at least.

Install Putty CAC

Determine what cert to load into Putty

TL;DR: it's likely the one presented as:
Issuer: Entrust Managed Service SSP CA

One way is to connect with Linux to see the key presented.

Then dump and view the cert to know which one to select in the Windows Security cert viewer when adding it to Putty.

E.g. Linux ssh -vv shows:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:DJ7V9NPhhjT6E2FhYC46+wrsdiNOzLt/9S6SrCLpzDE

Get cert info:

pae@cataclysm:~$ pkcs15-tool -r 01 > cert01.out
Using reader with a card: Cherry GmbH SmartTerminal XX44 01 00

pae@cataclysm:~$ openssl x509 -noout -fingerprint -sha256 -inform pem -in cert01.out
SHA256 Fingerprint=4C:E5:13:86:0B:9E:23:79:40:6A:B2:F5:5D:5E:32:05:A1:0D:10:0A:4F:D8:09:82:09:90:73:42:68:F0:DA:76

pae@cataclysm:~$ openssl x509 -in cert01.out -text -noout | grep -A1 "Subject Key Identifier"
            X509v3 Subject Key Identifier:

You can then match the cert info (Subject Key Identifier) against certs presented in Windows Security / cert navigator:

E.g. Details -> Subject Key Identifier -> KeyID = "40:D4:F9:7A:E0..." from above

Get key fingerprint, from cert, that matches above:

pae@cataclysm:~$ pkcs15-tool --read-ssh-key 01 > public-key-01.txt
Using reader with a card: Cherry GmbH SmartTerminal XX44 01 00

pae@cataclysm:~$ ssh-keygen -l -f public-key-01.txt
2048 SHA256:DJ7V9NPhhjT6E2FhYC46+wrsdiNOzLt/9S6SrCLpzDE PIV AUTH pubkey (RSA)
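
The matching step above can also be checked in code. The following is an added example, not part of the original page or of Putty CAC/OpenSC: it parses an OpenSSH public-key line, derives the same blen, key size and SHA256 fingerprint that ssh -vv and ssh-keygen -l report, and compares them with the "Server accepts key" debug lines. All function names are hypothetical and the sample key is constructed (a made-up modulus, not a real card key).

```python
import base64, hashlib, re, struct

def read_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field overruns blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def describe_pubkey(line):
    """Return (key type, blen, RSA bits or None, fingerprint) for a public-key line."""
    alg, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if fields[0].decode() != alg:
        raise ValueError("key type does not match the blob")
    # ssh-rsa blob fields are: name, public exponent e, modulus n
    bits = int.from_bytes(fields[2], "big").bit_length() if alg == "ssh-rsa" else None
    return alg, len(blob), bits, fingerprint(blob)

def accepted_keys(debug_log):
    """(blen, fp) pairs from ssh -vv output; pkalg (signature algorithm) is ignored."""
    blens = re.findall(r"Server accepts key: pkalg \S+ blen (\d+)", debug_log)
    fps = re.findall(r"input_userauth_pk_ok: fp (SHA256:\S+)", debug_log)
    return list(zip(map(int, blens), fps))

def card_key_matches(pub_line, debug_log):
    _, blen, _, fp = describe_pubkey(pub_line)
    return (blen, fp) in accepted_keys(debug_log)

# Constructed sample: RSA-2048-shaped blob with a made-up modulus, not a real key.
def _s(b): return struct.pack(">I", len(b)) + b
SAMPLE_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00\xc3" + b"\x5a" * 255)
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " PIV AUTH pubkey"

if __name__ == "__main__":
    print(describe_pubkey(SAMPLE_PUB))
```

To use it on real data, pass the line from public-key-01.txt and the saved ssh -vv output to card_key_matches; a 2048-bit RSA key yields blen 279, as in the debug line above.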

