
README

Ulf Frisk

This is the README for PuTTYwincrypt

ABOUT

PuTTYwincrypt is a patched version of PuTTY. It lets the user perform public key SSH authentication with any private key that belongs to a certificate in the user's personal certificate store.

As long as the user's personal certificate store holds a certificate with a corresponding private key, it should be possible to use that key for public key SSH authentication.

This enables the use of smart cards in PuTTY and Pageant, as long as the smart card is supported by Windows.

PuTTY is found at: http://www.chiark.greenend.org.uk/~sgtatham/putty/

REQUIREMENTS

Windows XP or later. No other requirements.

USAGE - PuTTY

To use a key backed by Windows, specify it in the "Private key file for authentication:" text box in PuTTYwincrypt. This text box is found at Connection > SSH > Auth.

To select ANY key backed by Windows type (in the text box):

cert://*

In order to select a specific key by certificate thumbprint type:

cert://thumbprint=<thumbprint_in_hex>

In order to select a specific key by part of the certificate common name type:

cert://cn=<part_of_common_name_to_search_for>

Searching all certificates may take a long time, and can appear to "hang" PuTTYwincrypt, if the certificate store holds many certificates on slow smart cards.
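The three selector forms above, and the caveat that a cn match is only a substring search while a thumbprint is exact, are easiest to see as a small matcher run over a constructed certificate store. The following is an added example written for this README; it is not code from PuTTYwincrypt or PuTTY. Assumptions, labelled in the code: thumbprints are 40 hex digits (SHA-1, as shown in the Windows certificate viewer), spaces and colons in a pasted thumbprint are ignored, the cn search is case-insensitive, and several comma-separated criteria are ANDed (the combined cn=...,thumbprint=... form is reported as working in a discussion post below, not stated by the README). The sample store and its thumbprints are made up.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StoreCert:
    """Constructed stand-in for one entry in the Windows personal certificate store."""
    common_name: str
    thumbprint: str        # SHA-1 thumbprint as hex (assumption: 40 hex digits)
    has_private_key: bool  # only entries with a private key can authenticate


# Constructed sample store; names and thumbprints are invented for this example.
SAMPLE_STORE = [
    StoreCert("Alice Example (smart card)", "0123456789abcdef0123456789abcdef01234567", True),
    StoreCert("Alice Example (backup)",     "89abcdef0123456789abcdef0123456789abcdef", True),
    StoreCert("Root CA Example",            "ffffffffffffffffffffffffffffffffffffffff", False),
]


def parse_cert_selector(spec: str) -> dict:
    """Turn a cert:// selector string into a dict of criteria.

    cert://*                  -> {}                      (any Windows-backed key)
    cert://thumbprint=<hex>   -> {"thumbprint": <hex>}   (exact match)
    cert://cn=<part>          -> {"cn": <part>}          (substring of the CN)

    Assumption: several criteria may be joined with commas and are ANDed.
    """
    if not spec.startswith("cert://"):
        raise ValueError("not a cert:// selector")
    body = spec[len("cert://"):]
    if body == "*":
        return {}
    criteria = {}
    for part in body.split(","):
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("cn", "thumbprint") or not value:
            raise ValueError(f"unsupported selector part: {part!r}")
        if key == "thumbprint":
            # Assumption: tolerate the spaces/colons the certificate viewer inserts.
            value = re.sub(r"[\s:]", "", value).lower()
            if not re.fullmatch(r"[0-9a-f]{40}", value):
                raise ValueError("thumbprint must be 40 hex digits (SHA-1)")
        criteria[key] = value
    return criteria


def select_certificates(spec: str, store=SAMPLE_STORE) -> list:
    """Return the store entries a selector would pick; all of them for cert://*."""
    crit = parse_cert_selector(spec)
    matches = []
    for cert in store:
        if not cert.has_private_key:
            continue  # a certificate without a private key cannot authenticate
        if "thumbprint" in crit and cert.thumbprint.lower() != crit["thumbprint"]:
            continue
        if "cn" in crit and crit["cn"].lower() not in cert.common_name.lower():
            continue
        matches.append(cert)
    return matches


if __name__ == "__main__":
    for spec in ("cert://*", "cert://cn=alice", "cert://cn=backup",
                 "cert://thumbprint=0123456789ABCDEF0123456789ABCDEF01234567"):
        print(spec, "->", [c.common_name for c in select_certificates(spec)])
```

Note that "cert://cn=alice" picks both Alice certificates (the situation described in the first discussion post), whereas the thumbprint form narrows the choice to exactly one; when a store holds several certificates with the same common name, the thumbprint is the selector to use.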

USAGE - Pageant

Start Pageant by clicking on it. To add a key stored in the Windows crypto API, right click on Pageant in the systray and select "Add Certificate" in the menu. Whenever the private key is accessed, Windows may or may not prompt the user for a passphrase/PIN, depending on whether the key is protected.

Please note that it is not possible to add keys backed by Windows from the Pageant main GUI at the moment, only from the systray menu.

To export the public key in the SSH authorized_keys format, load the key into Pageant and double click on it. The public key is copied to the clipboard in the authorized_keys format.
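What ends up in the clipboard is a one-line "ssh-rsa <base64 blob> <comment>" entry, where the blob is the RFC 4253 ssh-rsa public key encoding (type string, then e and n as mpints). The following is an added example written for this README, not PuTTYwincrypt's own code: it builds and parses that line, and also decodes the RSA public key from a Windows CAPI PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY with the "RSA1" magic, then the little-endian modulus), since that is the form the Windows crypto API exports a public key in. How PuTTYwincrypt itself retrieves the key is not described on this page and is assumed here. The sample key is constructed and not a real key pair.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement; a leading 0x00 is
    added when the top bit is set so the number is still read as positive."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_to_authorized_keys(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as one authorized_keys line: 'ssh-rsa <base64> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_authorized_keys_line(line: str):
    """Inverse of rsa_public_to_authorized_keys: returns (e, n, comment)."""
    parts = line.split(" ", 2)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if keytype != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa authorized_keys line")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), comment


def capi_publickeyblob_to_rsa(blob: bytes):
    """Decode a CAPI PUBLICKEYBLOB (CryptExportKey output) into (e, n).

    Layout: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} (8 bytes),
    RSAPUBKEY {magic 'RSA1' = 0x31415352, bitlen, pubexp} (12 bytes),
    then the modulus, bitlen/8 bytes, little-endian.
    """
    btype, _version, _reserved, _alg = struct.unpack("<BBHI", blob[:8])
    magic, bitlen, pubexp = struct.unpack("<III", blob[8:20])
    if btype != 0x06 or magic != 0x31415352:
        raise ValueError("not a CAPI RSA PUBLICKEYBLOB")
    modulus_le = blob[20:20 + bitlen // 8]
    if len(modulus_le) != bitlen // 8:
        raise ValueError("truncated modulus")
    return pubexp, int.from_bytes(modulus_le, "little")


def make_capi_publickeyblob(e: int, n: int) -> bytes:
    """Build a PUBLICKEYBLOB for (e, n); used here only to construct test input."""
    bitlen = (n.bit_length() + 7) // 8 * 8
    header = struct.pack("<BBHI", 0x06, 0x02, 0, 0x0000A400)  # PUBLICKEYBLOB, v2, CALG_RSA_KEYX
    rsapubkey = struct.pack("<III", 0x31415352, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


# Constructed sample key (NOT a real key pair): 512-bit modulus with the top bit
# set, so the mpint leading-zero rule is exercised.
SAMPLE_E = 65537
SAMPLE_N = (1 << 511) | 0x1234567

if __name__ == "__main__":
    e, n = capi_publickeyblob_to_rsa(make_capi_publickeyblob(SAMPLE_E, SAMPLE_N))
    print(rsa_public_to_authorized_keys(e, n, "alice@smartcard"))
```

Because every e=65537 key encodes the same first three fields, any ssh-rsa line produced this way starts with "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB"; that prefix is a quick sanity check on what Pageant put in the clipboard.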

BACKGROUND

The PuTTYwincrypt patch was written to ease the use of public key SSH authentication with smart cards. The easiest approach seemed to be the Windows crypto API, which lets PuTTYwincrypt work without dealing directly with card drivers or PKCS#11 implementations.


Discussion

  • Michael Dubner

    Michael Dubner - 2014-04-21

    There is a problem: I can't add different certificates with the same cn (but different thumbprints). As far as I understand they were generated by Microsoft Lync to contact different (primary/backup) servers.

    • Ulf Frisk

      Ulf Frisk - 2014-04-22

      sent you a message.

  • Darren DeHaven

    Darren DeHaven - 2015-08-06

    I've been successful with both entered in, for example:
    cert://cn=FIRSTNAMELASTNAME,thumbprint=0123456789012345678901234567890123456789
    I don't know if there's any downsides to that way.


    Last edit: Darren DeHaven 2015-08-06
  • On Mediem

    On Mediem - 2017-12-21

    Hi,

    I found a "bug" in pageant_wincrypt when loading certificate keys.
    Description of the trouble:

    • When you start to run it without Pageant loaded, then you can use the command line to start it loading certificate keys. Example: "pageant_wincrypt.exe cert://cn=NAME_CERT1 cert://cn=NAME_CERT2". This works right.
    • However, when you start Pageant without loading any key, and AFTER you load keys using the command line, then you receive an error window with the message: "The already running Pageant refused to add the key". Example: "pageant_wincrypt.exe" <OK>, "pageant_wincrypt.exe cert://cn=NAME_CERT1" --> ERROR!

    Please, can you fix it?
    I need to load keys using scripts, and with this bug I can't load my certificates when the Pageant is already running.

    Thank you!

    • Ulf Frisk

      Ulf Frisk - 2017-12-22

      Hi,

      Thanks for reporting this. Actually I wasn't aware that you could use pageant this way, but now I am :) I'll try to look into it during January, I'll also have to update it to the most recent version.

      I hope to be able to do this in January, realistically at the end of the month unfortunately (busy with other engagements before it).

