support for OpenSSH's certificate system
4bo opened this issue · 2 comments
As of version 0.78, putty supports OpenSSH's certificate system (in PuTTY Configuration, from Connection -> SSH -> Auth -> Credentials -> Certificate to use with the privatekey).
Is there any way to use this kind of cert while corresponding private key is stored in an HSM?
I don’t see a clear path to implementation given how unique the OpenSSH certificates are. Curious if anyone else has input.
I got putty-cac 0.78 to work with openssh certs, at least for CAPI certs (tested with a PIV-I card), so it may just work the same with PKCS certs (HSM via PKCS11).
- Create a new putty session
- Set the remote hostname, default username in usual locations
- In `Connection -> SSH -> Auth -> Credentials -> Certificate to use with the privatekey` set the openssh cert corresponding to the key you want to use
- In `Connection -> SSH -> Certificate -> Set CAPI Cert` (Set PKCS Cert in your case)
- Open your connection
I think this is fine when working directly with putty.exe, but it won't work when using plink and pageant. The next step would be to add a way in pageant to associate a key with an openssh cert in a persistent way and let putty use it in the same way as putty.exe does. Eventually perhaps even take the openssh cert directly from a SAN value (type uri, value of urn:example:{base64 encoded cert} or something) or a custom extension in the X509 certificate matching the key, either in CAPI or in the HSM (find by label with object type certificate).
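A check for the "set the openssh cert corresponding to the key" step above, as an added example that is not part of this issue or of putty-cac: it parses the `ssh-rsa-cert-v01@openssh.com` blob, pulls out the certified public key and confirms it is the same key the card or HSM exports. The key material, principal and key id are constructed placeholders, and the CA signature fields are left empty since only the key match is being checked.

```python
import base64
import hashlib
import struct

# Constructed sample key material (not a real key, far too short for real use).
E, N = 65537, 0xC0FFEED00D123456789ABCDEF013579BDF

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x: int) -> bytes:
    # +8 bits leaves room for a leading 0x00 when the top bit is set
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob: bytes) -> str:
    # Same form ssh-keygen -lf prints, so it can be compared by eye
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def pubkey_line(e: int, n: int) -> str:
    """The 'ssh-rsa AAAA...' line a CAPI/HSM key would be exported as."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def cert_line(e: int, n: int, key_id: bytes) -> str:
    """An ssh-rsa-cert-v01 certificate for (e, n); CA signature fields left empty."""
    body = (ssh_string(b"ssh-rsa-cert-v01@openssh.com")
            + ssh_string(b"\x00" * 32)              # nonce
            + ssh_mpint(e) + ssh_mpint(n)           # the certified public key
            + struct.pack(">QI", 1, 1)              # serial, type 1 = user cert
            + ssh_string(key_id)
            + ssh_string(ssh_string(b"alice"))      # valid principals (constructed)
            + struct.pack(">QQ", 0, 2**64 - 1)      # valid after / valid before
            + ssh_string(b"") * 5)                  # crit. opts, exts, reserved, sig key, sig
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()

def cert_matches_key(cert: str, pubkey: str) -> bool:
    """True if the certificate certifies exactly the given ssh-rsa public key."""
    blob = base64.b64decode(cert.split()[1])
    ctype, off = read_string(blob, 0)
    if ctype != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an ssh-rsa certificate: %r" % ctype)
    _nonce, off = read_string(blob, off)
    e_raw, off = read_string(blob, off)
    n_raw, off = read_string(blob, off)
    certified = ssh_string(b"ssh-rsa") + ssh_string(e_raw) + ssh_string(n_raw)
    return fingerprint(certified) == fingerprint(base64.b64decode(pubkey.split()[1]))
```

With a real setup, `pubkey_line` is replaced by the `ssh-rsa ...` line pageant or the card tooling shows for the HSM key, and `cert_line` by the contents of the `-cert.pub` file you point PuTTY at.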