NoMoreFood/putty-cac

Specify/Force authentication to a proxy without pagent

jishac opened this issue · 5 comments

jishac commented

It seems that it is not possible to specify or force the use of authentication mechanisms to a ssh proxy host like you can do for the primary connection.

For example, I am unable to specify in the settings to use a CAC card to authenticate with a proxy, resulting in connection failing since password authentication is not allowed. However, if I have my CAC credentials loaded into pagent, the connection through the proxy succeeds.

Are you asking how to do agent forwarding without having the agent running? As far as I know, standard PuTTY does not support this. If you want this capability for PuTTY CAC, you'll need to request this for standard PuTTY and then I will make sure it works with PuTTY CAC.

jishac commented

My question is not about agent forwarding. It is about using a ssh proxy sometimes called a jump host. Under Linux with OpenSSH one would use the ProxyJump directive. PuTTY has a "Proxy" section in the configuration.

The issue is that ONLY password authentication is attempted to the proxy server when set and the proxy server does not allow password authentication so the connection fails. However, if pagent is running, PuTTY will attempt any public key or CAC type of authentication that the agent has loaded. It is an odd quirk that forces the use of pagent.

So my question is, can some level of checkbox be added to allow the same authentication methods being used for the main connection (including CAC) to be attempted with the proxy as well?

A fancier solution would be to replicate the entire "Auth" configuration menu as a submenu to the "Proxy" entry - allowing for an independent configuration for the proxy. However, that is likely a request for the main PuTTY team.

Yeah, that latter request would definitely be a request for the PuTTY team.

Are you able to have PuTTY key-based authentication work in your proxy configuration when using a PuTTY ppk file without Pageant? If that works, then I can see about potentially making it work for the certificate-based authentication. If not, that's probably PuTTY-level change as well.

The PuTTY Team (mainly Simon) loves to go crazy every year or two and massively refactor/reorganize parts of the code. THat means merging hell for me so I have to be pretty selective with the changes we implement.

jishac commented

Using a PuTTY ppk file to access the proxy does not work, so it sounds like it is a PuTTY level feature request. I will send the PuTTY team a request. Thank you!

jishac commented

If anyone stumbles upon this thread at a later date, the way to resolve this issue in PuTTY is to create a saved session for the proxy host with all the proper settings (including CAC key) specified. Then, when creating a profile for the internal host which requires the proxy, instead of using a fully qualified domain name for the proxy, instead use the PuTTY configuration name. By setting things up this way, you could even jump through multiple proxy boxes using different keys for each.