Windows 7: PIV card PIN dialog missing input field

Question

Windows 7: PIV card PIN dialog missing input field

al20878 opened this issue 2 years ago · 14 comments

al20878 commented 2 years ago

Installed 0.77-1 64 bit (on Win 7) and could not login using my PIV card, the dialog is missing the PIN input field... Rolled back to .76-4 and it works fine again..

.

Answer 1 · 2022-07-10T15:14:36.000Z

This is how it should look like (and does so in .76-4):

Answer 2 · 2022-07-10T16:17:22.000Z

I had previously updated the OS requirements for 0.77 to list Windows 10+ since I can't continue to support testing on every OS variant, but I'll take a look at this time permitting.

Answer 3 · 2022-07-10T18:31:40.000Z

@al20878 Actually I looked back and this is almost certainly related a special Windows 7 related conditional that wasn't ported over in the 0.77 release. If you'd like, I can merge it into an interim build that you can download but I will not be creating an "official" release to address this until there are more changes necessary to warrant it.

Answer 4 · 2022-07-10T18:53:41.000Z

Thank you for looking into this! I'm fine with .76-4, so there's no pressing issue for me here, and I won't even request a special interim build for that. Do I understand this correctly that the special conditional is still going to be merged back to .77-x (whenever it's coming out) so that PuTTY-CAC has a good chance to be usable again on Win 7? Or should I just stick with .76-4?

Answer 5 · 2022-07-10T19:24:45.000Z

Yes, I'm very confident the CAPI/PKCS portion will work with Windows 7 after that change. So it'll eventually make it to 0.77u2 or 0.78 -- whichever comes first.

Answer 6 · 2022-07-10T19:29:02.000Z

Awesome! Thanks again for all your help!

Answer 7 · 2022-07-11T23:28:27.000Z

@al20878 At your leisure, could you try launched PowerShell as admin, paste in the below code, and see if it changes the behavior?

New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR -ErrorAction SilentlyContinue

$Keys = @(
'CLSID\{94596c7e-3744-41ce-893e-bbf09122f76a}\InProcServer32'
'CLSID\{8bf9a910-a8ff-457f-999f-a5ca10b4a885}\InProcServer32'
'Wow6432Node\CLSID\{94596c7e-3744-41ce-893e-bbf09122f76a}\InProcServer32'
'Wow6432Node\CLSID\{8bf9a910-a8ff-457f-999f-a5ca10b4a885}\InProcServer32'
)

ForEach ($Key in $Keys)
{
    $Base = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($Key, 'ReadWriteSubTree', 'ChangePermissions')
    $Acl = $Base.GetAccessControl()

    $Owner = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'    
    $Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule($Owner,'FullControl',$Inheritance,'None','Allow')
    $Acl.AddAccessRule($Rule)
    $Base.SetAccessControl($Acl)
    
    Set-ItemProperty ('HKCR:\' + $Key) -Name '(default)' -Value (Join-Path ([System.Environment]::SystemDirectory) 'SmartcardCredentialProvider.dll')
}

Answer 8 · 2022-07-12T00:03:24.000Z

see if it changes the behavior?

I'm sorry, the behavior of what?

Answer 9 · 2022-07-12T02:12:35.000Z

Sorry, I should have been clearer. The behavior of 0.77u1 without any code changes. In short, PuTTY enables some application security features in Windows that are causing this behavior. Windows 7 started supporting those security features very late in the game and Microsoft apparently didn't test them out with PIN prompts (which is causing the behavior you see). Previously I had fixed them by just making PuTTY not enable those features on Windows 7 since I didn't feel like battling Microsoft for a bugfix and the security features really aren't all that valuable. That said, the PowerShell snippet I provided above changes attempts to change a few references of 'SmartcardCredentialProvider.dll' to 'C:\Windows\System32\SmartcardCredentialProvider.dll' which in some isolated testing seemed to address the change for me without needing to make any changes at all. I was hoping you could tell me if it fixes it for you.

Answer 10 · 2022-07-17T17:23:00.000Z

Sorry about the delay in response... I downloaded a single putty.exe executable (.77-1) [vs. the installation package as I usually do], ran it from my Downloads folder, and verified that there's still no PIN code entry in the PIV card dialog that it shows...

Then I ran this (as instructed):

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR -ErrorAction SilentlyContinu
e

Name           Used (GB)     Free (GB) Provider      Root                                               CurrentLocation
----           ---------     --------- --------      ----                                               ---------------
HKCR                                   Registry      HKEY_CLASSES_ROOT


PS C:\Windows\system32>
PS C:\Windows\system32> $Keys = @(
>> 'CLSID\{94596c7e-3744-41ce-893e-bbf09122f76a}\InProcServer32'
>> 'CLSID\{8bf9a910-a8ff-457f-999f-a5ca10b4a885}\InProcServer32'
>> 'Wow6432Node\CLSID\{94596c7e-3744-41ce-893e-bbf09122f76a}\InProcServer32'
>> 'Wow6432Node\CLSID\{8bf9a910-a8ff-457f-999f-a5ca10b4a885}\InProcServer32'
>> )
>>
PS C:\Windows\system32> ForEach ($Key in $Keys)
>> {
>>     $Base = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($Key, 'ReadWriteSubTree', 'ChangePermissions')
>>     $Acl = $Base.GetAccessControl()
>>
>>     $Owner = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
>>     $Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
>>     $Rule = New-Object System.Security.AccessControl.RegistryAccessRule($Owner,'FullControl',$Inheritance,'None','All
ow')
>>     $Acl.AddAccessRule($Rule)
>>     $Base.SetAccessControl($Acl)
>>
>>     Set-ItemProperty ('HKCR:\' + $Key) -Name '(default)' -Value (Join-Path ([System.Environment]::SystemDirectory) 'S
martcardCredentialProvider.dll')
>> }
>>
PS C:\Windows\system32>

(it did not produce any output other than shown).

And then I re-ran the same standalone binary. When it requested my PIN again, the entry field was back in place! It let me log in and seems to work as expected.

IDK how good this solution is, TBH, because not everybody is allowed to run things as Admin, and there's also a chance to badly screw things up, should something go wrong with this long series of lines as they are copied, pasted, executed... (so even folks, who can reach the elevated prompt, would tend to avoid having to run this script).

In my case, though, it looks like I would be unable to tell again if there was a regression with the PIN entry behavior because my PC has now been "fixed" in a unique way... LOL

Answer 11 · 2022-07-23T18:36:32.000Z

@al20878 While arguably the "better" solution from a cybersecurity perspective, I agree this isn't the best long term solution for continued Windows 7 support. It was more academic. Thank you for testing it.

Answer 12 · 2022-08-26T00:01:49.000Z

@al20878 Can you verify these binaries also address your issue: https://github.com/NoMoreFood/putty-cac/tree/master/binaries

Answer 13 · 2022-08-31T14:25:24.000Z

Thanks! I have just verified the new .77u2 PuTTY-CAC binary, and happy to report that the PIV card popup appears normally there, allowing me to enter my PIN and login successfully. BTW I did so on a (Win7) PC, which wasn't patched with the registry tweaks per the instructions included previously in this thread.

Answer 14 · 2022-09-04T00:14:09.000Z

Thanks for testing. I'm going to close this issue. The change will be in the next official release.