OpenSC
putty-cac
Metric | OpenSC | putty-cac |
---|---|---|
Mentions | 8 | 12 |
Stars | 2,413 | 448 |
Growth | 1.9% | - |
Activity | 9.6 | 6.1 |
Latest commit | 5 days ago | 13 days ago |
Language | C | C |
License | GNU Lesser General Public License v3.0 only | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
OpenSC
- How do you put your private key files (.ppk) on a security key (HYPERFIDO U2F/FIDO2/HOTP) ?
-
Create Your Own Local Root CA With Yubikey Signing
This installs opensc, a library for dealing with Smart Card (essentially what a Yubikey is recognized as) access in a programmatic way. It also installs OpenSSL bindings that interact using the pkcs11 standard. Basically, we won't get very far using a Yubikey for signing without this. The intermediate CA configuration will also need to be updated:
-
You can link an OpenPGP key to a German eID
Well, in Spain you can use your eID directly: https://github.com/OpenSC/OpenSC/wiki/DNIe-%28OpenDNIe%29#up...
-
Enhance your Network Security with Zero Trust and OTP
The OpenSC binary to interact with the Yubikey at command line.
-
Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
https://github.com/OpenSC/OpenSC
Note that "production ready" does not equate to "follow a YouTube video and write 17 lines of TypeScript." You need to know Java, you need to know crypto, and you need a few bucks to throw at the appropriate hardware. That said, the entire US DoD is built on JavaCard so it is as production grade as you can get.
-
EU Commission to open source software
Next step. Make sure EU Government paid contractors release source code per LGPL https://github.com/OpenSC/OpenSC/issues/2462
-
How do you store private keys?
I have one of the Nitrokeys and several of the smart cards for various purposes. The software side of using them can be a bit confusing if you're not familiar with HSMs and PKCS#11, but the OpenSC project has a lot of good info to help.
-
Dev Tools I Can't Appreciate Enough
1- PKCS11-Tools by OpenSC
putty-cac
-
NIST: Personal Identity Verification (PIV) of Federal Employees and Contractors
PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.
[0] https://risacher.org/putty-cac/
[1] https://github.com/NoMoreFood/putty-cac
-
Unix sockets, Cygwin, SSH agents, and sadness
>so I've been working on extending our support for hardware-backed SSH certificates to Windows
Interesting work & I wish him luck. The ability to use hardware SSH certs on Windows has been around for at least a decade now, but it hasn't been a seamless experience.
The other attempt I'm aware of is PuTTY-CAC[0]. The issue with PuTTY-CAC is that the server still needs to be configured to check the certificate against CRLs & PKI infrastructure. Even without that, it is still used in security-conscious organizations, like the US Department of Veteran Affairs [1], for example.
[0] https://github.com/NoMoreFood/putty-cac
[1] https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=8714#
- ssh client FIDO2
-
SSH from any computer using FIDO2 resident key, multiple keys and hosts.
Seem like a fork as FIDO Key signing but that's all (https://github.com/NoMoreFood/putty-cac/releases/tag/0.77)
-
Using Yubikey inside RDP Session (Terminal Server)
There is a GitHub Issue by me which may be interesting for you... it is about PuTTY CAC, but maybe you find some useful information in that too.
-
How to secure SSH for Remote connections
If you have smartcards or FIDO2 security keys (Yubikeys), consider using something like PuTTY CAC (https://github.com/NoMoreFood/putty-cac) to provide cheap and easy multi-factor authentication. With FIDO2, specifically, you can force the SSH server to only accept security keys by setting the only allowed authentication method to be [[email protected]](mailto:[email protected]).
-
I have a simple use case: windows ssh to Linux
2) Get an SSH client which works with Windows. I'd like to suggest or a fork based on "Putty SSH" ( https://www.putty.org/ ) called "Putty CAC" (SSH) which as of late May 2022 also supports FIDO2 keys ( citation: https://github.com/NoMoreFood/putty-cac/issues/57 ) ( Site for Putty CAC (ssh): https://github.com/NoMoreFood/putty-cac ) (unlike the main Putty SSH as of July 22, 2022)
-
Single SSH key-pair for my local machine and all my remote servers? Or a custom SSH key-pair for each remote server?
If you want to be safer, look into using WebAuthn/FIDO2 hardware token. OpenSSH supports them since version 8.2, and if you're on Windows, putty-cac added support in the last release.
-
PuTTY CAC (Free, Opensource) FIDO Changes: Help Needed
The development branch for PuTTY CAC that has the FIDO change can be found here.
-
Call For Testers: PuTTY CAC 0.77 Pre-Release (FIDO Support)
For several years, I've been the lead developer for a fork of PuTTY called PuTTY CAC that focuses on 2FA. In addition to utilizing certificate-bound keypairs (via Windows CAPI or a PKCS library), I've recently added support for FIDO2 keys using the WebAuthn functionality in Windows 10+. I tentatively plan on releasing these changes shortly after upstream PuTTY 0.77 is released. The development branch binaries can be found here: putty-cac/binaries at fido_dev_branch · NoMoreFood/putty-cac (github.com).
What are some alternatives?
AusweisApp - Der offizielle eID-Client des Bundes.
interesting-keys - Interesting collected (leaked) encryption/decryption keys
tpm2-pkcs11 - A PKCS#11 interface for TPM2 hardware
KiTTY - :computer: KiTTY, a free telnet/ssh client for Windows
yubico-piv-tool - Command line tool for the YubiKey PIV application
win-gpg-agent - [DEPRECATED] Windows helpers for GnuPG tools suite
eid-mw - eID Middleware (main repository)
hiba - HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically.
yubikey-full-disk-encryption - Use YubiKey to unlock a LUKS partition
BorgBackup - Deduplicating archiver with compression and authenticated encryption.
postman-app-support - Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
WindTerm - A professional cross-platform SSH/Sftp/Shell/Telnet/Serial terminal.