Win32-OpenSSH VS putty-cac

A request for an official answer on CALs for Microsofts' SSH port is about to turn 6 years old:

https://github.com/PowerShell/Win32-OpenSSH/issues/926

I have automated some things "normally" on Windows successfully after installing OpenSSH-win32; https://github.com/PowerShell/Win32-OpenSSH/releases

Are there any other ssh clients that support FIDO2 on windows besides Win32-OpenSSH?

If you're on windows, you need openssh 8.9 to use fido for ssh. https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v8.9.1.0p1-Beta

Unlike Linux, Windows does not come with any tools for setting up an SFTP server. Even FileZilla Server, one of the most popular programs for setting up a FTP server, doesn't support SFTP out of the box. So, are there any other ways to set up an SFTP on Windows? Yes, of course. OpenSSH is a suite of programs for establishing secure connections to the server. sftp-server is one of the utility programs provided by OpenSSH, so this article will walk you through how to set up an SFTP server on Windows using OpenSSH. Originally, OpenSSH was only available on Linux, but Microsoft has ported it to Windows, so you can now use OpenSSH by downloading the zip file from here.

It is mentioned in Win32-OpenSSH's scope that it does not support "VPN Forwarding". Is it the same thing as local/remote port forwarding (ssh -L, and ssh -R)? Can I forward port to and from Windows with Win32-OpenSSH installed on both client and server?

So, personally, I haven't been able to get FIDO2 keys to work at all on Windows, but I didn't try very hard because I'm set-up just fine with GPG for SSH. Apparently there have been a few bugs reported (ref, and linked issue.

PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac

>so I've been working on extending our support for hardware-backed SSH certificates to Windows

Interesting work & I wish him luck. The ability to use hardware SSH certs on Windows has been around for at least a decade now, but it hasn't been a seamless experience.

The other attempt I'm aware of is PuTTY-CAC[0]. The issue with PuTTY-CAC is that the server still needs to be configured to check the certificate against CRLs & PKI infrastructure. Even without that, it is still used in security-conscious organizations, like the US Department of Veteran Affairs [1], for example.

[0] https://github.com/NoMoreFood/putty-cac

[1] https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=8714#

Seem like a fork as FIDO Key signing but that's all (https://github.com/NoMoreFood/putty-cac/releases/tag/0.77)

There is a GitHub Issue by me which may be interesting for you... it is about PuTTY CAC, but maybe you find some useful information in that too.

If you have smartcards or FIDO2 security keys (Yubikeys), consider using something like PuTTY CAC (https://github.com/NoMoreFood/putty-cac) to provide cheap and easy multi-factor authentication. With FIDO2, specifically, you can force the SSH server to only accept security keys by setting the only allowed authentication method to be [[email protected]](mailto:[email protected]).

2) Get an SSH client which works with Windows. I'd like to suggest or a fork based on "Putty SSH" ( https://www.putty.org/ ) called "Putty CAC" (SSH) which as of late May 2022 also supports FIDO2 keys ( citation: https://github.com/NoMoreFood/putty-cac/issues/57 ) ( Site for Putty CAC (ssh): https://github.com/NoMoreFood/putty-cac ) (unlike the main Putty SSH as of July 22, 2022)

If you want to be safer, look into using WebAuthn/FIDO2 hardware token. OpenSSH supports them since version 8.2, and if you're on Windows, putty-cac added support in the last release.

The development branch for PuTTY CAC that has the FIDO change can be found here.

For several years, I've been the lead developer for a fork of PuTTY called PuTTY CAC that focuses on 2FA. In addition to utilizing certificate-bound keypairs (via Windows CAPI or a PKCS library), I've recently added support for FIDO2 keys using the WebAuthn functionality in Windows 10+. I tentatively plan on releasing these changes shortly after upstream PuTTY 0.77 is released. The development branch binaries can be found here: putty-cac/binaries at fido_dev_branch · NoMoreFood/putty-cac (github.com).