WinCryptSSHAgent
putty-cac
WinCryptSSHAgent | putty-cac | |
---|---|---|
7 | 12 | |
516 | 451 | |
- | - | |
2.0 | 6.1 | |
about 2 months ago | 20 days ago | |
Go | C | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
WinCryptSSHAgent
-
Unix sockets, Cygwin, SSH agents, and sadness
If that project https://github.com/buptczq/WinCryptSSHAgent had a pin timeout, it would be the perfect Windows ssh agent. It support named pipe, pagent shared memory and a UNIX socket under WSL2 using Hyper-V and socat.
- Use TouchID to Authenticate Sudo on macOS
- Powershell script to automatically ssh into multiple servers and layout the panels
- Use PIV for SSH without PIN/touch?
- YubiKey 5 - Certificates and signing
- SSH-ADD -s not working Win 10
- Setting up SSH on a Yubikey 5 NFC
putty-cac
-
NIST: Personal Identity Verification (PIV) of Federal Employees and Contractors
PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.
[0] https://risacher.org/putty-cac/
[1] https://github.com/NoMoreFood/putty-cac
-
Unix sockets, Cygwin, SSH agents, and sadness
>so I've been working on extending our support for hardware-backed SSH certificates to Windows
Interesting work & I wish him luck. The ability to use hardware SSH certs on Windows has been around for at least a decade now, but it hasn't been a seamless experience.
The other attempt I'm aware of is PuTTY-CAC[0]. The issue with PuTTY-CAC is that the server still needs to be configured to check the certificate against CRLs & PKI infrastructure. Even without that, it is still used in security-conscious organizations, like the US Department of Veteran Affairs [1], for example.
[0] https://github.com/NoMoreFood/putty-cac
[1] https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=8714#
- ssh client FIDO2
-
SSH from any computer using FIDO2 resident key, multiple keys and hosts.
Seem like a fork as FIDO Key signing but that's all (https://github.com/NoMoreFood/putty-cac/releases/tag/0.77)
-
Using Yubikey inside RDP Session (Terminal Server)
There is a GitHub Issue by me which may be interesting for you... it is about PuTTY CAC, but maybe you find some useful information in that too.
-
How to secure SSH for Remote connections
If you have smartcards or FIDO2 security keys (Yubikeys), consider using something like PuTTY CAC (https://github.com/NoMoreFood/putty-cac) to provide cheap and easy multi-factor authentication. With FIDO2, specifically, you can force the SSH server to only accept security keys by setting the only allowed authentication method to be [[email protected]](mailto:[email protected]).
-
I have a simple use case: windows ssh to Linux
2) Get an SSH client which works with Windows. I'd like to suggest or a fork based on "Putty SSH" ( https://www.putty.org/ ) called "Putty CAC" (SSH) which as of late May 2022 also supports FIDO2 keys ( citation: https://github.com/NoMoreFood/putty-cac/issues/57 ) ( Site for Putty CAC (ssh): https://github.com/NoMoreFood/putty-cac ) (unlike the main Putty SSH as of July 22, 2022)
-
Single SSH key-pair for my local machine and all my remote servers? Or a custom SSH key-pair for each remote server?
If you want to be safer, look into using WebAuthn/FIDO2 hardware token. OpenSSH supports them since version 8.2, and if you're on Windows, putty-cac added support in the last release.
-
PuTTY CAC (Free, Opensource) FIDO Changes: Help Needed
The development branch for PuTTY CAC that has the FIDO change can be found here.
-
Call For Testers: PuTTY CAC 0.77 Pre-Release (FIDO Support)
For several years, I've been the lead developer for a fork of PuTTY called PuTTY CAC that focuses on 2FA. In addition to utilizing certificate-bound keypairs (via Windows CAPI or a PKCS library), I've recently added support for FIDO2 keys using the WebAuthn functionality in Windows 10+. I tentatively plan on releasing these changes shortly after upstream PuTTY 0.77 is released. The development branch binaries can be found here: putty-cac/binaries at fido_dev_branch ยท NoMoreFood/putty-cac (github.com).
What are some alternatives?
wsl2-ssh-pageant - bridge between windows pageant and wsl2
interesting-keys - Interesting collected (leaked) encryption/decryption keys
win-gpg-agent - [DEPRECATED] Windows helpers for GnuPG tools suite
KiTTY - :computer: KiTTY, a free telnet/ssh client for Windows
wsl-ssh-pageant - A Pageant -> TCP bridge for use with WSL, allowing for Pageant to be used as an ssh-ageant within the WSL environment.
yubikey-agent - yubikey-agent is a seamless ssh-agent for YubiKeys.
hiba - HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically.
wsl-ssh-agent - Helper to interface with Windows ssh-agent.exe service from Windows Subsystem for Linux (WSL)
OpenSC - Open source smart card tools and middleware. PKCS#11/MiniDriver/Tokend
YubiKey-Guide - Guide to using YubiKey for GnuPG and SSH
BorgBackup - Deduplicating archiver with compression and authenticated encryption.