hiba VS putty-cac

Interestingly enough this is getting another layer on top of it. Google is working on something called "HIBA" (https://github.com/google/hiba) which is an extension to OpenSSH SSH Certificates.

So now you have layers of:

- SSH RFC

- OpenSSH extensions to SSH

- Google extensions to OpenSSH

PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac

>so I've been working on extending our support for hardware-backed SSH certificates to Windows

Interesting work & I wish him luck. The ability to use hardware SSH certs on Windows has been around for at least a decade now, but it hasn't been a seamless experience.

The other attempt I'm aware of is PuTTY-CAC[0]. The issue with PuTTY-CAC is that the server still needs to be configured to check the certificate against CRLs & PKI infrastructure. Even without that, it is still used in security-conscious organizations, like the US Department of Veteran Affairs [1], for example.

[0] https://github.com/NoMoreFood/putty-cac

[1] https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=8714#

Seem like a fork as FIDO Key signing but that's all (https://github.com/NoMoreFood/putty-cac/releases/tag/0.77)

There is a GitHub Issue by me which may be interesting for you... it is about PuTTY CAC, but maybe you find some useful information in that too.

If you have smartcards or FIDO2 security keys (Yubikeys), consider using something like PuTTY CAC (https://github.com/NoMoreFood/putty-cac) to provide cheap and easy multi-factor authentication. With FIDO2, specifically, you can force the SSH server to only accept security keys by setting the only allowed authentication method to be [[email protected]](mailto:[email protected]).

2) Get an SSH client which works with Windows. I'd like to suggest or a fork based on "Putty SSH" ( https://www.putty.org/ ) called "Putty CAC" (SSH) which as of late May 2022 also supports FIDO2 keys ( citation: https://github.com/NoMoreFood/putty-cac/issues/57 ) ( Site for Putty CAC (ssh): https://github.com/NoMoreFood/putty-cac ) (unlike the main Putty SSH as of July 22, 2022)

If you want to be safer, look into using WebAuthn/FIDO2 hardware token. OpenSSH supports them since version 8.2, and if you're on Windows, putty-cac added support in the last release.

The development branch for PuTTY CAC that has the FIDO change can be found here.

For several years, I've been the lead developer for a fork of PuTTY called PuTTY CAC that focuses on 2FA. In addition to utilizing certificate-bound keypairs (via Windows CAPI or a PKCS library), I've recently added support for FIDO2 keys using the WebAuthn functionality in Windows 10+. I tentatively plan on releasing these changes shortly after upstream PuTTY 0.77 is released. The development branch binaries can be found here: putty-cac/binaries at fido_dev_branch · NoMoreFood/putty-cac (github.com).