2015-09-23: The version Josh published had some bugs that made the CAPI support mostly broken. I believe these are fixed by last night's patchset. For the moment, binaries for testing this are in ./testing/. These are compiled with VS2015 with debugging turned on, which is why they are so large. I expect to post "Release" versions here, on github, and on software.forge.mil within the next few days.
2015-08-14: Josh Dantzler has updated PuTTY-CAC to be synchronized with PuTTY-0.65. At this time the code for these versions has not been integrated into the GitHub codebase. (I plan to do so eventually...) He has three versions, provided below:
The PuTTY-CAC with the simplified Pageant streamlines the interface and makes it easier to use when adding CAPI certs. It removes the ability to add other types of SSH keys; it will only allow you to add CAPI SSH certs/keys.
The PuTTY-CAC with the original Pageant maintains all the features and does not simplify anything. You can add any SSH key and/or CAPI certs/keys.
WARNING: The PKCS11 API originally from PuTTY-SC has been removed from all applications in this PuTTY-CAC Suite due to complications Josh was having with the code. However, CAPI support is still functional, which is the main premise behind PuTTY-CAC anyway. If you need to use PKCS11 then DO NOT DOWNLOAD ANY OF THESE VERSIONS. Download an older release of 0.62, which has support for PKCS11. If you do not know what Josh is talking about, then this release should be fine for your needs. Also, none of these releases will include the PuTTYtel application.
Josh has included compiled versions of the PuTTY-CAC suite, which can be found in the EXECUTABLES folder for each type listed above, for those who do not want to compile the code. However, these compiled applications may only work on Windows 7/8. They have not been tested on older OSs such as Vista/XP or newer ones such as Windows 10.
2012-09-18: the source code has been moved to github at https://github.com/risacher/putty-cac. This version is synchronized with PuTTY-0.62, and also includes support for Microsoft's Cryptographic API (CAPI). CAPI support should be easier to configure for most users and also allows use of soft-certs. Use of CAPI instead of PKCS#11 is now recommended.
PuTTY-CAC is derived from PuTTY and PuTTY SC. (See below for the pedigree.) It should support other smartcards as well, but has not been tested to do so.
PuTTY-CAC was developed by Dan Risacher.
U.S. Department of Defense users can also obtain this software from https://software.forge.mil/sf/projects/community_cac
Use the "Pkcs11" panel to configure PuTTY SC for smartcard usage.
Note: these settings are used by the SSH agent as well.
$HOME/.ssh/authorized_keys file on the server.
ssh-rsa AAAAB3NzaC1yc2EAAAA.....ZHkknlDE7jhQ== token-key
| Middleware | Path | Token Label | Certificate Label | Comment |
| --- | --- | --- | --- | --- |
| Litronics NetSign | C:\WINNT\system32\core32.dll | Common Access Card V2 | "CAC-IDEN" | NetSign seems to do a good job finding the Token label and Certificate label, once you've set the PKCS#11 library. |
| ActivClient CAC | C:\WINDOWS\system32\acpkcs211.dll | ActivIdentity ActivClient 0 | ID Certificate | ActivClient generates Token labels on-the-fly. I put a workaround in the experimental version to fix this, but it doesn't work if there are multiple card readers. |
| Aladdin eToken Pro | eTPKCS11.dll | Depends | Depends | Thanks to Jernej Simoncic |
| SafeSign | C:\windows\system32\aetpkss1.dll | crescendo C700 | Depends | Thanks to Eric Johnson at Imperial College |
| Coolkey | C:\windows\system32\libcoolkeypk11.dll | Depends | Broken | Coolkey build from Nabber.org will work, but the dialog box makes it look like it doesn't. |

(As of 2012-03-20.)
Please email me with others if you learn them.
PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham.
PuTTY is great, but I thought it would be cooler if it could use PKI tokens for authentication.
PuTTY SC is a free implementation of SSH for the Win32 platform. It was developed by Pascal Buchbinder. This modified version of PuTTY supports RSA keys held on a smartcard or USB token for authentication. The interface is based on PKCS #11, and you need the appropriate library (.dll) from the manufacturer of your smartcard in order to use PuTTY SC.
PuTTY SC is pretty cool too, but the implementation makes a critical assumption about the smartcard that isn't always true: namely, that the smartcard contains the public key as an independent object. The DoD CAC program issues tokens that include private keys and public certificates, but does not include public keys as distinct objects. Public certificates include public keys, but the implementation in PuTTY SC will not extract those public keys from the certificates. PuTTY-CAC fixes this.
PuTTY-CAC is based on PuTTY SC, but adds the capability to extract public keys from certificates on the card if the public key is not available as a distinct object.
PuTTY SC, upon which PuTTY-CAC is based, includes some Windows-specific code (for loading the PKCS#11 library) which causes it to lose the cross-platform nature of the original PuTTY. As a Mac and Linux user, I'd love to fix this, but I haven't done so.
X.509, the ITU-T standard for public key certificates, leaves a disturbing amount of flexibility. It's not clear that the assumptions that I made in extracting public keys from certificates will always hold. I tested with several DoD CAC cards, but nothing else. I'd like to get feedback on whether PuTTY CAC works with other PKI implementations.
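The two passages above that need an illustration are the authorized_keys entry (the "ssh-rsa ... token-key" line the server needs) and the way PuTTY-CAC obtains the key for it: the card carries a certificate but no separate public-key object, so the RSA modulus and exponent have to be pulled out of the certificate's SubjectPublicKeyInfo and re-encoded in OpenSSH's format. The following is an added example written for this page, not PuTTY-CAC's own code, and uses only the Python standard library. It walks the DER structure of a Certificate, tolerates the one piece of X.509 flexibility that a fixed-offset parser trips over (the OPTIONAL [0] version field, present in v3 certificates and absent in v1), refuses anything that is not an rsaEncryption key, and emits the authorized_keys line. The certificate at the bottom is a constructed skeleton (unsigned, toy-sized modulus) built so the block runs offline; it is not a real CAC certificate, and `build_sample_cert`, `SAMPLE_N` and `SAMPLE_E` are assumptions of this example only.

```python
# Added example (not PuTTY-CAC's own code): derive the OpenSSH authorized_keys
# line for the RSA key inside a DER X.509 certificate, the way PuTTY-CAC has to
# when the card exposes a certificate but no separate public-key object.
# Standard library only. The certificate at the bottom is constructed here
# (unsigned skeleton, toy-sized modulus); it is not a real CAC certificate.
import base64
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11


def der_children(buf):
    """Split a run of DER TLVs into (tag, value) pairs; single-byte tags only."""
    out, pos, end = [], 0, len(buf)
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DER header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form is not used in X.509")
        if length & 0x80:                      # long form: 0x8N, then N length bytes
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized DER length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > end:
            raise ValueError("DER element overruns its parent")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def rsa_public_key_from_cert(cert_der):
    """Return (n, e) taken from the certificate's SubjectPublicKeyInfo."""
    top = der_children(cert_der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, tbs = der_children(top[0][1])[0]        # tbsCertificate comes first
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = der_children(tbs)
    # version is [0] EXPLICIT and OPTIONAL: present in v3 certs, absent in v1.
    # A parser that assumes a fixed offset breaks on one or the other.
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not at its TBSCertificate position")
    (alg_tag, alg), (bits_tag, bits) = der_children(fields[5][1])[:2]
    if alg_tag != 0x30 or der_children(alg)[0] != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key (EC cards need ecdsa-sha2-*)")
    if bits_tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    rsa_tag, rsa = der_children(bits[1:])[0]         # RSAPublicKey ::= SEQUENCE {n, e}
    ints = der_children(rsa)
    if rsa_tag != 0x30 or len(ints) != 2 or any(t != 0x02 for t, _ in ints):
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(ints[0][1], "big", signed=True)
    e = int.from_bytes(ints[1][1], "big", signed=True)
    if n <= 0 or e <= 0:
        raise ValueError("negative or zero RSA parameter")
    return n, e


def ssh_mpint(value):
    """SSH mpint: length-prefixed minimal big-endian two's complement."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")   # +8 keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw


def openssh_rsa_line(n, e, comment=""):
    """'ssh-rsa <base64(string "ssh-rsa", mpint e, mpint n)> [comment]'."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def authorized_keys_line_from_cert(cert_der, comment="token-key"):
    n, e = rsa_public_key_from_cert(cert_der)
    return openssh_rsa_line(n, e, comment)


# --- constructed sample input: a certificate skeleton, not a real or signed cert ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


SAMPLE_N, SAMPLE_E = 0xC0FFEF, 65537        # toy modulus; only the encoding matters here


def build_sample_cert(n, e, with_version=True):
    """Minimal TBSCertificate layout around an rsaEncryption SubjectPublicKeyInfo."""
    empty_name = _der(0x30, b"")                         # Name with zero RDNs
    sig_alg = _der(0x30, _der(0x06, SHA256_WITH_RSA_OID) + _der(0x05, b""))
    rsa_alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e))))
    version = _der(0xA0, _der_int(2)) if with_version else b""   # [0] EXPLICIT INTEGER (v3)
    tbs = _der(0x30, version + _der_int(0x1234) + sig_alg + empty_name
               + _der(0x30, b"") + empty_name + spki)            # validity left empty
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))   # placeholder signature


if __name__ == "__main__":
    print(authorized_keys_line_from_cert(build_sample_cert(SAMPLE_N, SAMPLE_E), "cac-id"))
```

To use it on a real card certificate, export the ID certificate in DER form (for example `openssl x509 -in cac-id.pem -outform DER -out cac-id.der`, or a binary export from the Windows certificate store; the file name is assumed here) and call `authorized_keys_line_from_cert(open("cac-id.der", "rb").read(), "cac-id")`; the trailing comment is cosmetic and can be anything. The output should match what `ssh-keygen -i -m PKCS8` produces from the same certificate's public key, which is a useful cross-check before trusting the line on a server. Note that a DER INTEGER and an SSH mpint use the same two's complement rule, so the modulus bytes could be copied straight through; the code converts via an integer anyway so that a negative or zero value is rejected rather than silently encoded.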
PKCS#11 Libraries: PuTTY CAC was tested with the Litronics NetSign CAC middleware and with the ActivIdentity ActivClient CAC middleware. The author requests feedback on whether or not it works with other middleware.
Licensing: The basic PuTTY source code is licensed under the MIT license. PuTTY SC is licensed under the GNU General Public License (GPL). The PuTTY-CAC enhancements were written by a direct employee of the United States Federal Government, and as such, those enhancements are a declared work of the United States Government and are not subject to copyright protection. A binary, compiled version is a derivative work of all three sources, and should be considered GPL licensed.