I am using puttysc to authenticate to a remote Linux server with my smart card. But as I understand, this isn't true PKI authentication - puttysc just unlocks the public key and matches it to a user account on the Linux server. Is there a way that I can use puttysc along with pam_pkcs11 to perform true PKI authentication? I know that you can use PAM along with the pam_pkcs11 module to require true PKI authentication. I just don't know how to use the two (puttysc and PAM with pam_pkcs11) together.
2 Answers
0
I don't believe puttysc can. But I think this is what you are looking for: https://www.risacher.org/putty-cac/

Gravy
0
The smartcard authentication on the client side performs a normal challenge-response. I.e., the ssh server encrypts a challenge with the public ssh key from the .ssh/authorized_keys. Your smartcard decrypts this challenge using the private key on the smartcard.
But at this point no x509 certificates are involved. If you want to include x509 certificates and CRLs you need:
- a patched SSH server that supports DNs in the authorized_keys
- a client that supports handling certificates, like the tectia ssh client.

cornelinux
- Is it possible that this patched server/client exists somewhere within the far reaches of the net? Sounds like a great project idea. – ring0 Jan 29 '15 at 16:05
- Take a look here: http://roumenpetrov.info/openssh/ – cornelinux Jan 29 '15 at 19:36