Support PKCS providers in Windows #307

Closed
sdalessandro opened this issue Sep 6, 2016 · 13 comments

Comments

@sdalessandro

Getting the following error trying to use OpenSC to generate a key for my YK4...

PS C:\Users\Sandro\Documents\Yubi_Stuff> ssh-keygen.exe -D opensc-pksc11.dll -e
no pkcs11 support

I have a fresh install of both OpenSSH-Win32 and OpenSC-0.15.0-win32. Not sure where the issue is that's throwing this error. Any help is much appreciated!

@manojampalam
Contributor

Yes. PKCS providers are not in scope yet. https://github.com/PowerShell/Win32-OpenSSH/wiki/Project-Scope

@manojampalam manojampalam reopened this Sep 12, 2016
@manojampalam manojampalam changed the title ssh-keygen with opensc-pksc11.dll not supported? Support PKCS providers in Windows Sep 12, 2016
@omniproc

I'd like to see PKCS11 as well. As we're moving away from traditional passwords this would be a great deal.

@RichardScothern

Just adding an interest in this feature too.

@manojampalam do you have a hard requirement for this repo being merged into the official OpenSSH before accepting pull requests for out of scope features? Thanks!

@manojampalam
Contributor

@RichardScothern, not at all. We can take any changes that are well tested and don't contribute to any major deviations in core source code layout.

@lars18th

Hi,

You can use this solution:

After that all of your certificates in PKCS11 loaded in Pageant will be available for your Win32-OpenSSH SSH Client.
And this works too for PuTTY keys and CAPI certificates.

Regards.

@omniproc

@lars18th I'm currently using the CAC port of PuTTY and yes, your suggested method to use its pageant component would allow PKCS11 use. However: this seems like a workaround. Native PKCS11 support in Windows and Win32-OpenSSH would be a great thing.

@lars18th

> @lars18th I'm currently using the CAC port of PuTTY and yes, your suggested method to use its pageant component would allow PKCS11 use. However: this seems like a workaround. Native PKCS11 support in Windows and Win32-OpenSSH would be a great thing.

Hi @M451,

I feel native support will never be. Why? Because Win32-OpenSSH has its own Agent Manager. And the Microsoft people prefer to use it. Then, if you like to use the PuTTY's Agent Pageant (de facto standard in Windows), then you only need to use a PROXY. And this piece is the WSL-SSH-Pageant. This new tool is quite simple and works well. You don't need more... except that the original Pageant lacks PKCS11 support (and others). But @NoMoreFood did a good job adding support to the Pageant.

So from my point of view, this is the best solution. Besides, I'm a PuTTY Pageant fan. 😄
Regards.

@miketheitguy

Just throwing my hat in the ring for support for this :)

@keliansb

> Hi,
>
> You can use this solution:
>
> After that all of your certificates in PKCS11 loaded in Pageant will be available for your Win32-OpenSSH SSH Client.
> And this works too for PuTTY keys and CAPI certificates.
>
> Regards.

Thank you for your solution, it works like a charm! Do you know if the same thing is possible to do but with PuTTY instead of the Win32-OpenSSH client? I'm currently using mRemoteNG which doesn't support it currently...

@lars18th

> Thank you for your solution, it works like a charm! Do you know if the same thing is possible to do but with PuTTY instead of the Win32-OpenSSH client? I'm currently using mRemoteNG which doesn't support it currently...

Sure! If you use the original PuTTY (or any other fork... I like the KiTTY), then you only need to run the PuTTY-Pageant-CAC and select in your session configuration "Connection-->SSH-->Auth-->Authenticate methods" and check the option Attempt authentication using Pageant.

Regards.

@manojampalam manojampalam modified the milestones: vNext, v8.0.0.0p1-Beta Jun 23, 2019
@manojampalam
Contributor

manojampalam commented Jun 23, 2019

Relevant changes

@omniproc

@manojampalam any usage instructions?

@NoMoreFood

@M451 There's nothing unique about the Windows implementation other than you point to a .dll file instead of a .so file. The -I flag can be used to specify the library.
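
The usage described in the last comment, written out as an added PowerShell example (not from the thread or the project). The OpenSC install path, the output file and `user@server.example.com` are assumptions, and it presumes a Win32-OpenSSH build that includes the PKCS#11 changes.

```powershell
# Added example. Every path, user and host below is an assumption; adjust to your install.
$provider = 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'  # assumed OpenSC location
$pubOut   = Join-Path $env:USERPROFILE '.ssh\token_keys.pub'                    # hypothetical output file
$target   = 'user@server.example.com'                                           # placeholder login

# OpenSSH loads the provider DLL and runs its code, so use a full path
# (not a bare file name resolved through the search path) and check the file first.
if (-not (Test-Path -LiteralPath $provider -PathType Leaf)) {
    throw "PKCS#11 provider not found: $provider"
}
$sig = Get-AuthenticodeSignature -LiteralPath $provider
if ($sig.Status -ne 'Valid') {
    Write-Warning "Provider signature status is '$($sig.Status)'. Verify the DLL's origin before using it."
}

# Read the public keys held on the token (the -D form used in the original report).
# A build without PKCS#11 support fails here with "no pkcs11 support".
$pub = & ssh-keygen.exe -D $provider
if ($LASTEXITCODE -ne 0 -or -not $pub) {
    throw "ssh-keygen could not read keys from the token through $provider"
}
$pub | Set-Content -LiteralPath $pubOut -Encoding ascii
Write-Host "Public key(s) written to $pubOut"

# After adding those lines to authorized_keys on the server, authenticate with the
# token. The private key stays on the device; ssh prompts for the PIN.
& ssh.exe -I $provider $target
```

The `PKCS11Provider` option in `ssh_config` takes the same library path if you prefer not to pass `-I` on every connection.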
