Smartcard Authentication - Secure & Easy
Secure Shell with Smart Card Authentication
PuTTY, the free SSH implementation from Simon Tatham,
does support public key authentication but lacks
support for smart cards. An enhancement request
for PuTTY asking for smart card support within the
original PuTTY package has been on the
wishlist for a very long time.
PuTTY.exe may read a private key from a file or may
talk to an SSH authentication agent, which will do all
cryptographic operations on behalf of the actual putty.exe.
The PuTTY package contains such an agent, i.e. pageant.exe,
but this agent, too, can read private keys from
password-protected files only.
In the download area of this
website you will find a replacement for pageant.exe that
does support smart cards.
This smart card enabled pageant.exe has the following features:
- As a security product PuTTY tries to avoid dependencies
on external libraries. So does the smart card enabled
version of pageant.exe. It either talks directly to
your card without the need of any kind of middleware
or uses a PKCS#11-library.
- Secure PIN Entry is supported for smart card readers with pinpad.
- Public keys from your smart card will be inserted into/removed from
pageant's key list automatically on smart card insertion/removal.
- If your smart card contains multiple private RSA and ECC keys, all of them
will be inserted into pageant's key list and may be used simultaneously.
- If you have multiple card readers attached to your PC, all of them
will be scanned for smart cards and may be used simultaneously.
- As an option, pageant may store the PIN of your smart card in memory
until you shut down the agent.
- Support for any Smartcard/Token for which a PKCS#11-library is available
(so far only RSA-keys are supported).
- Native support for the following smart cards. Here "native" means
that the card can be used without the need for any kind of middleware
or card-specific driver.
  - PKCard Version 1 (RSA keys up to 4096 bits) and Version 2
  (RSA and ECC keys).
  - All TCOS based smart cards, in particular all TCOS based German signature cards
  (SignTrust 1024, NetKey E4, Datev).
  - CardOS cards, in particular most cards of the German Trust-Center D-Trust.
  - German electronic Health Professional Card.
  - German electronic public health insurance membership card.
  - Aladdin eToken PRO (32K and 64K).
  - Sicrypt smart cards.
  - OpenPGP smart cards (version 1 and 2).
  - OpenPGP CryptoStick.
  - OpenPGP Applet in YubiKey NEO (please note that older YubiKey NEOs have a
  security problem and their private keys can be used without entering a PIN.
  If this happens with pageant.exe, ask Yubico for a replacement).
  - Aloaha Smartcard.
- Support of keys up to 4096bit.
- Creates key descriptions for all of your smart card's public keys,
which may be inserted into your authorized_keys file via cut and paste.
Just insert your smart card into your reader with your control key pressed.
- Supports all applications that implement the SSH authentication
agent protocol. In particular pageant.exe will work with
WinSCP and the
If your smart card does not work, then the reason is
most likely that you are the first one to try this particular
card. Just let me know at email@example.com
and I will do my best to support your card as well.
There's a Smartcard Client program
in the download area that allows me to open your smart card via an internet
connection. That's the most comfortable way to debug problems and add support
for a new card. Of course you should change your card PINs to 123456 and
should know what you are doing. If you don't trust me, don't let me
do whatever I want with your smart card.
Installation is easy:
- Install PuTTY with
from the PuTTY
- PuTTY will install itself into one directory (normally C:\Program Files\PuTTY).
There you will find pageant.exe, the SSH authentication agent.
Replace this executable with pageant.exe
from the download area.
- If you want to use a PKCS#11-library make a copy and store it under
the name pageant11.dll either in the directory where pageant.exe
is located or in the system32-directory.
- Using PuTTY and/or the SSH authentication agent is described in the
PuTTY documentation. Besides the possibility to use smart cards there is
only one difference: if you insert your smart card with your control key pressed,
pageant.exe will write information about all your public keys into a text file.
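Before a line from that text file is pasted into authorized_keys, it can be checked offline. The following is an added example, not code from pageant.exe or from this site: it assumes the file holds OpenSSH-style "<type> <base64> [comment]" lines, and the function names, the 2048-bit minimum and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

def _read_string(blob, off):
    """Read one SSH wire-format field: uint32 big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_key_line(line, min_rsa_bits=2048):  # threshold is an assumed policy
    """Vet one '<type> <base64> [comment]' line before it goes into authorized_keys."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, comment = parts[0], parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(parts[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != declared.encode("ascii", "replace"):
        raise ValueError("key type inside blob differs from declared type")
    bits = None  # only computed for RSA; other key types are fingerprinted only
    if declared == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after RSA modulus")
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {bits} bits")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "bits": bits, "fingerprint": fingerprint, "comment": comment}

def _field(data):
    return struct.pack(">I", len(data)) + data

def make_constructed_rsa_line(bits, comment):
    """Build a sample line from a made-up modulus (constructed, not a usable key)."""
    n = (1 << (bits - 1)) | 1
    mpint = lambda i: _field(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = _field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    print(inspect_key_line(make_constructed_rsa_line(4096, "constructed-card-key")))
```

The fingerprint has the same form as the SHA256 fingerprint printed by ssh-keygen -lf, so the value can be compared on the server after the key has been added.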
Registering your Public Key
Noncommercial use of pageant.exe and use for evaluation purposes is free
and you must register your Public Key only if you want to use it commercially.
In order to support free projects users of OpenPGP cards
or the OpenPGP CryptoStick may use pageant.exe for free no matter whether
usage is commercial or not.
If you need a free licence - either because your usage is noncommercial or
you are using an OpenPGP card/stick - just contact me by mail and I will send
you a licence key. If you cannot wait, you may order a licence for EUR 1 and
a licence restricted to OpenPGP cards/sticks will be mailed to you immediately.
There is an order page available, where you can register
your key for commercial usage. After having paid your licence fee
with PayPal you will be immediately mailed a license file.
If you want to register a couple of keys you may buy a
prepaid-code which will allow you to do so without using PayPal
for every single licence. Or you may contact me and I will prepare a site-licence.