Smartcard Authentication - Secure & Easy
Secure Shell with Smart Card Authentication

PuTTY, the free SSH implementation from Simon Tatham,
does support public key authentication but lacks
support for smart cards. An enhancement request
for PuTTY asking for smart card support within the
original PuTTY package has been on the
PuTTY
wishlist for a very long time.
PuTTY.exe may read a private key from a file or may
talk to an SSH authentication agent, which will do all
cryptographic operations on behalf of the actual putty.exe.
The PuTTY package contains such an agent, i.e. pageant.exe,
but this agent, too, can only read private keys from
password-protected files.
In the download area of this
website you will find a replacement for pageant.exe that
does support smart cards.
This smart card enabled pageant.exe has the following
additional features:
- As a security product PuTTY tries to avoid dependencies
on external libraries. So does the smart card enabled
version of pageant.exe. It does not use any kind of
smart card middleware (neither OpenSC nor PKCS#11 nor CSP)
but talks directly to your smart card via the PC/SC driver
of your smart card reader (WinSCard-API).
- Secure PIN Entry is supported for smart card
readers with pinpad (disabled for non-registered
public keys).
- Public keys from your smart card are automatically added to and removed
from pageant's key list on smart card insertion/removal.
- If your smart card contains multiple private keys, all of them
will be added to pageant's key list and may be used simultaneously.
- If you have multiple card readers attached to your PC, all of them
will be scanned for smart cards and may be used simultaneously.
- As an option, pageant may store the PIN of your smart card in memory
until you shut down the agent.
- Support for CryptoFlex smart cards.
- Support for almost all TCOS based smart cards,
in particular NetKey E4 cards from TeleSec GmbH
and all TCOS based German signature cards.
- Support for some CardOS based cards,
in particular the D-Trust 2048bit card.
- Support for German Health Professional Cards.
- Support for Aladdin eToken PRO (32K and 64K).
- Support for Sicrypt smart cards.
- Support for the OpenPGP (version 1+2) smart card and the OpenPGP CryptoStick.
- Support for 2048-bit RSA keys.
- Creates key descriptions for all of your smart card's public keys
which may be inserted into your authorized_keys file via cut and paste.
Just insert your smart card while holding down the Control key.
- Supports all applications that implement the SSH authentication
agent protocol. In particular pageant.exe will work with
WinSCP and the
Filezilla-Client.
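The following is an added example, not code from pageant.exe or PuTTY: it shows the agent protocol's identities answer, the message in which an agent hands its public keys to a client, and how the same public key blob becomes a line for authorized_keys. The sample key and the comment string are constructed, and the function names are illustrative.

```python
import base64
import struct

SSH2_AGENTC_REQUEST_IDENTITIES = 11  # agent protocol message numbers
SSH2_AGENT_IDENTITIES_ANSWER = 12

def ssh_string(data):
    """SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """SSH 'mpint' (positive value): big-endian, leading zero if the top bit is set."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def rsa_public_blob(e, n):
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def authorized_keys_line(blob, comment):
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def frame(msg_type, payload=b""):
    return ssh_string(bytes([msg_type]) + payload)  # uint32 length, type byte, payload

def identities_answer(keys):
    """Agent side: announce (public blob, comment) pairs; private keys never appear."""
    body = struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += ssh_string(blob) + ssh_string(comment.encode())
    return frame(SSH2_AGENT_IDENTITIES_ANSWER, body)

def parse_identities_answer(packet):
    """Client side: return [(blob, comment)], rejecting malformed framing."""
    pos = 0
    def take(n):
        nonlocal pos
        if n > len(packet) - pos:
            raise ValueError("truncated agent message")
        pos += n
        return packet[pos - n:pos]
    def u32():
        return struct.unpack(">I", take(4))[0]
    if u32() != len(packet) - 4 or take(1)[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("bad length or message type")
    keys = [(take(u32()), take(u32()).decode()) for _ in range(u32())]
    if pos != len(packet):
        raise ValueError("trailing bytes after key list")
    return keys

SAMPLE_BLOB = rsa_public_blob(65537, 0xC5A1B3D7E9F01235)  # constructed toy key, not a usable modulus
```

A client starts the exchange with `frame(SSH2_AGENTC_REQUEST_IDENTITIES)`; only public blobs and comments travel in the answer, which is why a key held on a smart card can be listed without being exposed.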
If your smart card does not work then the reason is
most likely that you are the first one to try this particular
card. If OpenSC
supports your card then it will be relatively easy to add
support for your card to pageant.exe as well. You only have
to email OpenSC
debug-output with highest verbosity level to
support@smartcard-auth.de and must be willing
to do some tests. In return for your testing activities I will
register your public keys for free.
If your smart card works with neither pageant.exe nor
OpenSC then a test
card and documentation are most likely needed to add support for
such a card. Please send information about your smart card to
support@smartcard-auth.de if you own such a card.
Installation
Installation is easy:
- Install PuTTY with
putty-0.60-installer.exe
from the PuTTY
download page.
- PuTTY will install itself into one directory (normally C:\Program Files\PuTTY).
There you will find pageant.exe, the SSH authentication agent.
Replace this executable with pageant.exe
from the download area.
- Using PuTTY and/or the SSH authentication agent is described in the
PuTTY documentation. Besides the possibility to use smart cards there is
only one difference: if you insert your smart card while holding down the
Control key, pageant.exe will write information about all your public keys
into a text file.
Registering your Public Key
If you use pageant.exe with a non-registered public key
then Secure PIN entry will be disabled and pageant.exe will
connect to a destination only after a short delay.
You may evaluate pageant.exe with a non-registered public
key for at most 30 days. It will be functional for a
longer time though.
Please do NOT register OpenPGP cards or the OpenPGP CryptoStick.
In order to support this free project, owners of such cards/sticks
may use pageant.exe as long as they like. Secure PIN entry is
enabled for OpenPGP cards and SSH-connections start without a delay.
The About-dialog still mentions the 30 day trial period.
Please ignore this if you are using an OpenPGP card/stick.
You cannot register the software but must register your
public key instead. This has the following consequences:
- Once a key has been registered you may use it with
as many current (or future) versions of pageant.exe
as you like.
- If you are able to store your private key on multiple
smart cards you will only need one licence to use these
cards with pageant.exe. Of course creating multiple smart
cards containing the same private key is against the idea
of using a smart card as a unique two-factor authentication
token. This might be a reasonable way to replace a lost or
broken smart card. I recommend not doing so.
- If your private key is stored within your smart card only, then
there is no way to recover your private key if you lose your
smart card or block your PIN permanently. You will need a
new card with a new private key then. And you must also
reregister your new public key. There will be no refund for
registration fees of lost private keys.
In order to register your public key please follow the instructions
at the order-page.