Smartcard Authentication - Secure & Easy

Secure Shell with Smart Card Authentication

PuTTY, the free SSH implementation from Simon Tatham, does support public key authentication but lacks support for smart cards. An enhancement request for PuTTY asking for smart card support within the original PuTTY package has been on the PuTTY wishlist for a very long time.

PuTTY.exe may read a private key from a file or may talk to an SSH authentication agent, which will do all cryptographic operation on behalf of the actual putty.exe. The PuTTY-Package contains such an agent, i.e. pageant.exe, but this agent can also read private keys from password protected files only.

In the download area of this website you will find a replacement for pagent.exe that does support smart cards.

This smart card enabled pageant.exe has the following additional features:

• As a security product PuTTY tries to avoid dependencies on external libraries. So does the smart card enabled version of pageant.exe. It either talks directly to your card without the need of any kind of middleware or uses a PKCS#11-library.
• Secure PIN Entry is supported for smart card readers with pinpad.
• Public keys from your smart card will be inserted/removed automatically into pageants keylist on smart card insertion/removal.
• If your smart card contains multiple private keys all of them will be inserted into pageants keylist and may be used simultaneously.
• If you have mutiple cardreaders attached to your PC all of them will be scanned for smart cards and may be used simultaneously.
• As on option pageant may store the PIN of your smart card in memory until you shutdown the agent.
• Support for any Smartcard/Token for which a PKCS#11-library is available.
• Native support for the following Smartcards. Here "native" means that the card can be used without the need for any kind of middlware oder card-specific driver.
  • All TCOS based smartcards, in particular all TCOS based german signature cards (SignTrust 1024, NetKey E4, Datev).
  • All D-Trust cards.
  • german electronic Health Professional Card.
  • german electronic public health insurance membership card.
  • Aladdin eToken PRO (32K and 64K).
  • Sicrypt smartcards.
  • OpenPGP smartcards (version 1+2).
  • OpenPGP CryptoStick.
  
  
• Support of keylenghtes up to 4096bit.
• Creates key-descriptions for all of your smart cards public keys which may be inserted into your authorized_keys file via Cut&Paste. Just insert your smart card with your control-key pressed.
• Supports all applications that implement the SSH authentication agent protocol. In particular pageant.exe will work with WinSCP and the Filezilla-Client.

If your smart card does not work then the reason is most likely that you are the first one to try this particular card. Just let me know at support@smartcard-auth.de and I do my est to support your card as well.

Installation

Installation is easy:

• Install PuTTY with putty-0.61-installer.exe from the PuTTY download page.
• PuTTY will install itself into one directory (normally C:\Program Files\PuTTY). There you will find pageant.exe, the SSH authentication agent. Replace this executable with pageant.exe from the download area.
• If you want to use a PKCS#11-library make a copy and store it under the name pageant11.dll either in the directory where pageant.exe is located or in the system32-directory.
• Using PuTTY and/or the SSH authentication agent is described in the PuTTY-documentation. Besides the possibility to use smartcards there is only one difference. If you insert your smartcard with your control-key pressed pageant.exe will write information about all your public keys into a textfile.

Registering your Public Key

Non commercial use of pageant.exe and use for evaluation purposes is free and you must register your Public Key ony if you want to use it commercially.

Please do NOT register OpenPGP cards or the OpenPGP CryptoStick. In order to support this free project owner of such cards/sticks may use pageant.exe as long as they like no matter whether usage is commercial or not.

There is a order-page available, where you you can register your key. After having payed your licence fee with PayPal you will be immediately mailed a licecene file.

If you want to register a couple of key you may buy a prepaid-code which will allow you to do so without using PayPal for every single licence.