CAC-Enabled SSH


Mark Pennington

Sep 16, 2015, 10:23:57 AM
to Military Open Source Software
All,

I have read the generic Red Hat directions on implementing Smart Card login, but I was wondering if anyone has any insight, directions, or links to specific instructions for CAC-enabling SSH logins. Also, my plan was to use PuTTY-CAC unless better solutions exist. I am planning to set this up today in my sandbox, so I would appreciate, as always, any insights from the group.
Regards,
Mark

Jamie Jones

Sep 16, 2015, 10:38:06 AM
to Military Open Source Software
Mark, I've spent a great deal of time looking into this recently; I'd be happy to help.

From the mention of PuTTY-CAC, it looks like you are planning on using Windows?

The following is from a work-in-progress document I have, but hopefully it is of some help or at least gives more background (sorry, no images came through):

SSH Support - Putty

PuTTY is the de facto preferred SSH client and toolset for Windows. It includes functionality for Secure Copy, Secure FTP, key generation tools, an authentication agent and more. It comes with support for password and public key authentication.
PuTTY-SC is a Smart Card enabled version of PuTTY, which extends its public key support to hardware cards and keys. It includes a usable PKCS#11 API that requires a card-specific interface typically provided by a middleware manufacturer. It is able to read the public and private keys from the hardware device.
PuTTY-CAC is built on PuTTY-SC (and PuTTY 0.62). Improvements include:

  • U.S. government PIV and CAC cards don't store public keys, but instead store certificates. The public key has to be derived from the certificate.
  • Microsoft Cryptographic API (CAPI) support is included. CAPI is easier to configure for most users and also allows use of soft-certs. This also doesn't require middleware software, and is available in modern versions of Windows.

Middleware

ActivClient
ActivClient is the leader in Windows Smart Card (and PIV/CAC) enabling software. Many U.S. government agencies provide licenses and installations for their users as part of their standard baseline.

OpenSC
OpenSC is an open source Smart Card middleware provider that supports many varieties of Smart Cards and tokens, including CAC and PIV cards. It also includes command line utilities to interact with the Smart Cards.

CACKEY
CACKEY software is another open source middleware tool. Unlike OpenSC, this has the ability to change the PIN on PIV cards.

Bugs and issues

  • OpenSC
    • Recent versions of the OpenSC installer (0.12+, current is 0.15) don't work on Windows
    • OpenSC has issues with Windows 10
  • PuTTY-CAC

Accessing Certificates from Microsoft Windows

Microsoft Windows comes with a graphical tool, the Certificate Manager, to browse certificates stored on the system and on associated smart cards. You can navigate the tree to Certificates - Current User/Personal/Certificates. See the example below.

You can select each certificate to get more details, including the intended usage.

Accessing SSH-formatted keys with Windows/PuTTY-CAC

PuTTY-CAC provides an interface to get to the OpenSSH-formatted public key. From the PuTTY interface, navigate to Connection/SSH/CAPI, and click the browse button (red outline in the image below) next to the "Cert" textbox. This will prompt you to select the certificate from your smart card to use (identified earlier, see Accessing Certificates from Microsoft Windows), and it will fill the SSH keystring textbox.

Using PowerShell on Windows to programmatically list certificate thumbprints

Certificate Manager allows you to identify your cert thumbprint under Certificates/Personal/My. You want the cert that is issued by DOD CA, not DOD Email CA.

  # List cert thumbprints via PowerShell
  PowerShell
  Get-ChildItem Cert:\CurrentUser\My

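The thumbprint listing and the "derive the public key from the certificate" point above can be combined into one script. This is an added example, not code from the thread or from PuTTY-CAC; it assumes the card's certificates have been propagated into the CurrentUser\My store, that the authentication certificate uses RSA, and that its issuer CN starts with "DOD CA" (the thread's "issued by DOD CA, not DOD Email CA"; adjust the pattern to your PKI).

```powershell
# Added example (not from the original thread). Assumptions: card certs are in
# Cert:\CurrentUser\My, the logon cert is RSA, and its issuer CN begins "DOD CA".

function Get-CacAuthCertificate {
    # Select DoD-issued certs and drop the Email CA ones, which are not for logon.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match '^CN=DOD CA' -and $_.Issuer -notmatch 'EMAIL' }
}

function ConvertTo-SshField {
    # SSH wire encoding: 4-byte big-endian length, then the bytes. For mpint values a
    # leading 0x00 is added when the top bit is set so the number is not read as negative.
    param([byte[]]$Bytes, [switch]$MpInt)
    if ($MpInt -and ($Bytes[0] -band 0x80)) { $Bytes = [byte[]]((,[byte]0) + $Bytes) }
    $len = [BitConverter]::GetBytes([uint32]$Bytes.Length)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($len) }
    return [byte[]]($len + $Bytes)
}

function ConvertTo-OpenSshPublicKey {
    # Derive the "ssh-rsa AAAA..." authorized_keys line from the certificate's public key,
    # which is what PuTTY-CAC does when it fills the SSH keystring textbox.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if (-not $rsa) { throw "Not an RSA certificate: $($Certificate.Thumbprint)" }
    $p = $rsa.ExportParameters($false)   # public parameters only; the private key never leaves the card
    $blob = (ConvertTo-SshField ([Text.Encoding]::ASCII.GetBytes('ssh-rsa'))) +
            (ConvertTo-SshField $p.Exponent -MpInt) +
            (ConvertTo-SshField $p.Modulus -MpInt)
    $comment = $Certificate.Subject -replace '^CN=([^,]+).*', '$1'
    return "ssh-rsa $([Convert]::ToBase64String([byte[]]$blob)) $comment"
}

# Show thumbprint and issuer for review, then the line to place in ~/.ssh/authorized_keys
Get-CacAuthCertificate | ForEach-Object {
    '{0}  {1}' -f $_.Thumbprint, $_.Issuer
    ConvertTo-OpenSshPublicKey -Certificate $_
}
```

Compare the emitted key string with what PuTTY-CAC shows in Connection/SSH/CAPI before adding it to a server's authorized_keys; only the public half is ever exported.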

Mark Pennington

Sep 18, 2015, 5:16:43 PM
to Military Open Source Software
With a lot of help from J. Jones, I was able to log into CentOS using a CAC. I documented my steps for that and post them here for your review, use, or distribution. By the way, since WinSCP can use Pageant for authentication, you get prompted for the CAC PIN when doing SCP from Windows to Linux.
Mark
CAC Enabling Linux Login with PuTTY CAC.docx

Adam Young

Sep 18, 2015, 8:43:05 PM
to mil...@googlegroups.com

CAC is an NSS database. It has a signed X.509 cert in it.
While normal OpenSSH does not support X.509-based auth, Red Hat builds do. So, if you are sshing to a RH-based server you should be able to enable it.
