SSH Putty CAC

Guide to using MS CAPI with Putty-CAC

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an insecure network. Its best-known application is remote user login to computer systems.

SSH provides a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command line login and remote command execution, but any network service can be secured with SSH.

Putty-CAC is software based on Putty, which is an SSH terminal. The version used in this guide is 0.76.

Environment configuration

  1. Install the HSM client. It can be downloaded from Downloads.

  2. Configure the CSP using DINAMOcon.

  3. To use Putty-CAC you need to enable CNG. To do this, DINAMOcon must be run with administrative elevation. Once open, click on Local configuration and then on the MS CAPI menu. Check CNG Enabled and apply the configuration.

    Figure: MS CAPI parameters

  4. First open DINAMOcon's certificates tab: on the home screen choose Certificates and then click on the Certificates menu. Check that the certificate to be used is enabled in Windows; if it isn't, right-click and enable it.

    Figure: Table of certificates

  5. Configure Putty-CAC.

  6. After opening the program, fill in the IP/port.

  7. Open the Connection -> SSH -> Certificate menu and click on the Set CAPI Cert button and choose the certificate to be used.

  8. To authenticate, the public key must be on the destination server, so there is a button to copy the key in the correct format. Click on Copy to Clipboard and paste it into the authorized_keys file on the server.

  9. The destination server must also be configured correctly. The SSH service usually comes with public key authentication disabled, and you need to enable it. To do this, edit the file sshd_config and add the line:

    PubkeyAuthentication yes
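
A server-side check for steps 8 and 9, as an added example that is not part of the original guide, Putty-CAC or DINAMO: it confirms the sshd_config line, that the pasted key is present in authorized_keys, and that the file is not writable by group or others. The function names and the script name check.sh are assumptions; Include files and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example: server-side checks for steps 8 and 9 (not Putty-CAC or DINAMO code).

# Effective global value of a keyword in an sshd_config file. sshd keeps the
# first value it reads for a keyword, keywords are case-insensitive, and the
# global section ends at the first Match line. Include files are not followed.
sshd_global_value() {  # $1 = config file, $2 = keyword
    awk -v kw="$2" '
        $1 ~ /^#/                  { next }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# True if the key (type + base64 blob) is listed in authorized_keys. The
# trailing comment and any options in front of the key are ignored.
key_is_authorized() {  # $1 = authorized_keys file, $2 = pasted key line
    want=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    awk -v want="$want" '$1 !~ /^#/ { for (i = 1; i < NF; i++)
        if (($i " " $(i + 1)) == want) found = 1 } END { exit !found }' "$1"
}

# True if the path is not writable by group or others; with StrictModes on,
# sshd ignores an authorized_keys file that is.
perms_are_strict() {  # $1 = path
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Run all three checks; print one line per problem and return the problem count.
check_server_setup() {  # $1 = sshd_config, $2 = authorized_keys, $3 = key line
    problems=0
    if [ "$(sshd_global_value "$1" PubkeyAuthentication)" != "yes" ]; then
        echo "PubkeyAuthentication is not explicitly set to yes in $1"; problems=$((problems + 1))
    fi
    if ! key_is_authorized "$2" "$3"; then
        echo "key not found in $2"; problems=$((problems + 1))
    fi
    if ! perms_are_strict "$2"; then
        echo "$2 is writable by group or others"; problems=$((problems + 1))
    fi
    return "$problems"
}

# On the server: sh check.sh /etc/ssh/sshd_config ~/.ssh/authorized_keys "<pasted key line>"
if [ "$#" -eq 3 ]; then check_server_setup "$@"; fi
```

After editing sshd_config, `sshd -t` validates the file's syntax before the service is restarted.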