Is it possible to use CA-signed keys to ssh from Windows to Linux with PuTTY?

4

A number of Linux servers have been set up so that they have TrustedUserCAKeys in their sshd_config.

My public ssh key is not and should not be installed on any of these servers. Instead, when I need access to any of these services, I get a piece of software to sign my public ssh key with the CA certificate that the servers trust as above. The issued signature is short-timed so it's valid, say, for half an hour.

Say, my private key is stored in mykey file and my public key is stored in mykey.pub file. So said piece of software authenticates me and, when it's satisfied that I have necessary access, issues me with a signature of my mykey.pub, that I then store in mykey-cert.pub file. With all three files in the current directory I issue this command on Linux:

ssh -i mykey myname@server

and I'm in.

I would like to be able to access these Linux servers from Windows too. I of course could try and use Cygwin or msys ssh, but I like the convenience of PuTTY.

Is there any way for me to make PuTTY understand and communicate my CA-signed key to the servers?

Andrew Savinykh

Posted 2017-07-27T00:56:33.430

Reputation: 1 521
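As an added example (not part of the original post and not OpenSSH code), the following parses the mykey-cert.pub format the question describes and checks the validity window and principal before a connection attempt. The function names are assumptions made here, and the sample certificate is constructed with dummy key material and a dummy signature.

```python
import base64
import struct

SUFFIX = "-cert-v01@openssh.com"
KEY_FIELDS = {"ssh-ed25519": 1, "ssh-rsa": 2}  # key-specific fields after the nonce

def put_string(b):  # SSH string: uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def get_string(data, pos):  # decode one SSH string; return (bytes, next_pos)
    end = pos + 4 + int.from_bytes(data[pos:pos + 4], "big")
    if len(data) < pos + 4 or end > len(data):
        raise ValueError("truncated certificate")
    return data[pos + 4:end], end

def build_sample_cert(principal, valid_after, valid_before):
    """Constructed sample: real field layout, dummy key and signature."""
    ktype = ("ssh-ed25519" + SUFFIX).encode()
    blob = (put_string(ktype) + put_string(b"\0" * 32) + put_string(b"\1" * 32)
            + struct.pack(">QI", 1, 1)                    # serial, type 1 = user
            + put_string(b"constructed-key-id")
            + put_string(put_string(principal.encode()))  # packed principal list
            + struct.pack(">QQ", valid_after, valid_before)
            + put_string(b"") * 3                         # options, extensions, reserved
            + put_string(b"dummy-ca-key") + put_string(b"dummy-signature"))
    return f"{ktype.decode()} {base64.b64encode(blob).decode()} constructed"

def parse_cert(line):
    """Parse one *-cert.pub line. The CA signature is not verified here."""
    ktype, b64 = line.split()[:2]
    base = ktype[:-len(SUFFIX)] if ktype.endswith(SUFFIX) else ""
    if base not in KEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate type")
    data, pos = base64.b64decode(b64), 0
    for _ in range(2 + KEY_FIELDS[base]):      # type name, nonce, key fields
        _, pos = get_string(data, pos)
    serial, ctype = struct.unpack_from(">QI", data, pos)
    key_id, pos = get_string(data, pos + 12)
    packed, pos = get_string(data, pos)
    principals, i = [], 0
    while i < len(packed):
        item, i = get_string(packed, i)
        principals.append(item.decode())
    after, before = struct.unpack_from(">QQ", data, pos)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def usable_now(cert, user, now):  # user cert, login name listed, inside window
    return (cert["type"] == 1 and user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```

On a real certificate, `ssh-keygen -L -f mykey-cert.pub` prints the same fields; the server still performs the actual signature check against its TrustedUserCAKeys.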

1

Looks like PuTTY does not support it. Bummer!

– Andrew Savinykh – 2017-07-27T01:01:44.793

1

Looks like you found your own answer. Please post it as a proper Answer (rather than just a comment), and then accept your own Answer by clicking the checkmark next to your Answer. That way SuperUser will show that this question has been resolved. – Spiff – 2017-07-27T01:17:58.663

@Spiff it's a good practice to keep questions open for a few days to give others a chance to contribute. – Andrew Savinykh – 2017-07-27T01:35:24.357

@AndrewSavinykh You clearly have an answer. You should submit an answer today. A few days won't change the fact you have an answer. If somebody submits a better answer you can always change your accepted answer. PuTTY doesn't support it, that won't change in a few days, that will never change until the software is updated. – Ramhound – 2017-07-27T01:43:15.490

@Ramhound, I'm always surprised by the ingenuity of our excellent community, who can come up with unexpected and brilliant answers when you least expect that. You could be surprised. But even if not - no harm done. – Andrew Savinykh – 2017-07-27T02:06:01.757

Doesn't change the fact you should still submit your answer – Ramhound – 2017-07-27T02:10:30.370

@Ramhound I totally intend to. – Andrew Savinykh – 2017-07-27T02:11:31.147

@AndrewSavinykh When do you think you'll do that? – SimonJGreen – 2017-12-12T19:51:07.840

@SimonJGreen thank you for reminding me, I accepted the answer. – Andrew Savinykh – 2017-12-12T22:18:10.617

Answers

1

The OpenSSH certificates are not implemented in anything other than OpenSSH (yet). It was discussed some time ago on the openssh-unix-dev mailing list (thread):

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-May/035992.html

The best chance you have is really with Cygwin on Windows or with the "native Win32" application made by Windows developers, which "should work" at this moment:

https://github.com/PowerShell/Win32-OpenSSH/wiki/Project-Status

Jakuje

Posted 2017-07-27T00:56:33.430

Reputation: 7 981