Hi,
I would like to know how I need to set up PuTTY to use my NitroKey HSM with it. Unfortunately, the “Applications” tab on your website (Applications | Nitrokey) only explains how to do it with a GPG-compatible NitroKey, but as I understood it, the HSM is not, right?
So I already tried to use the modified pageant.exe from Dr. Peter Koch (http://smartcard-auth.de/ssh-en.html), following his installation instructions (except using version 0.70 instead of 0.68), but Pageant shows my stick as an “Empty Unknown Card”.
Then I tried PuTTY CAC, which should have native support for smart cards and PKCS#11. But there I have the problem that, in the newest version from the homepage, I don’t know how to set up my stick (Pageant doesn’t show it, and the PuTTY settings want a PKCS#11 certificate).
When I use the older version from your driver package, I can specify a PKCS#11 library in the settings under “Connection” → “SSH” → “Pkcs11” (which is only available in this version, not the others).
But when I select the PKCS#11 DLL file from the driver package (the sc-hsm-pkcs11.dll that has been installed into my system32) and then select my NitroKey HSM under “Token label”, the selected smart card disappears as soon as I click in the “Certificate label” field or anywhere else.
Has anyone successfully used their NitroKey HSM for SSH login via PuTTY on Windows (or any other SSH client on Windows) and can tell me how to make it work?
Best regards,
Jonas
P.S.: I have written in English only to reach as many people as possible. You may also reply in German.
Hey,
I already knew the tutorial from Raymii.org. It helped me VERY much in understanding how to set up the stick and how the stick works. You should definitely put that somewhere in the documentation.
Sadly, neither helped me set up a Windows SSH client. Raymii only shows how it works with Linux, and the other link you provided only says that you should set up PuTTY CAC. But as I described, I had problems setting up PuTTY CAC and the other versions.
Okay, I see. Sorry. I need to ask: did you try the PuTTY-CAC version from the sc-hsm-starterkit, which is provided in the second link? They may provide a special version, I don’t know.
I’ll try around a bit myself as soon as my Win10 VM is updated.
Yes. That was the “older version from your driver package” I talked about in my first post.
But it seems to be bugged, because when I select my Nitrokey and then click somewhere else, it gets deselected automatically…
Unfortunately, I couldn’t get it working either; I am sorry. I had the same issues you had. The newest version of PuTTY seems to work with PKCS#11 certs only, but I don’t know how they would be handled right now. The older version is somehow broken (as you described).
I’m having the same problem right now. Linux works fine out of the box (besides providing a PKCS#11 provider in the client config), but getting it to run under Windows seems wonky.
ATM I’m using PuTTY CAC (or more like trying), but it seems not to recognise any key.
Thanks, I managed to get it working via the PKCS#11 cert-based system rather than CAPI.
For anybody interested:
Gen a KeyPair on the HSM
Create a self signed cert based on that key
Put the generated x509 Cert on the Key
Now the PuTTY-CAC agent should be able to pick up the container if you click “Add PKCS Cert”.
Unfortunately, SSH only has support for RSA, DSA (let’s skip that…), ECDSA and EdDSA.
Since the HSM has no support for EdDSA, we are stuck on either RSA or ECDSA with NSA curves (secp “random” curves).
Brainpool, which I would consider besides Ed25519 (which again is not supported by the key), is NOT supported by SSH. Neither are the secp Koblitz curves.
I would love to see support for Ed25519 on the HSM. Probably even Curve41417.
Until then we are mostly stuck on RSA 3072+ for SSH, which takes ages to log in.
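The four steps from the post above (key pair on the HSM, self-signed certificate, certificate written back to the token, pick-up in PuTTY-CAC), written out as an added example. This is not code from the poster, from Nitrokey or from the PuTTY-CAC project. It assumes OpenSC’s pkcs11-tool, an OpenSSL build with the libp11 “pkcs11” engine and OpenSSH’s ssh-keygen are on PATH on the Windows machine; the module path is the one named in the first post, while the key ID, label and CN are placeholders you can change.

```powershell
# Added example: provision a Nitrokey HSM for PuTTY-CAC via PKCS#11.
# Assumptions (not from the thread): OpenSC pkcs11-tool, OpenSSL with the
# libp11 "pkcs11" engine, and OpenSSH ssh-keygen are installed and on PATH.

$Module = "C:\Windows\System32\sc-hsm-pkcs11.dll"   # DLL path from the first post
$KeyId  = "01"                                      # hex CKA_ID shared by key and cert (placeholder)
$Label  = "ssh-login"                               # CKA_LABEL shown in PuTTY-CAC (placeholder)

# 1. Generate the key pair on the token. RSA 3072 because SSH cannot use the
#    Brainpool curves and the HSM has no Ed25519; for ECDSA P-256 use
#    "--key-type EC:secp256r1" instead. "--login" without "--pin" makes
#    pkcs11-tool prompt for the User PIN, so it never lands in the shell history.
pkcs11-tool --module $Module --login --keypairgen --key-type rsa:3072 `
    --id $KeyId --label $Label

# 2. Create a self-signed certificate with that private key. The key never
#    leaves the token: OpenSSL passes the hash to the HSM through the engine.
#    The PKCS#11 URI refers to the key by its CKA_ID (percent-encoded bytes).
$env:PKCS11_MODULE_PATH = $Module
openssl req -engine pkcs11 -keyform engine -key "pkcs11:id=%$KeyId;type=private" `
    -new -x509 -days 3650 -subj "/CN=$Label" -out cert.pem
openssl x509 -in cert.pem -outform DER -out cert.der

# 3. Store the certificate on the token under the same CKA_ID and label, so the
#    PKCS#11 layer (and PuTTY-CAC) associates it with the private key.
pkcs11-tool --module $Module --login --write-object cert.der --type cert `
    --id $KeyId --label $Label

# 4. Check: the private key, public key and certificate must all list the same ID.
pkcs11-tool --module $Module --list-objects

# 5. Export the public key in authorized_keys format for the server side.
#    ssh-keygen -D reads it through the same PKCS#11 module.
ssh-keygen -D $Module | Out-File -Encoding ascii authorized_keys.txt
```

After step 3, start the PuTTY-CAC Pageant, choose “Add PKCS Cert”, point it at the same DLL and select the entry with that label; the line in authorized_keys.txt goes into the server’s `~/.ssh/authorized_keys`. The certificate is only a container here: SSH never looks at its subject or validity, it just gives PuTTY-CAC an object it can list next to the private key.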