Using NitroKey HSM with PuTTY

Hi,
I would like to know, how I need to setup PuTTY to use my NitroKey HSM with it. Unfortunately the “Applications” tab on your website (https://www.nitrokey.com/documentation/applications#p:nitrokey-hsm&os:windows&a:ssh-for-server-administration) only explains how to do it with a GPG-compatible NitroKey, but as I understood it, the HSM is not, right?

So I already tried to use the modified pageant.exe from Dr. Peter Koch (http://smartcard-auth.de/ssh-en.html) following his Installation instructions (except using version 0.70 instead of 0.68), but the pageant shows my stick as an “Empty Unknown Card”.

Then I tried PuTTY CAC, which should have native support for smart cards and pkcs#11. But there I have the problem, that in the newest version from the homepage, I don’t know how to setup my stick (pageant doesn’t show it and the putty settings want a pkcs#11 certificate).
When I use the older version from your driver package, I can specifiy a pkcs11 library in the settings under “Connection” -> “SSH” -> “Pkcs11” (which is only available in this version, not the others).
Though when select the pkcs11 dll file from the driver package (the sc-hsm-pkcs11.dll that has been installed into my system32) and then select my NitroKey HSM under “Token label”, the selected smart card disappears as soon, as I click in the “Certificate label” field or anywhere else.

Has anyone successfully used his NitroKey HSM for SSH Login via PuTTY on Windows (or any other SSH Client on Windows) and can tell me how to make it work?

Best regards,
Jonas

P.S: Ich habe nur auf englisch geschrieben, um möglichst viele Personen zu erreichen. Ihr könnt auch auf deutsch antworten.

Hey,

does these two help? raymii and smartcard

Kind regards
Alex

PS: I’ll probably add them to the documentation as well. Thanks for the hint!

Hey,
I already knew the tutorial from Raymii.org. It helped me VERY much understanding how to set up the stick and how the stick works. You should definitely put that somewhere in the documentation.

Sadly both didn’t help me, setting up a Windows SSH client. Raymii only shows, how it works with linux and the other link you provided, only says, that you should set up PuTTY CAC. But as I described, I had problems setting up PuTTY CAC and the other versions :confused:

Best regards,
Jonas

Hi,

okay I see. Sorry. I need to ask: did you try the Putty-CAC version of the sc-hsm-starterkit which is provided in the second link? They may provide a special version, I don’t know.

I’ll try around a bit myself as soon as my Win10 VM is updated :wink:

Kind regards
Alex

Yes. That was the “older version from your driver package” I talked about in my first post.
But it seems to be bugged, because when I select my Nitrokey and then click somewhere else, it gets deselected automatically…

Thanks for your help :slight_smile:

Hey,

unfortunately, I couldn’t get it working either, I am sorry. I had the same issues you had. The newest version of PuTTY seems to work with pkcs11 certs only, but I don’t know how they would be handled right now. The older version is somehow broken (as you described).

I may have another look at the end of the week.

Kind regards
Alex

1 Like

Hi,

im having the same problem right now, linux works fine out of the box (besides providing a pkcs11 provider in the client config) but getting it to run under windows seems wonky.

ATM im using putty cac (or more like trying) but it seems not to recognise any key.

Any ideas?

Thanks!

KiTTY is a better maintained fork of PuTTY which should support smart cards. You may try it.

Thanks but it does not offer pkcs11 support.

You need to use CAPI rather than PKCS#11.

See Getting Access to GIT Repositories for details.

1 Like

Thanks, i managed to get it working via pkcs11 cert based system rather then CAPI.

For anybody interested:

  • Gen a KeyPair on the HSM
  • Create a self signed cert based on that key
  • Put the generated x509 Cert on the Key

Now Putty-CAC Agent should be able to pickup the container if you click “Add PKCS Cert”

Unfortunately SSH does only have support for RSA, DSA (lets skip that…), ECDSA and EdDSA.
Since HSM has no support for EdDSA, we are stuck on either RSA or ECDSA with NSA Curves (secp “random” curves).

Brainpool, which i would consider beside ED25519 (which again is not supported by the key :frowning: ) is NOT supported by SSH. Neither are secp Koblitz curves.

I would love to see support for ED25519 on HSM. Probabbly even Curve41417.
Until then we are mostly stuck on RSA3072+ for SSH, which takes ages to login.