PuTTY SC (Smart Card), now more commonly maintained and used as the specialized fork PuTTY-CAC, enables secure SSH login to remote Linux servers using a physical smart card, cryptographic token, or PIV/CAC card. Instead of saving highly sensitive private keys on your hard drive, authentication relies on the hardware-backed certificates stored on your smart card, which are fully compliant with standard federal and corporate infrastructure security requirements.

1. Prerequisites
Before beginning the configuration, ensure you have the following elements ready:
- A physical smart card reader connected to your machine, with your PIV/CAC card inserted.
- The PIN associated with your smart card.
- The specialized version of the software, downloaded directly from the official PuTTY-CAC GitHub repository. Traditional PuTTY does not have native support for smart cards.

2. Extract Your Public Key
To allow a remote server to trust your smart card, you must export the public key from the card and add it to the server's authorized keys file.
- Open PuTTY-CAC.
- In the left-hand navigation pane, expand Connection → SSH and select CAPI (or PKCS11 if using custom middleware).
- Click the Set CAPI Cert button.
- A Windows Security prompt will display your certificates. Highlight your active Smart Card Logon certificate and click OK.
- Click Copy to Clipboard. This copies your hardware-backed public key in standard OpenSSH format.

3. Configure the Remote Server
You must place your public key on the destination machine so it recognizes your token.
- Log into your destination Linux server using your traditional credentials one last time.
- Open your server's authorized keys file by executing:
    nano ~/.ssh/authorized_keys
- Paste the string you copied from your clipboard onto a new line at the bottom of the file. Ensure it stays on one single line with no unintended line breaks. Save and close the file.
- Set the correct file permissions to prevent the server from rejecting it:
    chmod 600 ~/.ssh/authorized_keys

4. Authenticate and Log In
Once configured, you can log into your server completely password-free using your hardware token.
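
As an alternative to pasting into nano in step 3, the following added example (not from the original page or the PuTTY-CAC project) is a shell function that appends the copied key on the server, rejects a wrapped or truncated paste, and sets the permissions sshd expects. The name install_pubkey, the accepted key types, and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# install_pubkey KEY [SSH_DIR]: append one OpenSSH public key line to
# SSH_DIR/authorized_keys (default ~/.ssh). Hypothetical helper name, not part of
# PuTTY-CAC or OpenSSH. Lines with an options prefix (from="...") are rejected.
install_pubkey() {
    key=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    cr=$(printf '\r')
    # A paste that wrapped in the terminal carries a newline or carriage return.
    case $key in
        *"$nl"*|*"$cr"*) echo "rejected: key spans more than one line" >&2; return 1 ;;
    esac
    # Expect "<algorithm> <base64 blob> [comment]". Every OpenSSH key blob starts
    # with a 4-byte length whose top three bytes are zero, which encodes as "AAAA".
    # Assumption: the card holds an RSA or NIST-curve ECDSA key.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/]+={0,2}( .*)?$'; then
        echo "rejected: not an OpenSSH public key line" >&2; return 1
    fi
    algo=$(printf '%s\n' "$key" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$key" | cut -d' ' -f2)
    # Base64 comes in 4-character groups; any other length means a truncated paste.
    if [ $(( ${#blob} % 4 )) -ne 0 ]; then
        echo "rejected: key blob is truncated" >&2; return 1
    fi
    # sshd (StrictModes, on by default) refuses group- or world-writable key paths.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Already authorized: nothing to do.
    if grep -qF -- "$algo $blob" "$auth_file"; then return 0; fi
    # If the last existing entry lacks a trailing newline, add one so the new key
    # is not glued onto the end of it.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# Demo on a scratch directory with a constructed, non-functional sample key.
demo=$(mktemp -d)
install_pubkey 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== constructed-sample' "$demo/.ssh"
ls -l "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On a real server, call the function with the clipboard contents in single quotes and omit the second argument so it targets ~/.ssh.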