Yubico Forum

Hi

Im using the yubikey PIV-PKCS#11 setup on my ubuntu pc.
I was able to save my rsa-keys to slot 9a. And from my ubuntu I have generated the rsa-keys and load it
up on the remote server authorized_keys.

I was able to login to the remote server, using the command from my terminal in ubuntu
ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so root@my.remote.server.

Now what I want to do is used the same rsa-key saved on my yubikey on slot 9a and use that key
using a windows OS pc with putty, on my putty I will ssh to the remote server using the same
key I imported from my yubikey.

My question is, how do I use the rsa keys save on my Yubikey slot 9a using a Putty on windows.
What settings I need to do to my Putty? how do I specify on putty to use the rsa keys save on my Yubikey.
what are the commands to run to specify which pkcs11 dll to use.
Do I need to use putty or putty-sc or putty-cac?

Thanks in advance
valgenova

Hi,

Searching the net, I was able to find the correct settings for my Yubikey 4 to work on a Windows putty-sc settings,
using my save rsa key on slot 9a of my Yubikey.

Here is what I did. I download the putty-sc, and download opensc-0.15.0-win32, also download the psearch.exe.
installed all the three installers. To know where my pkcs dll is stored, I run the psearch.exe, result say that the dll is
stored in c:\windows\system32\opensc-pkcs11.dll.(take note of this path, because this will be use for the pkcs#11 library)

I inserted my Yubikey 4 device.
Then I run the putty-sc, and configured it. On my putty-sc,From Category --> I click SSH then Pkcs11
From the menu window of Pkcs11 I put a check on the checkbox Attempt "PKCS#11 smart card" auth (SSH-2)
For the Authentication parameters PKCS#11 library for authentication, I browse my opensc-pkcs11.dll,
the file is stored in c:\windows\system32\opensc-pkcs11.dll (the psearch.exe result)
Token Label: will have a value when you click the dropdown arrow, the value is PIV_II (PIV Card Holder Pin)
Certificate Label: will also have a value when you click the dropdown arrow: the value is: Certificate for PIV Authentication

From the Category again, click Session, then type the hostname or ip address of the remote server where you stored your authorized_keys.
From the ssh: login as root (or any user you put to your remote server)
Passphrase for smartcard "PIV_II (PIV Card Holder pin) "type or yubikey PIN" then press enter
Your yubikey should be blinking, tap your Yubikey to login to the remote server. You should be able to login to your remote server.

Hope this guide will help others like me who are new to Yubikey.

Thanks in advance

valgenova

Unless you have a specific need for OpenSC or PKCS11, it is probably easier to use Putty-CAC though. It integrates directly with the Windows Crypto API which can natively access certificates on the PIV applet, so no need to install OpenSC.

Though note that certificates may not be visible on Windows 10 due to what looks like a bug in Yubico's recently released driver (uninstalling and using the Windows native driver works, see link).