Is it possible to use CA signed keys to SSH from Windows to Linux with PuTTY?


OpenSSH certificates are not implemented in anything other than OpenSSH (yet). It was discussed some time ago on the openssh-unix-dev mailing list (thread):

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-May/035992.html

The best chance you have is really with Cygwin on Windows or with the "native Win32" application made by Windows developers, which "should work" at this moment:

https://github.com/PowerShell/Win32-OpenSSH/wiki/Project-Status


Author: Andrew Savinykh

Updated on September 18, 2022

Comments

  • Andrew Savinykh over 1 year

    A number of Linux servers have been set up so that they have TrustedUserCAKeys in their sshd_config.

    My public ssh key is not and should not be installed on any of these servers. Instead, when I need access to any of these services, I get a piece of software to sign my public ssh key with the CA certificate that the servers trust as above. The issued signature is short-timed so it's valid, say, for half an hour.

    Say my private key is stored in the mykey file and my public key is stored in the mykey.pub file. So said piece of software authenticates me and, when it's satisfied that I have the necessary access, issues me with a signature of my mykey.pub, which I then store in the mykey-cert.pub file. With all three files in the current directory I issue this command on Linux:

    ssh -i mykey myname@server
    

    and I'm in.

    I would like to be able to access these Linux servers from Windows too. I of course could try and use Cygwin or MSYS ssh, but I like the convenience of PuTTY.

    Is there any way for me to make PuTTY understand and communicate my CA signed key to the servers?

    • Andrew Savinykh almost 7 years
      Looks like PuTTY does not support it. Bummer!
    • Spiff almost 7 years
      Looks like you found your own answer. Please post it as a proper Answer (rather than just a comment), and then accept your own Answer by clicking the checkmark next to your Answer. That way SuperUser will show that this question has been resolved.
    • Andrew Savinykh almost 7 years
      @Spiff it's a good practice to keep questions open for a few days to give others a chance to contribute.
    • Ramhound almost 7 years
      @AndrewSavinykh You clearly have an answer. You should submit an answer today. A few days won't change the fact you have an answer. If somebody submits a better answer you can always change your accepted answer. PuTTY doesn't support it, that won't change in a few days, that will never change until the software is updated.
    • Andrew Savinykh almost 7 years
      @Ramhound, I'm always surprised by the ingenuity of our excellent community, who can come up with unexpected and brilliant answers when you least expect that. You could be surprised. But even if not - no harm done.
    • Ramhound almost 7 years
      Doesn't change the fact you should still submit your answer.
    • Andrew Savinykh almost 7 years
      @Ramhound I totally intend to.
    • SimonJGreen over 6 years
      @AndrewSavinykh When do you think you'll do that?
    • Andrew Savinykh over 6 years
      @SimonJGreen thank you for reminding me, I accepted the answer.
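
The mykey-cert.pub file described in the question is an OpenSSH certificate, and its half-hour validity window is the usual reason such a key stops being accepted. The following is an added example, not code from the question, the answer or the OpenSSH project: it reads the validity window and principals of an ed25519 certificate following the field layout in OpenSSH's PROTOCOL.certkeys, without verifying the CA signature. The function names and the constructed sample certificate (dummy key material, principal `myname`) are assumptions made for illustration.

```python
import base64
import struct
# Added example: names are illustrative; field order follows OpenSSH PROTOCOL.certkeys.
def _string(buf, off):
    """Read an SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert_line(line):
    """Parse one line of an ed25519 *-cert.pub file. Does NOT verify the CA signature."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    inner, off = _string(blob, 0)
    if key_type != "ssh-ed25519-cert-v01@openssh.com" or inner.decode() != key_type:
        raise ValueError("not an ed25519 OpenSSH certificate")
    _nonce, off = _string(blob, off)
    _pubkey, off = _string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _string(blob, off)
    packed, off = _string(blob, off)          # principals: strings packed in a string
    principals, p = [], 0
    while p < len(packed):
        name, p = _string(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "type": {1: "user", 2: "host"}.get(cert_type, "unknown"),
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def is_valid_at(cert, now):
    """sshd accepts a certificate only when valid_after <= now < valid_before."""
    return cert["valid_after"] <= now < cert["valid_before"]

def _s(b):
    return struct.pack(">I", len(b)) + b

def constructed_cert(issued, lifetime=1800):
    """Constructed sample: dummy key material and signature, half-hour validity."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(t) + _s(b"\x00" * 32) + _s(b"\x01" * 32) + struct.pack(">QI", 1, 1)
            + _s(b"constructed-key-id") + _s(_s(b"myname"))
            + struct.pack(">QQ", issued, issued + lifetime)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"dummy-ca-key") + _s(b"dummy-signature"))
    return t.decode() + " " + base64.b64encode(body).decode() + " constructed"

if __name__ == "__main__":
    cert = parse_cert_line(constructed_cert(1_700_000_000))
    print(cert, is_valid_at(cert, 1_700_000_000 + 900))
```

On a machine with OpenSSH installed, `ssh-keygen -L -f mykey-cert.pub` prints the same fields for a real certificate.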