How to use OpenSSH certificates on Windows?
OpenSSH supports signing user keys with a certificate authority. From man ssh-keygen:
    ssh-keygen supports signing of keys to produce certificates that may
    be used for user or host authentication. Certificates consist of a
    public key, some identity information, zero or more principal (user
    or host) names and a set of options that are signed by a Certification
    Authority (CA) key.
In a pure Linux environment SSH certificates are quite easy to use. No problem for the server part (TrustedUserCAKeys) and on the client side ssh -i does the job.
I need to be able to use OpenSSH certificates from a Windows SSH client (the project is to deliver short-lived SSH certificates to sysadmins' Windows workstations after they have authenticated themselves using a company-specific auth scheme).
Cygwin is not an option (killing a fly with a hammer, and probably not acceptable to Windows admins), and PuTTY does not recognize OpenSSH certificates.
What would be other options?
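The Linux-side flow the question refers to, as an added example that is not part of the original post: a CA signs a user key with a short validity window, sshd trusts the CA through TrustedUserCAKeys, and the client passes the key with ssh -i. Every name and path here (ca_user_key, id_ed25519, the principal "alice", the "-5m:+1h" window) is an assumption made for the example; it only needs ssh-keygen on the PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the question): user-certificate issuance with ssh-keygen.
# All names and paths below are constructed for the example.
set -eu

# Create a CA key pair and a user key pair under $1.
# Empty passphrases are for the demo only; a real CA key belongs in an agent or HSM.
make_keys() {
  local dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$dir/ca_user_key"
  ssh-keygen -q -t ed25519 -N '' -C 'alice@workstation' -f "$dir/id_ed25519"
}

# Sign the user's public key with the CA and print the certificate path.
#   -s  CA private key        -I  key id (shows up in sshd's auth log)
#   -n  allowed login names   -V  validity window; "-5m:+1h" allows 5 minutes of
#                                 clock skew and expires in one hour (short-lived)
# ssh-keygen writes the certificate next to the key as id_ed25519-cert.pub.
sign_user_key() {
  local dir=$1 principal=$2 validity=${3:-"-5m:+1h"}
  ssh-keygen -q -s "$dir/ca_user_key" -I "$principal-$(date +%s)" \
    -n "$principal" -V "$validity" "$dir/id_ed25519.pub"
  printf '%s\n' "$dir/id_ed25519-cert.pub"
}

# List the principals a certificate was issued for, one per line, read back from
# the certificate itself (these are what sshd matches against the login name).
cert_principals() {
  ssh-keygen -L -f "$1" |
    awk '/Principals:/ { on = 1; next } /Critical Options:/ { on = 0 } on { print $1 }'
}

# Server side (sshd_config on the target host): one line makes sshd accept any user
# certificate signed by this CA, for the principals named in the certificate.
#   TrustedUserCAKeys /etc/ssh/ca_user_key.pub
# Client side: ssh -i "$dir/id_ed25519" alice@server
# ssh automatically loads id_ed25519-cert.pub sitting next to the key given with -i.

# Demo run: issue a one-hour certificate and show what was signed.
if command -v ssh-keygen >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_keys "$work"
  cert=$(sign_user_key "$work" alice)
  ssh-keygen -L -f "$cert"    # prints Key ID, "Valid: from ... to ...", Principals
  rm -rf "$work"
fi
```

The key id passed with -I is what appears in the server's auth log when the certificate is used, so tying it to the user and issue time makes the short-lived certificates traceable after the fact.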
If you can't end up figuring out a way to use the certs with PuTTY, there are lighter-weight ways to get the actual OpenSSH client on a Windows box than Cygwin. The most likely candidate that comes to mind is the Windows distribution of Git.
There's a standard installable version or a portable version that you can just unzip and run. It's basically bash, git, and ssh.
Slightly heavier, but at least native to the OS, is the Windows Subsystem for Linux, which could work if you have the Windows 10 Anniversary Update or later.
OpenSSH is now supported as an "optional feature" in Windows 10. Allegedly, OpenSSH 7.6p1 should be available at the usual place: Control Panel, selecting Programs | Programs and Features | Turn Windows features on or off. You can also access this wizard directly by typing "optionalFeatures" from the Windows Start prompt.
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://www.bleepingcomputer.com/news/microsoft/heres-how-to-enable-the-built-in-windows-10-openssh-client/
Hope they don't kick out certificate authentication, as they apparently did with the OpenSSH server "feature".
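Using a certificate from the OpenSSH client on Windows, as an added example that is not part of either answer: the command-line options are the same whether ssh.exe from the optional feature is run from PowerShell, or ssh runs in Git for Windows bash or WSL. Because the certificates in the question are short-lived, the example checks the certificate's validity window (as reported by ssh-keygen -L) before connecting and passes the certificate explicitly with CertificateFile, an option present since OpenSSH 7.2 and therefore in the 7.6p1 client mentioned above. The paths, the host "bastion.example" and the user "alice" are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the answers): connect with an OpenSSH user certificate
# from the Windows OpenSSH client, refusing to try an already-expired certificate.
# Paths, host and user below are constructed for the example.
set -eu

# Read the end of the validity window from `ssh-keygen -L` output on stdin.
# Prints the "to" timestamp (local time, ISO 8601) or "forever".
cert_valid_to() {
  awk '/Valid:/ { print $NF; exit }'
}

# Exit 0 if the certificate listing on stdin is still within its validity window.
# ISO 8601 timestamps sort lexically, so a string compare avoids GNU-date-only parsing.
cert_unexpired() {
  local valid_to now
  valid_to=$(cert_valid_to)
  [ "$valid_to" = forever ] && return 0
  now=$(date +%Y-%m-%dT%H:%M:%S)
  awk -v now="$now" -v exp_at="$valid_to" 'BEGIN { exit !(now < exp_at) }'
}

# Connect with an explicit key and certificate. ssh also picks up <key>-cert.pub
# automatically next to the -i key; naming it with CertificateFile keeps the
# dependency visible, and IdentitiesOnly stops the client from offering every key
# in the agent before the certificate.
ssh_with_cert() {
  local key=$1 cert=$2 target=$3
  if ! ssh-keygen -L -f "$cert" | cert_unexpired; then
    echo "certificate $cert has expired; obtain a new one before connecting" >&2
    return 1
  fi
  ssh -i "$key" -o "CertificateFile=$cert" -o IdentitiesOnly=yes "$target"
}

# Usage (the same ssh options work with the built-in ssh.exe from PowerShell or cmd):
#   ssh_with_cert ~/.ssh/id_ed25519 ~/.ssh/id_ed25519-cert.pub alice@bastion.example
```

With the built-in client the key and certificate normally live under %USERPROFILE%\.ssh, and the same IdentityFile and CertificateFile settings can be put in %USERPROFILE%\.ssh\config per host instead of on the command line.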