-rawsettings DetachedCertificate -hostkey and Load Authorities from PuTTY


koka


Connect using a certificate with:
winscp.exe sftp://_@127.0.0.1:2200/ /hostkey="ecdsa-sha2-nistp256-cert-v01@openssh.com 256 HGzeMguvVfTsMb+WfkqmjZNXaeVcBXCQqXyjKUBy9pA" /rawsettings DetachedCertificate="C:\Users\user_\.ssh\id_rsa-cert.pub"
is possible if the option Security > Load Authorities from PuTTY is enabled as SshHostCAsFromPuTTY=1 and the host certificate is specified in:
[HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostCAs\X]
"PublicKey"="AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDm48o80E2Ah5JFxqRzYzRN5hJx2y1+Pkukace/j1n0aw+6CemCSz2o4T+n7CG9yyneWggyz59eser70VOLI3A="
"Validity"="*"
If you change SshHostCAsFromPuTTY=0, then you will not be able to connect. This is because
-hostkey="ecdsa-sha2-nistp256-cert-v01@openssh.com 256 HGzeMguvVfTsMb+WfkqmjZNXaeVcBXCQqXyjKUBy9pA"
changed SSHManualHostKeys
as
plink -v _@127.0.0.1:2200 -hostkey AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDm48o80E2Ah5JFxqRzYzRN5hJx2y1+Pkukace/j1n0aw+6CemCSz2o4T+n7CG9yyneWggyz59eser70VOLI3A= -cert C:\Users\user_\.ssh\id_rsa-cert.pub
and that's right, if it's not a certificate, but if it's a certificate, then you need to change:
[...\SshHostCAs\X]
"PublicKey"="AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDm48o80E2Ah5JFxqRzYzRN5hJx2y1+Pkukace/j1n0aw+6CemCSz2o4T+n7CG9yyneWggyz59eser70VOLI3A="
"Validity"="*"
to connect.
Where PublicKey and Validity are from the file ~/.ssh/X:
@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDm48o80E2Ah5JFxqRzYzRN5hJx2y1+Pkukace/j1n0aw+6CemCSz2o4T+n7CG9yyneWggyz59eser70VOLI3A=

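The mapping described in the post above, from the `@cert-authority` line to the `SshHostCAs` registry values, as an added example (not code from this thread, WinSCP or PuTTY). It assumes a single plain host pattern can be copied into `Validity` unchanged, as the post does with `*`; `parse_ca_line` and `to_reg` are hypothetical names.

```python
import base64
import hashlib

# CA line from ~/.ssh/X as quoted in the post above.
SAMPLE = ("@cert-authority * ecdsa-sha2-nistp256 "
          "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDm48o80E2Ah5JFxqRzYzRN5hJx2y1+Pkukace/j1n0aw+6CemCSz2o4T+n7CG9yyneWggyz59eser70VOLI3A=")
REG_PATH = r"HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostCAs"


def parse_ca_line(line):
    """Split a known_hosts CA line and sanity-check the key blob."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "@cert-authority":
        raise ValueError("not a @cert-authority line")
    hosts, key_type, b64 = fields[1:4]
    if key_type.endswith("-cert-v01@openssh.com"):
        raise ValueError("this is a certificate, not a CA public key")
    # Assumption: only a single plain pattern is carried over unchanged;
    # comma lists, negation and hashed hosts are rejected, not translated.
    if "," in hosts or hosts.startswith(("!", "|")):
        raise ValueError("host pattern needs manual translation")
    blob = base64.b64decode(b64, validate=True)
    # An SSH public key blob starts with a length-prefixed algorithm name;
    # it must agree with the key type written in the text field.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"validity": hosts, "key_type": key_type,
            "public_key": b64, "fingerprint": "SHA256:" + fp}


def to_reg(name, ca):
    """Render the two registry values shown in the post as .reg text."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s\\%s]" % (REG_PATH, name),
        '"PublicKey"="%s"' % ca["public_key"],
        '"Validity"="%s"' % ca["validity"],
        "",
    ])


if __name__ == "__main__":
    ca = parse_ca_line(SAMPLE)
    print(ca["fingerprint"])  # fingerprint of the CA key, for out-of-band checking
    print(to_reg("X", ca))
```
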


martin
Site Admin

Re: -rawsettings DetachedCertificate -hostkey and Load Authorities from PuTTY

I'm a bit confused. I do not use this much, but the DetachedCertificate is not related to the "Load Authorities from PuTTY", right? The first is about user authentication, while the latter is about host authentication.

What are you trying to do? Are you trying to verify a certified host key by passing the public key of the certificate in /hostkey?


martin
Site Admin

Ok, and does your plink example imply that it is possible with plink to use its -hostkey to specify a public key of the certificate? I do not even think that plink has any -cert switch.
