WinSCP with PuTTY-CAC


jdantzler

I am trying to use WinSCP 5.1.1 with PuTTY-CAC for authentication. However, anytime I try to connect to our server, Pageant seems to fail to communicate. Here is the log:
. 2012-12-07 07:27:04.652 Pageant is running. Requesting keys.
. 2012-12-07 07:27:04.655 Failed to get reply from Pageant
! 2012-12-07 07:27:04.655 Using username "USERNAME".
. 2012-12-07 07:27:06.560 Prompt (7, SSH password, , &Password: )
. 2012-12-07 07:27:07.855 Attempt to close connection due to fatal exception:
. 2012-12-07 07:27:07.855 Closing connection.
. 2012-12-07 07:27:07.855 Sending special code: 12
* 2012-12-07 07:27:07.964 (ESshFatal) 
The last version of WinSCP that will work with PuTTY-CAC without any problems is 4.2.9. I really would like to be able to upgrade our WinSCP, but I cannot do so because we have to use PuTTY-CAC. So my question is: can support be added in these newer versions to support PuTTY-CAC once again? What changed from 4.2.9 to newer versions for it to stop working?

PuTTY-CAC can be found here: https://github.com/NoMoreFood/putty-cac/releases


martin
Site Admin

Re: WinSCP with Putty-CAC

Is the PuTTY-CAC Pageant different from the one that is in standard PuTTY package? Does it have some CAC-specific functionality?


jdantzler

PuTTY-CAC is supposed to be in sync with the latest PuTTY (0.62). However, when you view the version information it says, "unidentified build". PuTTY-CAC adds support for MS-CAPI for CACs. Like I said before, PuTTY-CAC works fine with older versions up to 4.2.9 but nothing after that for some reason. Thanks.


martin
Site Admin

@jdantzler: OK, I'm asking whether the CAC Pageant is the same as in standard PuTTY or if there's something special in the CAC Pageant. I.e. does the CAC Pageant allow WinSCP to use CAC? Or do you use CAC Pageant with WinSCP only because you use the CAC package in general? What if you replace the CAC Pageant with the standard one? Would WinSCP work? (I suppose it would). Would it break anything in your workflow? Also, can you authenticate using the latest standard PuTTY via the CAC Pageant?


jdantzler

Yes, the CAC Pageant uses our CAC to authenticate with WinSCP. If I were to replace the CAC Pageant with the regular one, there would be no way for us to use our CACs to access the server. CAC Pageant has a built-in extra button, "Add CAPI Cert". We use this button to add our CAPI Cert from our CAC for authentication. The only thing I can think of is something is not quite right with PuTTY-CAC. Although it says it is updated to be in sync with the regular PuTTY (0.62), something must be messed up. We have to use PuTTY-CAC as there is no other way that I know of around this. I have already contacted the developer of PuTTY-CAC and I am waiting on a response. It's been over three weeks so far. I just was unsure if there was something that could be fixed on this end or not.


martin
Site Admin

Thanks for the explanation.
So, can you authenticate using the latest standard PuTTY via the CAC Pageant?

Note that there has been a change in how PuTTY (or WinSCP) and Pageant communicate in PuTTY 0.61. So PuTTY 0.61 does not talk to Pageant 0.60. Though PuTTY 0.62 fixed that. It now talks to both old and new Pageants. The same for the latest WinSCP.


jdantzler

The way we authenticate, I don't think we even need to use PuTTY at all. We do not use PuTTY Private Keys in Pageant. I am almost certain Pageant CAC doesn't use PuTTY for authentication. I can just have Pageant CAC on a computer without any PuTTY and it will work on WinSCP 4.2.9, I believe. Correct me if I am wrong. How would I test this for sure?


jdantzler

Ok, I just modified the source code for it and I got it working finally. It appears that the developer accidentally deleted some necessary code from the original PuTTY. Thanks for all your help.


pivinoperable
Guest

@jdantzler: Appreciate the information in this thread. Was able to get the latest PuTTY-CAC working with WinSCP 4.2.9. Any chance you still have the file with the code change for the later version of WinSCP?


jdantzler

@pivinoperable: See attached. This is PuTTY-CAC updated/modified to 0.63 by me. This should work with newer versions of WinSCP for you. All the executables are in the executable folder if you don't want to compile and build the code yourself. Hope this helps.

<Attachment made inaccessible by admin – see below>
  • PuTTY CAC 0.63 With Original Pageant.zip (2.39 MB, Private file)
Description: PuTTY-CAC 0.63 (Updated/Modified by me)


williawh

FYI - Attached File Corrupted

PuTTY CAC 0.63 With Original Pageant.zip has a Trojan.Gen.2 according to my Symantec Endpoint Protection...

Description: Trojan.Gen.2 virus detected

Trogen.Gen.2.jpg


martin
Site Admin

Re: FYI - Attached File Corrupted

@williawh: Thanks. Might be a false positive. While VirusTotal has 10 positives, all are quite generic (same as yours). In any case, as the binary is severely outdated, I've made it inaccessible to the public.


williawh

Re: FYI - Attached File Corrupted

Thank you Martin. I did not think about false positive... I am working with my Sys Admin to get connection. Apparently I was not aware of other important steps I must take...
Transferring files to a Windows VM using WinSCP:
If a file transfer to a VM running a Windows OS is needed, follow the following steps:
  1. Go to Settings>Apps & Features>Optional Features>Add a feature.
  2. Type in 'SSH' and install everything that comes up.
  3. Search for 'Services'
  4. Find 'OpenSSH Authentication Agent' and double click on it to see the properties.
  5. Change the 'Startup type:' to 'Automatic' and click on 'Apply.'
  6. Under 'Service status:' click on 'Start' and click on 'Apply' and then 'OK.'
  7. Repeat steps 4 through 6 for the 'OpenSSH SSH Server' service.
The WinSCP settings should be the same as the settings used for a Linux VM (both use SFTP).

I should have asked him first smh...
Thanks
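
The GUI steps listed in the post above can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the stock Windows service names `ssh-agent` (OpenSSH Authentication Agent) and `sshd` (OpenSSH SSH Server) and the default SSH port 22.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the GUI steps in the post above.

# Steps 1-2: install the OpenSSH optional features that are not yet present.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'OpenSSH*' -and $_.State -ne 'Installed' } |
    ForEach-Object {
        Write-Host "Installing $($_.Name)"
        Add-WindowsCapability -Online -Name $_.Name | Out-Null
    }

# Steps 3-7: set both services to start automatically, then start them.
# 'ssh-agent' = OpenSSH Authentication Agent, 'sshd' = OpenSSH SSH Server.
foreach ($name in 'ssh-agent', 'sshd') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found; the feature install may have failed."
        continue
    }
    Set-Service -Name $name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
}

# Verify: both services are running, and show which local addresses accept
# SSH connections, since enabling the server adds a listener on this machine.
Get-Service -Name ssh-agent, sshd -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType
Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The script is safe to re-run: features already installed and services already running are left as they are.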


williawh

Re: FYI - Attached File Corrupted

Turns out it was so easy I was making it difficult.
As soon as I tunnel in to the Server on site with Putty CAC and sign in with Smart Card
all I had to do was:
File Protocol: SFTP
Host Name: 127.0.0.[last IP octet of Host] // (same as source IP in above PuTTY-CAC config)
Port Number: 22
Your user name and password for the login should be your dev machine account login information
BOOM!!! I was in!
What an awesome tool.
Thanks,
William
