wingetCollections
  • Auto
  • Search
  • Awesome Collections
  • Awesome Programs
  • My Favorite Collections
  • My Collections
  • Account / Settings
  • Terms of Service
  • Privacy
  • About

© 2025 winget.ragerworks.com

Loading...
Install PuTTY CAC using Winget - wingetCollections
  1. Go back
  2. Packages
  3. PuTTY CAC
PuTTY CAC logo

PuTTY CAC Simon Tatham

2fa cac capi certificate dod ecdsa mfa pkcs11 putty rsa smartcard ssh terminal
Use this command to install PuTTY CAC:
winget install --id=NoMoreFood.PuTTY-CAC -e

Windows Secure Shell Client With Support For Smart Cards & Certificates

PuTTY CAC is a Windows Secure Shell (SSH) client designed to provide enhanced security features for remote server access, with support for smart cards, digital certificates, and FIDO keys. It serves as a robust tool for securely connecting to servers while adhering to modern authentication standards.

Key Features:

  • Smart Card & Certificate Support: Enables users to authenticate using smart cards or digital certificates issued by trusted authorities.

README

PuTTY CAC

PuTTY CAC is a fork of PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI), Public Key Cryptography Standards (PKCS) libraries, or Fast Identity Online (FIDO) keys to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token.

PuTTY CAC can be used with many types of cryptographic tokens such as Yubikeys and popular smart card models. The 'CAC' in 'PuTTY CAC' refers to Common Access Card, a smart card token used for US Government facilities which was one of the initial drivers for the development of PuTTY CAC.

PuTTY CAC is maintained independently from the US Government by the open source community.

You can download the latest release of PuTTY CAC here: https://github.com/NoMoreFood/putty-cac/releases

PuTTY CAC source code and binaries are free to use for any purpose. The license can be found here: https://github.com/NoMoreFood/putty-cac/blob/master/code/LICENCE

Prerequisites

  • Microsoft Windows 10 or Later
  • For CAPI support, an appropriate Windows smart card mini-driver must be installed. This is typically provided by the smart card manufacturer although many common hardware tokens are supported by OpenSC.
  • For PKCS support, a PKCS #11 library (typically a DLL file) is needed to interface with the hardware token. This is typically provided by the smart card manufacturer although many common hardware tokens are supported by OpenSC.
  • For FIDO support, a FIDO key supported by Windows 10.

Usage

You can find a basic set of instructions on the usage of United States Government's ID Management website under the 'SSH Using PuTTY-CAC' section:

https://playbooks.idmanagement.gov/piv/engineer/ssh/

Command Line Usage

PuTTY CAC supports the same command line options as PuTTY with some additional, specialized options for PuTTY CAC specifically.

In place of a PuTTY key file path for any PuTTY utility, you can specific certificate thumbprint or application identifier. For example:

  • Connect to user@host using the certificate with thumbprint '716B8B58D8F2C3A7F98F3F645161B1BF9818B689' the user certificate store:
    putty.exe user@host -i CAPI:716B8B58D8F2C3A7F98F3F645161B1BF9818B689
  • Connect to user@host using the certificate with thumbprint 'B8B58D8F2C3A7F98F3F645161B1BF9818B689716' using PKCS library 'PKCS.dll':
    putty.exe user@host -i PKCS:B8B58D8F2C3A7F98F3F645161B1BF9818B689716=C:\PKCS.dll

Related Programs

Truthy logo

Truthy

fosslife
Cross-platform (desktop + mobile), secure, 2FA manager.
github.com
Protecc logo

Protecc

FireCubeStudios
Protecc is a modern open source 2FA TOTP code authenticator client for Windows with a wide range of customization and privacy features such as Windows Hello support, privacy filter and export.
github.com
Surfshark logo

Surfshark

Surfshark
Surf the web without tracking with a VPN, shield your devices with Antivirus, & guard your identity with an all-in-one app.
surfshark.com
Ente Auth logo

Ente Auth

ente
Open source 2FA authenticator, with end-to-end encrypted backups
github.com
Yubico Authenticator logo

Yubico Authenticator

Yubico AB
Authenticator to generate 2-step verification codes using your YubiKey
www.yubico.com
Authme logo

Authme

levminer
Authme is a two-factor authentication app, you can import from QR codes or Google Authenticator QR codes.
authme.levminer.com
Proton Authenticator logo

Proton Authenticator

Proton AG
Secure two-factor authentication app by Proton
proton.me
Kensington Fingerprint Application logo

Kensington Fingerprint Application

Kensington Computer Products Group
Tools and drivers for Kensington VeriMark fingerprint login devices.
customer.kensington.com
YubiKey Manager logo

YubiKey Manager

Yubico AB
This application provides an easy way to perform the most common configuration tasks on a YubiKey. The current version can: - Display the serial number and firmware version of a YubiKey - Configure a FIDO2 PIN - Reset the FIDO Applications - Configure the OTP Application. A YubiKey have two slots (Short Touch and Long Touch), which may both be configured for different functionality. This tool can configure a Yubico OTP credential, a static password, a challenge-response credential or an OATH HOTP credential in both of these slots. - Manage certificates and PINs for the PIV Application - Swap the credentials between two configured slots - Enable and disable USB and NFC interfaces
www.yubico.com
2FAGuard logo

2FAGuard

Timo Kössler
A modern and secure Windows app for managing 2FA authentication codes. Import existing tokens from other apps or export your data to use elsewhere. Use your fingerprint or face to access your tokens quickly and securely. Your data is encrypted using the latest security standards and stored securely on your device.
2faguard.app
Truthy logo

Truthy

fosslife
Cross-platform (desktop + mobile), secure, 2FA manager.
github.com
Protecc logo

Protecc

FireCubeStudios
Protecc is a modern open source 2FA TOTP code authenticator client for Windows with a wide range of customization and privacy features such as Windows Hello support, privacy filter and export.
github.com
Surfshark logo

Surfshark

Surfshark
Surf the web without tracking with a VPN, shield your devices with Antivirus, & guard your identity with an all-in-one app.
surfshark.com
Ente Auth logo

Ente Auth

ente
Open source 2FA authenticator, with end-to-end encrypted backups
github.com
Yubico Authenticator logo

Yubico Authenticator

Yubico AB
Authenticator to generate 2-step verification codes using your YubiKey
www.yubico.com
Authme logo

Authme

levminer
Authme is a two-factor authentication app, you can import from QR codes or Google Authenticator QR codes.
authme.levminer.com
Proton Authenticator logo

Proton Authenticator

Proton AG
Secure two-factor authentication app by Proton
proton.me
Kensington Fingerprint Application logo

Kensington Fingerprint Application

Kensington Computer Products Group
Tools and drivers for Kensington VeriMark fingerprint login devices.
customer.kensington.com
YubiKey Manager logo

YubiKey Manager

Yubico AB
This application provides an easy way to perform the most common configuration tasks on a YubiKey. The current version can: - Display the serial number and firmware version of a YubiKey - Configure a FIDO2 PIN - Reset the FIDO Applications - Configure the OTP Application. A YubiKey have two slots (Short Touch and Long Touch), which may both be configured for different functionality. This tool can configure a Yubico OTP credential, a static password, a challenge-response credential or an OATH HOTP credential in both of these slots. - Manage certificates and PINs for the PIV Application - Swap the credentials between two configured slots - Enable and disable USB and NFC interfaces
www.yubico.com
2FAGuard logo

2FAGuard

Timo Kössler
A modern and secure Windows app for managing 2FA authentication codes. Import existing tokens from other apps or export your data to use elsewhere. Use your fingerprint or face to access your tokens quickly and securely. Your data is encrypted using the latest security standards and stored securely on your device.
2faguard.app
Truthy logo

Truthy

fosslife
Cross-platform (desktop + mobile), secure, 2FA manager.
github.com
Protecc logo

Protecc

FireCubeStudios
Protecc is a modern open source 2FA TOTP code authenticator client for Windows with a wide range of customization and privacy features such as Windows Hello support, privacy filter and export.
github.com
Versions
0.83.0.1
0.82.0.1
0.82.0.0
0.81.0.0
0.80.0.0
0.79.0.0
0.78.0.1
0.77.0.1
0.77.0.0
0.76.0.4
Website
github.com
License
Last Updated
5/15/2025
  • FIDO Key Integration: Supports FIDO2 and U2F security keys for two-factor authentication, enhancing account security.
  • SSH Protocol Compliance: Offers full compatibility with the SSH protocol, ensuring secure communication between clients and servers.
  • User-Friendly Interface: Provides an intuitive graphical user interface for seamless navigation and configuration of connection settings.
  • Customizable Settings: Allows users to tailor session configurations, including port selection, encryption algorithms, and proxy support.

    • Audience & Benefit:
    Ideal for IT professionals, system administrators, and security teams who require secure access to remote systems. PuTTY CAC simplifies the process of implementing strong authentication methods, reducing risks associated with password-based login while maintaining compliance with organizational security policies. It can be installed via winget for easy setup on Windows environments.

  • Connect to user@host using FIDO key identified by 'ssh:MyFidoKey' from PuTTY CAC FIDO key cache:
    putty.exe user@host -i FIDO:ssh:MyFidoKey

    • PuTTY executables (putty.exe, pageant.exe, psftp.exe) support the following additional command line options. Most of these options are focused on the operation of Pageant and are also settable from its user interface. Once set, these options will apply automatically to subsequent executions unless specifically unset. Settings that filter Pageant certificate selection dialogs will also affect filter certificate selection dialogs in the standard PuTTY application:

    • Automatically load any compatible CAPI certificates at startup: -autoload,-autoloadoff
    • Save key list between PuTTY executions: -savecertlist,-savecertlistoff
    • Enable supplementary PIN caching in Pageant: -forcepincache,-forcepincacheoff
    • Prompt when certificate signing operation is requested: -certauthprompting,-certauthpromptingoff
    • Only display trusted certificates in certificate selection dialogs: -trustedcertsonly,-trustedcertsonlyoff
    • Do not display expired certificates in certificate selection dialogs: -ignoreexpiredcerts,-ignoreexpiredcertsoff
    • Disable all filtering in certificate selection dialogs: -allowanycert,-allowanycertoff

    Special Considerations

    Certificates

    For the purposes of PuTTY CAC, the certificate is simply a convenient way to reference a private/public key pair. If you want to use PuTTY CAC to securely logon to your system and do not have access to a Certificate Authority (CA), the certificate can be self-signed. Conversely, PuTTY CAC can be used in conjunction with managed SSH servers to enforce multifactor authentication. This can be done by ensuring that the OpenSSH authorized_keys file only contains public keys associated with hardware tokens either procedurally or by creating an index of all issued certs and looking them up through OpenSSH directives like AuthorizedKeysCommand.

    Federal Information Processing Standards (FIPS) Compliance

    The specific code used to interface with the hardware token utilizes the Microsoft cryptographic libraries which in turn are governed by system-level FIPS settings (see Microsoft's website). Similarly, the hardware token that is used for signing authentication challenges is guaranteed to use FIPS compliant algorithms if the hardware key is FIPS certified; see the hardware token's manufacturer website for more information. PuTTY itself utilizes proprietary encryption and hashing once the SSH session is established which has not undergone evaluation for FIPS compliance or certification.

    Notes On Building PuTTY CAC

    Prerequisites

    • Visual Studio 2022 with C++ Desktop Application Development
    • WiX Toolset (to build the MSI files)
    • Windows PowerShell (to build the MSI/ZIP/Hash files)

    Building

    • Execute 'packager\build.cmd' to create build files
    • Visual Studio solution files will be generated under 'build'

    Dependencies

    • PuTTYImp is used to import existing FIDO resident keys. This links libfido2 statically; libfido2 and its binary dependencies are included in this repository. All other PuTTY executables have no dependencies other than those included within the Windows operating system and its associated SDKs.
    Ente CLI logo

    Ente CLI

    ente-io
    CLI for Ente Photos Deskop and Ente Auth
    github.com
    Ente CLI logo

    Ente CLI

    ente-io
    CLI for Ente Photos Deskop and Ente Auth
    github.com
    Ente CLI logo

    Ente CLI

    ente-io
    CLI for Ente Photos Deskop and Ente Auth
    github.com