Getting Access to GIT Repositories on the CDN


Please make sure that you have registered at the CardContact Developer Network before trying to access the GIT repositories. Repository access requires the CDN key on your SmartCard-HSM as SSH key. Keys newly registered at the CDN will take a least an hour to be populated in the repositories (Update happens every 17 minutes after the hour). If you registered before Feb 24th, 2015, then you will need to redo the certificate issuance process (using requestcert.js). Your account information at the CDN will remain unchanged, only the new key will be populated for SSH access.

On Linux you will need to install OpenSC at least in version 0.13.

On Windows you will need to install OpenSC, the SmartCard-HSM Driver for Windows and PuTTY-CAC. All packages can be found in the Starterkit. Please use the PuTTY-CAC version from the Starterkit, which is newer than the one posted on the PuTTY-CAC website.


First you will need to register the SmartCard-HSM with the SSH authentication agent

$ ssh-add -s /usr/local/lib/
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/

Your new key should be available in the agent now.

$ ssh-add -l
2048 4f:9b:42:53:87:cc:53:93:14:5d:56:cc:26:f3:ea:9b /usr/local/lib/

If you are getting an error message while adding the shared object, then please make sure that ssh-agent is running (ps aux | grep agent should show ssh-agent). On newer (>=14.04) versions of Ubuntu the ssh-agent is replaced by gnome-keyring, which does not support adding PKCS#11 modules. On such systems you must disable the ssh component in gnome-keyring by adding the line


to /etc/xdg/autostart/gnome-keyring-ssh.desktop.

If you now connect via SSH to port 222 on, you should see a list of repositories:

$ ssh -p 222
PTY allocation request failed on channel 0
hello, this is git@pasta running gitolite3 v3.6.2-4-g2471e18 on git

 R      scsh-mods
 R W    testing
Connection to closed.

Now you can clone from the GIT repositories at the CDN:

$ git clone ssh:// scsh
Cloning into 'scsh'...
remote: Counting objects: 82, done.
remote: Compressing objects: 100% (78/78), done.
remote: Total 82 (delta 33), reused 0 (delta 0)
Receiving objects: 100% (82/82), 103.96 KiB, done.
Resolving deltas: 100% (33/33), done.

Please note that you need to specify the URL with the ssh: protocol and non-standard port 222.


You will need to download and install the GIT client for Windows.

During installation you will be asked if you want to use plink from PuTTY for authentication. This must be selected.

You can test SSH connectivity with the CDN using PuTTY-CAC and the CAPI configuration.

Once you are able to see the list of repositories, you need to start pageant and via the tray icon's context menue add the CDN certificate with "View Keys" / "Add CAPI Certificate".

To check connectivity you should follow these steps:

  1. Install OpenSC from the Starterkit. On a 64-bit system you need to install both, the 32 and 64 bit version.
  2. Run putty.exe from putty-cac in the Starterkit.
  3. Select the CDN certificate from your SmartCard-HSM as shown here for the CAPI Mode.
  4. Enter "" as host for ssh, select port 222 and select "Close windows on exit": Never. Press "Open".
  5. At the "Login as: " prompt enter "git"
  6. putty should ask for your SmartCard-HSM PIN.
  7. The server at should present you with a list of repositories you can access. You also get an error message like "Server refused to allocate pty" - That is OK, because you don't get full shell access but only access to the GIT repo.
  8. Start pageant.exe from the putty-cac.
  9. On the tray menu for pageant select "View keys".
  10. Select "Add CAPI Cert" and choose your CDN certificate from the list.
  11. Run putty again, this time without selecting a CAPI like in step 3 (Putty now uses the certificate you registered in pageant).
  12. Install GIT and select the plink option with the plink.exe from putty-cac.
  13. Run GIT Bash
  14. Enter "git clone ssh:// scsh"

Mac OS X

On MacOS X you will need to update the OpenSSH package, as the one supplied by Apple has a bug.