[fpc-pascal] Synapse: SSH client+cryptlib+private key

Michael Van Canneyt michael at freepascal.org
Sat Feb 4 13:59:10 CET 2012


Hello,

I suspect more or less the same can be used to set up an HTTPS connection
with a known certificate?

Maybe this is something to be added to the WIKI?

Michael.

On Sat, 4 Feb 2012, Ludo Brands wrote:

>>
>> Hi all,
>>
>> I've been fiddling with connecting to an SSH server.
>>
>> Thanks to Ludo Brands' help I can use username/password with
>> Synapse (stable)+cryptlib.  I'm fiddling and trying to get
>> private key authentication to work.
>>
>> While this compiles and runs, Ethereal shows SSH traffic just
>> stops... (on a host that requires private key auth).
>>
>> What am I doing wrong (and/or is this even possible? Synapse
>> docs don't seem to indicate yes or no).
>>
>> Thanks,
>> Reinier
>>
>
> After some "fiddling" I finally got it working. There are some more fields
> needed for private key authorization:
>
>    FTelnetSend.Sock.SSL.PrivateKeyFile:='path to pkcs#15 formatted key file';
>    TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel:='the label that identifies the private key in the key file';
>    FTelnetSend.Sock.SSL.KeyPassword:='the passphrase for the key file';
>
> The first line is the most difficult to sort out. Neither ssh-keygen nor openssl
> supports pkcs#15. The pkcs#15 format is used in crypto cards but almost never
> in files. A little howto (perhaps there are shorter routes but I haven't
> found one):
> -Fire up your linux system
> -Modify /etc/ssl/openssl.conf and change/add the line "keyusage
> cRLSign,keyCertSign,nonRepudiation,digitalSignature,keyEncipherment". Openssl
> doesn't use keyusage internally but cryptlib is picky about this. I doubt
> all of the settings are required for SSH but this works for me. Note that
> there are several keyusage lines in the conf file. Modify them all if you
> are lazy (I did) ;)
> -Create a private key and self signed cert with "openssl req -x509 -days 365
> -newkey rsa: -nodes -keyout id_rsa.key -out id_rsa.crt"
> -If you haven't already installed cryptlib, download cl332.zip, unzip with
> -a in the dir of your choice and run "make" and "make shared". Copy libcl.a
> and libcl.so.3.3.2 to your system library dir. Create symlink libcl.so.
> -Download pemtrans from http://toroid.org/ams/pemtrans. Modify makefile to
> adapt paths for libraries and header files. "make"
> -run "pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass". id_rsa.p15
> is the file you assign to PrivateKeyFile, label is the string assigned to
> PrivateKeyLabel and p15pass is assigned to KeyPassword. Note that KeyPassword
> (p15pass) has nothing to do with the pass phrase for the private key use. It
> is a password protection for access to the private key in the p15 file. Here
> we have created a private key without pass phrase (-nodes). The label is an
> identification for the private key since p15 files can contain multiple
> keys.
> -now we need to transfer the public key to the ssh server. First we need to
> extract it from our key file: "chmod 600 id_rsa.key" then "ssh-keygen -y -f
> id_rsa.key > id_rsa.pub". ssh-keygen refuses to use a key-file that has
> group or world read access, hence the chmod.
> -transfer to host identified by hostname: "ssh-copy-id -i id_rsa.pub
> hostname". Enter password for user at hostname when prompted. If local user
> name and remote user name are different use "ssh-copy-id -i id_rsa.pub
> remoteuser@hostname"
> -test your config with "ssh -i id_rsa.key hostname" or "ssh -i id_rsa.key
> remoteuser@hostname"
>
> That's it.
>
> Ludo
>
> _______________________________________________
> fpc-pascal maillist  -  fpc-pascal at lists.freepascal.org
> http://lists.freepascal.org/mailman/listinfo/fpc-pascal
>
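As an added example (not code from the thread, and not Synapse's own documentation), the three assignments from Ludo's message pulled into a complete Free Pascal program: it uses Synapse's TTelnetSend with the cryptlib plugin (units tlntsend and ssl_cryptlib), points it at the PKCS#15 file produced by pemtrans, and reports the socket error if the handshake fails. Host name, user name, key file, label and password are placeholders; that TTelnetSend.SSHLogin, Sock.LastError and Sock.LastErrorDesc exist under these names is my assumption from the Synapse API, not something the thread states.

```pascal
program SshKeyAuthDemo;
{$mode objfpc}{$H+}

uses
  SysUtils, blcksock, ssl_cryptlib, tlntsend;

// Opens an SSHv2 session using public-key authentication and returns True
// on success; on failure AErr carries the socket error code and text.
// All parameter values come from the caller (placeholders in this demo);
// the key file is assumed to be a PKCS#15 file made with pemtrans.
function ConnectWithKey(const AHost, AUser, AKeyFile, AKeyLabel,
  AKeyPassword: string; out AErr: string): Boolean;
var
  T: TTelnetSend;
begin
  Result := False;
  AErr := '';
  T := TTelnetSend.Create;
  try
    T.TargetHost := AHost;
    T.TargetPort := '22';
    T.UserName := AUser;
    T.Password := '';        // assumption: left empty so only the key is offered
    T.Timeout := 10000;      // milliseconds

    // The three fields from Ludo's message. PrivateKeyLabel belongs to the
    // cryptlib plugin only, hence the cast to TSSLCryptLib.
    T.Sock.SSL.PrivateKeyFile := AKeyFile;     // id_rsa.p15 from pemtrans
    TSSLCryptLib(T.Sock.SSL).PrivateKeyLabel := AKeyLabel;
    T.Sock.SSL.KeyPassword := AKeyPassword;    // protects the key inside the .p15

    // SSHLogin connects the TCP socket, selects SSHv2 and runs the handshake.
    if not T.SSHLogin then
    begin
      AErr := Format('SSH login failed: %d %s',
        [T.Sock.LastError, T.Sock.LastErrorDesc]);
      Exit;
    end;
    Result := True;
    T.Logout;
  finally
    T.Free;
  end;
end;

var
  Err: string;
begin
  // Placeholder values; replace with your own host, user and key material.
  if ConnectWithKey('ssh.example.invalid', 'remoteuser',
       'id_rsa.p15', 'label', 'p15pass', Err) then
    WriteLn('Key authentication succeeded')
  else
    WriteLn(Err);
end.
```

Compile with fpc against the Synapse source directory and the cryptlib library installed as described above (libcl.so on the library path). Checking Sock.LastError after SSHLogin is what tells a silently stalled handshake, as Reinier saw in Ethereal, apart from a successful one.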