[fpc-pascal] Synapse: SSH client+cryptlib+private key
Ludo Brands
ludo.brands at free.fr
Sat Feb 4 07:34:27 CET 2012
>
> Hi all,
>
> I've been fiddling with connecting to an SSH server.
>
> Thanks to Ludo Brands' help I can use username/password with
> Synapse (stable)+cryptlib. I'm fiddling and trying to get
> private key authentication to work.
>
> While this compiles and runs, Ethereal shows SSH traffic just
> stops.. (on a host that requires private key auth).
>
> What am I doing wrong (and/or is this even possible - Synapse
> docs don't seem to indicate yes or no).
>
> Thanks,
> Reinier
>
After some "fiddling" I finally got it working. There are some more fields
needed for private key authorization:
FTelnetSend.Sock.SSL.PrivateKeyFile:='path to pkcs#15 formated key
file';
TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel:='the label that
identifies the private key in the key file';
FTelnetSend.Sock.SSL.KeyPassword:='the passphrase for the key file';
The first line is the most difficult to sort out. ssh_keygen nor openssl
support pkcs#15. The pkcs#15 format is used in crypto cards but almost never
in files. A little howto (perhaps there are shorter routes but I haven't
found one):
-Fire up your linux system
-Modify /etc/ssl/openssl.conf and change/add the line "keyusage
cRLSign,keyCertSign,nonRepudation,digitalSignature,keyEncipherment". Openssl
doesn't use keyusage internally but cryptlib is picky about this. I doubt
all of the settings are required for SSH but this works for me. Note that
there are several keyusage lines in the conf file. Modify them all if you
are lazy (I did) ;)
-Create a private key and self signed cert with "openssl req -x509 -days 365
-newkey rsa: -nodes -keyout id_rsa.key -out id_rsa.crt"
-If you haven't already installed cryptlib, download cl332.zip, unzip with
-a in the dir of your choice and run "make" and "make shared". Copy libcl.a
and libcl.so.3.3.2 to your system library dir. Create symlink libcl.so.
-Download pemtrans from http://toroid.org/ams/pemtrans. Modify makefile to
adapt paths for libraries and header files. "make"
-run "pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass". id_rsa.p15
is the file you assign to PrivateKeyFile, label is the string assigned to
PrivateKeyLabel and p15pas is assigned to KeyPassword. Note that KeyPassword
(p15pass) has nothing to do with the pass phrase for the private key use. It
is a password protection for access to the private key in the p15 file. Here
we have created a private key without pass phrase(-nodes). The label is an
identification for the private key since p15 files can contain multiple
keys.
-now we need to transfer the public key to the ssh server. First we need to
extract it from our key file: "chmod 600 id_rsa.key" then "ssh-keygen -y -f
id_rsa.key > id_rsa.pub". ssh-keygen refuses to use a key-file that has
group or world read access, hence the chmod.
-transfer to host identified by hostname: "ssh-copy-id -i id_rsa.pub
hostname". Enter password for user at hostname when prompted. If local user
name and remote user name are different use "ssh-copy-id -i id_rsa.pub
remoteuser at hostname"
-test your config with "ssh -i id_rsa.key hostname" or "ssh -i id_rsa.key
remoteuser at hostname"
That's it.
Ludo
More information about the fpc-pascal
mailing list