Hi all,

Thanks to Ludo Brands I've managed to get simple SSH client code working
in Lazarus/FreePascal/Synapse trunk/Cryptlib on Windows.

He found out a way to use private key authentication instead of passwords:
http://www.mail-archive.com/fpc-pascal@lists.freepascal.org/msg27295.html

I'm wondering if there's a quicker/easier way to:
1. use OpenSSH private key with FPC/Synapse/cryptlib SSH
2. perhaps generate the key yourself (I've skimmed through the cryptlib
manual; perhaps it makes sense to use that).
I'd be especially glad with links to any example source code or tools ;)

Thanks,
Reinier 

================================================================

Ludo's way of getting a private key
After some "fiddling" I finally got it working. There are some more
fields needed for private key authorization:

    FTelnetSend.Sock.SSL.PrivateKeyFile:='path to pkcs#15 formatted key file';
    TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel:='the label that identifies the private key in the key file';
    FTelnetSend.Sock.SSL.KeyPassword:='the passphrase for the key file';

The first line is the most difficult to sort out. Neither ssh-keygen nor
openssl supports PKCS#15. The PKCS#15 format is used in crypto cards but
almost never in files. A little howto (perhaps there are shorter routes
but I haven't found one):
-Fire up your linux system

-Modify /etc/ssl/openssl.conf and change/add the line
"keyUsage = cRLSign,keyCertSign,nonRepudiation,digitalSignature,keyEncipherment".
Openssl doesn't use keyUsage internally but cryptlib is picky about
this. I doubt all of the settings are required for SSH but this works
for me. Note that there are several keyUsage lines in the conf file.
Modify them all if you are lazy (I did).

-Create a private key and self signed cert with

    openssl req -x509 -days 365 -newkey rsa: -nodes -keyout id_rsa.key -out id_rsa.crt

-If you haven't already installed cryptlib, download cl332.zip, unzip
with -a in the dir of your choice and run "make" and "make shared". Copy
libcl.a and libcl.so.3.3.2 to your system library dir. Create symlink
libcl.so.

-Download pemtrans from http://toroid.org/ams/pemtrans. Modify makefile
to adapt paths for libraries and header files. "make"

-Run "pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass".
id_rsa.p15 is the file you assign to PrivateKeyFile, label is the string
assigned to PrivateKeyLabel and p15pass is assigned to KeyPassword. Note
that KeyPassword (p15pass) has nothing to do with the passphrase for
the private key itself. It is a password protection for access to the
private key in the p15 file. Here we have created a private key without
passphrase (-nodes). The label is an identification for the private key
since p15 files can contain multiple keys.

-Now we need to transfer the public key to the ssh server. First we need
to extract it from our key file: "chmod 600 id_rsa.key" then "ssh-keygen
-y -f id_rsa.key > id_rsa.pub". ssh-keygen refuses to use a key file
that has group or world read access, hence the chmod.

-Transfer to host identified by hostname: "ssh-copy-id -i id_rsa.pub
hostname". Enter password for user at hostname when prompted. If local
user name and remote user name are different use "ssh-copy-id -i
id_rsa.pub remoteuser@hostname".

-Test your config with "ssh -i id_rsa.key hostname" or "ssh -i
id_rsa.key remoteuser@hostname".

That's it.

Ludo
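As an added illustration (not code from either post, and not Synapse's own demo code), here is a complete FreePascal program that puts Ludo's three fields together with Synapse's TTelnetSend over the cryptlib SSL/SSH plugin. The host name, user name, key path, label and password are placeholders you replace with the values produced by the pemtrans step; the program assumes Synapse trunk with the ssl_cryptlib unit and the cryptlib shared library reachable by the loader.

```pascal
program sshkeyauth;
{$mode objfpc}{$H+}

uses
  SysUtils,
  blcksock,       // TTCPBlockSocket, SSL type constants (LT_SSHv2)
  ssl_cryptlib,   // registers TSSLCryptLib as the SSL/SSH plugin
  tlntsend;       // TTelnetSend: telnet/SSH client used by the original post

{ Open an SSH session authenticated with the PKCS#15 key file produced by
  pemtrans, run one command and return its output. Returns False when the
  key-based login fails; the cryptlib error is written to stdout. }
function RunOverSsh(const Host, User, KeyFile, KeyLabel, KeyPass,
  Command: string; out Output: string): Boolean;
var
  T: TTelnetSend;
begin
  Result := False;
  Output := '';
  T := TTelnetSend.Create;
  try
    T.TargetHost := Host;
    T.TargetPort := '22';
    T.UserName := User;
    T.Password := '';                     // unused: key authentication only
    T.Sock.SSL.SSLType := LT_SSHv2;       // ask cryptlib for SSHv2, not TLS
    // The three fields from Ludo's post:
    T.Sock.SSL.PrivateKeyFile := KeyFile; // id_rsa.p15 from pemtrans
    TSSLCryptLib(T.Sock.SSL).PrivateKeyLabel := KeyLabel; // "label" argument
    T.Sock.SSL.KeyPassword := KeyPass;    // "p15pass", protects the p15 file
    if not T.SSHLogin then
    begin
      WriteLn('SSH login failed: ', T.Sock.SSL.LastError, ' ',
        T.Sock.SSL.LastErrorDesc);
      Exit;
    end;
    T.Send(Command + #10);
    Sleep(1000);                          // crude: wait for the remote reply
    Output := T.Recv;
    T.Logout;
    Result := True;
  finally
    T.Free;
  end;
end;

var
  Reply: string;
begin
  // Placeholder values (assumptions): substitute your own host, user,
  // pemtrans output file, key label and p15 password.
  if RunOverSsh('hostname', 'remoteuser', 'id_rsa.p15', 'label', 'p15pass',
    'uname -a', Reply) then
    WriteLn(Reply)
  else
    Halt(1);
end.
```

On Windows the cryptlib DLL must be present next to the executable or on the PATH before ssl_cryptlib can register itself; if it is missing, SSHLogin fails before any key is read, so check LastErrorDesc first when debugging. The Sleep/Recv pair is only for demonstration; in real code use WaitFor on a known prompt string instead.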

_______________________________________________
synalist-public mailing list
synalist-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synalist-public