> Hi all,
>
> I've been fiddling with connecting to an SSH server.
>
> Thanks to Ludo Brands' help I can use username/password with
> Synapse (stable)+cryptlib. I'm fiddling and trying to get
> private key authentication to work.
>
> While this compiles and runs, Ethereal shows SSH traffic just
> stops.. (on a host that requires private key auth).
>
> What am I doing wrong (and/or is this even possible - Synapse
> docs don't seem to indicate yes or no).
>
> Thanks,
> Reinier
After some "fiddling" I finally got it working. There are some more fields needed for private key authorization:

  FTelnetSend.Sock.SSL.PrivateKeyFile := 'path to pkcs#15 formatted key file';
  TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel := 'the label that identifies the private key in the key file';
  FTelnetSend.Sock.SSL.KeyPassword := 'the passphrase for the key file';

The first line is the most difficult to sort out. Neither ssh-keygen nor openssl supports pkcs#15. The pkcs#15 format is used in crypto cards but almost never in files. A little howto (perhaps there are shorter routes but I haven't found one):

- Fire up your linux system.
- Modify /etc/ssl/openssl.conf and change/add the line "keyusage cRLSign,keyCertSign,nonRepudiation,digitalSignature,keyEncipherment". Openssl doesn't use keyusage internally but cryptlib is picky about this. I doubt all of the settings are required for SSH but this works for me. Note that there are several keyusage lines in the conf file. Modify them all if you are lazy (I did) ;)
- Create a private key and self signed cert with "openssl req -x509 -days 365 -newkey rsa: -nodes -keyout id_rsa.key -out id_rsa.crt".
- If you haven't already installed cryptlib, download cl332.zip, unzip with -a in the dir of your choice and run "make" and "make shared". Copy libcl.a and libcl.so.3.3.2 to your system library dir. Create symlink libcl.so.
- Download pemtrans from http://toroid.org/ams/pemtrans. Modify makefile to adapt paths for libraries and header files. "make".
- Run "pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass". id_rsa.p15 is the file you assign to PrivateKeyFile, label is the string assigned to PrivateKeyLabel and p15pass is assigned to KeyPassword. Note that KeyPassword (p15pass) has nothing to do with the pass phrase for the private key use. It is a password protection for access to the private key in the p15 file. Here we have created a private key without pass phrase (-nodes). The label is an identification for the private key since p15 files can contain multiple keys.
- Now we need to transfer the public key to the ssh server. First we need to extract it from our key file: "chmod 600 id_rsa.key" then "ssh-keygen -y -f id_rsa.key > id_rsa.pub". ssh-keygen refuses to use a key-file that has group or world read access, hence the chmod.
- Transfer to host identified by hostname: "ssh-copy-id -i id_rsa.pub hostname". Enter password for user at hostname when prompted. If local user name and remote user name are different use "ssh-copy-id -i id_rsa.pub remoteuser@hostname".
- Test your config with "ssh -i id_rsa.key hostname" or "ssh -i id_rsa.key remoteuser@hostname".

That's it.

Ludo

_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
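The three SSL fields from Ludo's reply, put together into a complete Synapse connect routine that uses the .p15 file produced by the pemtrans steps. This is an added example, not code from the thread or from Synapse itself; host, user, label and paths are placeholders, it assumes Synapse's tlntsend, blcksock and ssl_cryptlib units are on the unit path, and it leaves the account password blank on the assumption that the server accepts the key alone.

```pascal
program SshKeyLogin;
{ Added example: SSH login with Synapse + cryptlib using a PKCS#15 private key.
  All connection values below are placeholders, not from the original thread. }
{$mode objfpc}{$H+}

uses
  SysUtils, blcksock, ssl_cryptlib, tlntsend;

const
  SSH_HOST  = 'ssh.example.invalid';  // placeholder host
  SSH_PORT  = '22';
  SSH_USER  = 'remoteuser';           // placeholder remote account
  P15_FILE  = 'id_rsa.p15';   // output of: pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass
  P15_LABEL = 'label';        // key label passed to pemtrans
  P15_PASS  = 'p15pass';      // password protecting the key inside the .p15 file

var
  Tn: TTelnetSend;
begin
  Tn := TTelnetSend.Create;
  try
    Tn.TargetHost := SSH_HOST;
    Tn.TargetPort := SSH_PORT;
    Tn.UserName   := SSH_USER;
    Tn.Password   := '';   // assumption: key-only auth, no account password
    // The three fields that switch cryptlib to private key authentication.
    Tn.Sock.SSL.PrivateKeyFile := P15_FILE;
    TSSLCryptLib(Tn.Sock.SSL).PrivateKeyLabel := P15_LABEL;
    Tn.Sock.SSL.KeyPassword := P15_PASS;
    Tn.Timeout := 10000;

    // SSHLogin connects and runs the SSHv2 handshake through cryptlib.
    if not Tn.SSHLogin then
    begin
      // A key cryptlib rejects (e.g. wrong keyUsage) surfaces here as an
      // error code and description, which a packet capture alone won't show.
      WriteLn('SSH login failed: ', Tn.Sock.LastError, ' ', Tn.Sock.LastErrorDesc);
      Halt(1);
    end;
    WriteLn('Authenticated with private key as ', SSH_USER);

    Tn.Send('uname -a' + #10);   // simple command over the session channel
    Sleep(1000);
    WriteLn(Tn.Recv);            // whatever the remote shell returned
    Tn.Logout;
  finally
    Tn.Free;
  end;
end.
```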