[fpc-pascal] Re: RE : Synapse: SSH client+cryptlib+private key
On 4-2-2012 7:34, Ludo Brands wrote:
>> I've been fiddling with connecting to an SSH server.
>>
>> Thanks to Ludo Brands' help I can use username/password with Synapse (stable)+cryptlib. I'm fiddling and trying to get private key authentication to work.
>> Thanks,
>> Reinier
>>
> After some "fiddling" I finally got it working. There are some more fields needed for private key authorization:
>
> FTelnetSend.Sock.SSL.PrivateKeyFile:='path to pkcs#15 formatted key file';
> TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel:='the label that identifies the private key in the key file';
> FTelnetSend.Sock.SSL.KeyPassword:='the passphrase for the key file';
>
> The first line is the most difficult to sort out. Neither ssh-keygen nor openssl supports pkcs#15. The pkcs#15 format is used in crypto cards but almost never in files. A little howto (perhaps there are shorter routes but I haven't found one):
> -Fire up your linux system
> That's it.
>
> Ludo

Quite some fiddling! Thanks a million.

Looking over your instructions it seems it's mostly a matter of converting keys, and fortunately the server only needs to accept the final key...

I'll give it a go & report back

Thanks again,
Reinier

___
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
Re: RE : [fpc-pascal] Synapse: SSH client+cryptlib+private key
Hello,

I suspect more or less the same can be used to set up a HTTPS connection with a known certificate?

Maybe this is something to be added to the WIKI?

Michael.

On Sat, 4 Feb 2012, Ludo Brands wrote:
> > Hi all,
> >
> > I've been fiddling with connecting to an SSH server.
> >
> > Thanks to Ludo Brands' help I can use username/password with Synapse (stable)+cryptlib. I'm fiddling and trying to get private key authentication to work.
> >
> > While this compiles and runs, Ethereal shows SSH traffic just stops.. (on a host that requires private key auth).
> >
> > What am I doing wrong (and/or is this even possible - Synapse docs don't seem to indicate yes or no).
> >
> > Thanks,
> > Reinier
>
> After some "fiddling" I finally got it working. There are some more fields needed for private key authorization:
>
> FTelnetSend.Sock.SSL.PrivateKeyFile:='path to pkcs#15 formatted key file';
> TSSLCryptLib(FTelnetSend.Sock.SSL).PrivateKeyLabel:='the label that identifies the private key in the key file';
> FTelnetSend.Sock.SSL.KeyPassword:='the passphrase for the key file';
>
> The first line is the most difficult to sort out. Neither ssh-keygen nor openssl supports pkcs#15. The pkcs#15 format is used in crypto cards but almost never in files. A little howto (perhaps there are shorter routes but I haven't found one):
>
> -Fire up your linux system
> -Modify /etc/ssl/openssl.conf and change/add the line "keyusage cRLSign,keyCertSign,nonRepudiation,digitalSignature,keyEncipherment". Openssl doesn't use keyusage internally but cryptlib is picky about this. I doubt all of the settings are required for SSH but this works for me. Note that there are several keyusage lines in the conf file. Modify them all if you are lazy (I did) ;)
> -Create a private key and self signed cert with "openssl req -x509 -days 365 -newkey rsa: -nodes -keyout id_rsa.key -out id_rsa.crt"
> -If you haven't already installed cryptlib, download cl332.zip, unzip with -a in the dir of your choice and run "make" and "make shared". Copy libcl.a and libcl.so.3.3.2 to your system library dir. Create symlink libcl.so.
> -Download pemtrans from http://toroid.org/ams/pemtrans. Modify makefile to adapt paths for libraries and header files. "make"
> -run "pemtrans id_rsa.key id_rsa.crt id_rsa.p15 label p15pass". id_rsa.p15 is the file you assign to PrivateKeyFile, label is the string assigned to PrivateKeyLabel and p15pass is assigned to KeyPassword. Note that KeyPassword (p15pass) has nothing to do with the pass phrase for the private key use. It is a password protection for access to the private key in the p15 file. Here we have created a private key without pass phrase (-nodes). The label is an identification for the private key since p15 files can contain multiple keys.
> -now we need to transfer the public key to the ssh server. First we need to extract it from our key file: "chmod 600 id_rsa.key" then "ssh-keygen -y -f id_rsa.key > id_rsa.pub". ssh-keygen refuses to use a key-file that has group or world read access, hence the chmod.
> -transfer to host identified by hostname: "ssh-copy-id -i id_rsa.pub hostname". Enter password for user at hostname when prompted. If local user name and remote user name are different use "ssh-copy-id -i id_rsa.pub remoteuser@hostname"
> -test your config with "ssh -i id_rsa.key hostname" or "ssh -i id_rsa.key remoteuser@hostname"
>
> That's it.
>
> Ludo
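To show how the three fields from Ludo's howto fit into a complete Synapse login, here is an added Free Pascal example; it is not code from the thread or from the Synapse project. The host, port, user, key path, key label and PKCS#15 password are placeholders, the remote shell prompt (`'$ '`) is an assumption, and the permission check mirrors the ssh-keygen behaviour Ludo mentions (a key file readable by group or others is refused). It uses BaseUnix, so it is Linux-only like the howto itself.

```pascal
program sshkeylogin;
{$mode objfpc}{$H+}

uses
  SysUtils, BaseUnix, tlntsend, ssl_cryptlib;

// Placeholder settings (assumption): replace with your own host and key data.
const
  Host     = 'ssh.example.invalid';
  Port     = '22';
  User     = 'remoteuser';
  KeyFile  = '/home/user/.ssh/id_rsa.p15';  // id_rsa.p15 written by pemtrans
  KeyLabel = 'label';                       // label argument given to pemtrans
  KeyPass  = 'p15pass';                     // p15 file password given to pemtrans
  Prompt   = '$ ';                          // assumed remote shell prompt

// Refuse a key file with group or world access, as ssh-keygen does.
function KeyFileIsPrivate(const FileName: string): Boolean;
var
  st: Stat;
begin
  Result := (fpStat(FileName, st) = 0) and
            ((st.st_mode and (S_IRWXG or S_IRWXO)) = 0);
end;

// Log in with the PKCS#15 private key, run one command, return the session log.
function RunRemoteCommand(const Cmd: string; out Output: string): Boolean;
var
  T: TTelnetSend;
begin
  Result := False;
  Output := '';
  if not KeyFileIsPrivate(KeyFile) then
  begin
    WriteLn('refusing key file with group/world access: ', KeyFile);
    Exit;
  end;
  T := TTelnetSend.Create;
  try
    T.TargetHost := Host;
    T.TargetPort := Port;
    T.UserName := User;
    T.Timeout := 10000;
    // The three fields from the thread: PrivateKeyFile and KeyPassword are on
    // the generic SSL object, PrivateKeyLabel only on the cryptlib plugin class.
    T.Sock.SSL.PrivateKeyFile := KeyFile;
    T.Sock.SSL.KeyPassword := KeyPass;
    TSSLCryptLib(T.Sock.SSL).PrivateKeyLabel := KeyLabel;
    if not T.SSHLogin then
    begin
      WriteLn('SSH login failed: ', T.Sock.LastError, ' ', T.Sock.LastErrorDesc);
      Exit;
    end;
    T.Send(Cmd + #10);
    if T.WaitFor(Prompt) then
      Output := T.SessionLog;
    T.Logout;
    Result := True;
  finally
    T.Free;
  end;
end;

var
  Res: string;
begin
  if RunRemoteCommand('id', Res) then
    Write(Res);
end.
```

The example does not check the server's host key; the thread does not cover how the cryptlib plugin exposes it, so treat that as a separate step before relying on the session.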
Re: [fpc-pascal] lNet and TCP packet length
2012/2/1 Malcolm Poole :
> Before I set out to implement the procedures to do this myself, can someone
> reassure me that this needs to be done and that I am not re-inventing the
> wheel?

The TCP protocol will transparently split the data into the packets of needed size without user intervention, so the sending side is probably already ok.

But on the receiving side (at least with lNet) you will get a separate event for each received packet and have to combine them again, so you need to implement something on top of lNet to buffer and combine the received chunks of data and only process it when one of your protocol messages is complete. You need a robust way to determine how long your protocol message is, at which byte exactly it ends and the next message begins.
Re: [fpc-pascal] lNet and TCP packet length
2012/2/4 Bernd :
> You need a robust way to determine how long your
> protocol message is, at which byte exactly it ends and the next
> message begins.

The simplest way would probably be if you prepend all your messages with a length field and a checksum field to be sent as the very first bytes of each of your custom protocol messages (also take care of endianness and exactly specify this in your protocol description).

Then you can either read as many bytes as are available on the stream (if it is less than still needed) or read only as many bytes as are still missing (if equal or more are available), leave the rest of the data in the stream, process the message and trigger the read event again to read what can only be the beginning of the next message.

You can also use lNet in blocking mode (which can sometimes make things easier) simply by specifying a timeout value for the socket. Then you can just have a thread looping and trying to read indefinitely, counting received bytes and let it generate your own events on completion of a message instead of using the lNet events which fire on every TCP packet.
RE : RE : [fpc-pascal] Synapse: SSH client+cryptlib+private key
> Hello,
>
> I suspect more or less the same can be used to set up a HTTPS connection
> with a known certificate?
>
> Maybe this is something to be added to the WIKI?
>
> Michael.

You mean client authentication (the HTTPS server has a list of public keys of the authorised users)? When using cryptlib you'll have a similar pk conversion problem. It should be much easier to set up with OpenSSL which has support for ssl client authentication and looking at the synapse code it is supporting it also. Use Sock.SSL.PrivateKeyFile for the private key file (pem or asn1 format, only first key used while cryptlib uses the additional label to select from multiple keys) and Sock.SSL.KeyPassWord for the password used to encrypt the private key.

For SSH the main difficulty is that only synapse+cryptlib supports SSH and synapse has taken a shortcut in using only private keys from file which, in cryptlib, is restricted to pkcs15 or pgp keyring.

Ludo
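Putting Ludo's OpenSSL answer and Michael's "known certificate" question together, the following Free Pascal program is an added example, not code from the thread or from Synapse. It presents a client certificate and key through the fields Ludo names (PrivateKeyFile, KeyPassword, plus CertificateFile for the certificate itself) and, with VerifyCert and CertCAFile, requires the server's certificate to verify against a file holding the known certificate or CA. The URL, file names and password are placeholders.

```pascal
program httpsclientauth;
{$mode objfpc}{$H+}

uses
  SysUtils, Classes, httpsend, ssl_openssl;

// Placeholder values (assumption): substitute your own URL and PEM files.
const
  URL        = 'https://api.example.invalid/status';
  ClientCert = 'client.crt';    // PEM certificate presented to the server
  ClientKey  = 'client.key';    // PEM private key; only the first key in the file is used
  KeyPass    = 'changeit';      // password the key file was encrypted with
  KnownCA    = 'server-ca.pem'; // known certificate (or CA) the server must chain to

// Perform one GET with client authentication and server verification.
function FetchWithClientCert(out Body: string; out StatusCode: Integer): Boolean;
var
  H: THTTPSend;
begin
  Result := False;
  Body := '';
  StatusCode := 0;
  H := THTTPSend.Create;
  try
    // Client side: certificate and key offered when the server requests them.
    H.Sock.SSL.CertificateFile := ClientCert;
    H.Sock.SSL.PrivateKeyFile := ClientKey;
    H.Sock.SSL.KeyPassword := KeyPass;
    // Server side: the handshake fails unless the peer chains to KnownCA.
    H.Sock.SSL.VerifyCert := True;
    H.Sock.SSL.CertCAFile := KnownCA;
    if not H.HTTPMethod('GET', URL) then
    begin
      WriteLn('request failed: ', H.Sock.LastErrorDesc, ' / ', H.Sock.SSL.LastErrorDesc);
      Exit;
    end;
    StatusCode := H.ResultCode;
    SetLength(Body, H.Document.Size);
    if H.Document.Size > 0 then
    begin
      H.Document.Position := 0;
      H.Document.ReadBuffer(Body[1], H.Document.Size);
    end;
    Result := True;
  finally
    H.Free;
  end;
end;

var
  Body: string;
  Code: Integer;
begin
  if FetchWithClientCert(Body, Code) then
    WriteLn('HTTP ', Code, ', ', Length(Body), ' bytes')
  else
    WriteLn('no response');
end.
```

VerifyCert gives chain verification against CertCAFile; whether the name in the certificate matches the host you connected to is a separate check that this example does not perform, so keep KnownCA to the specific server certificate when that is what "known certificate" means for you.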
[fpc-pascal] fpc 2.6 32 & 64bit difference
Hello guys,

What has been changed in 2.6 in enumeration size? I have many enumerated types where it is enough to use a single byte. The 32bit lnx compiler uses a single byte but the 64 bit lnx one uses a double byte in memory.

Thanks for all answers.

TRoland;
Re: [fpc-pascal] lNet and TCP packet length
On 04/02/12 14:14, Bernd wrote:
> 2012/2/4 Bernd:
> > You need a robust way to determine how long your protocol message is, at which byte exactly it ends and the next message begins.
>
> The simplest way would probably be if you prepend all your messages with a length field and a checksum field to be sent as the very first bytes of each of your custom protocol messages (also take care of endianness and exactly specify this in your protocol description).
>
> Then you can either read as many bytes as are available on the stream (if it is less than still needed) or read only as many bytes as are still missing (if equal or more are available), leave the rest of the data in the stream, process the message and trigger the read event again to read what can only be the beginning of the next message.
>
> You can also use lNet in blocking mode (which can sometimes make things easier) simply by specifying a timeout value for the socket. Then you can just have a thread looping and trying to read indefinitely, counting received bytes and let it generate your own events on completion of a message instead of using the lNet events which fire on every TCP packet.

Many thanks Bernd, for your very helpful reply. The messages already start with a header record, which includes the length, so I'll add a checksum field to that and work along the lines you suggest.
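The reassembly Bernd describes in this thread (length and checksum first, buffer what arrives per event, emit a message only when it is complete, keep the remainder for the next one), as an added Free Pascal example that is not code from the thread or from lNet. The wire format is an assumption: a 4-byte big-endian payload length, a 4-byte big-endian Adler-32 checksum over the payload, then the payload. The program is self-contained; `Feed` is what you would call from an lNet OnReceive handler or from a blocking read loop, and the sample input is constructed in the program.

```pascal
program framing;
{$mode objfpc}{$H+}

uses
  SysUtils;

const
  HeaderSize = 8;          // 4 bytes length + 4 bytes checksum, both big-endian
  MaxPayload = 1 shl 20;   // reject absurd lengths before allocating for them

type
  TMessageHandler = procedure(const Payload: TBytes);

  // Collects arbitrary TCP chunks and hands out complete, checksum-verified messages.
  TFrameAssembler = class
  private
    FBuffer: TBytes;       // bytes received but not yet consumed
    FUsed: Integer;
    FHandler: TMessageHandler;
    FDropped: Integer;     // frames whose checksum did not match
    function ReadU32BE(Offset: Integer): LongWord;
  public
    constructor Create(AHandler: TMessageHandler);
    procedure Feed(const Chunk; Len: Integer);
    property Dropped: Integer read FDropped;
  end;

// Adler-32 over the payload; the checksum field carried in the header.
function Adler32(const Data: TBytes): LongWord;
var
  a, b: LongWord;
  i: Integer;
begin
  a := 1; b := 0;
  for i := 0 to High(Data) do
  begin
    a := (a + Data[i]) mod 65521;
    b := (b + a) mod 65521;
  end;
  Result := (b shl 16) or a;
end;

// Sender side: header in network byte order, then the payload.
function EncodeFrame(const Payload: TBytes): TBytes;
var
  n, c: LongWord;
begin
  n := Length(Payload);
  c := Adler32(Payload);
  SetLength(Result, HeaderSize + n);
  Result[0] := Byte(n shr 24); Result[1] := Byte(n shr 16);
  Result[2] := Byte(n shr 8);  Result[3] := Byte(n);
  Result[4] := Byte(c shr 24); Result[5] := Byte(c shr 16);
  Result[6] := Byte(c shr 8);  Result[7] := Byte(c);
  if n > 0 then Move(Payload[0], Result[HeaderSize], n);
end;

function StrToBytes(const s: string): TBytes;
begin
  SetLength(Result, Length(s));
  if s <> '' then Move(s[1], Result[0], Length(s));
end;

constructor TFrameAssembler.Create(AHandler: TMessageHandler);
begin
  inherited Create;
  FHandler := AHandler;
  FUsed := 0;
  FDropped := 0;
end;

function TFrameAssembler.ReadU32BE(Offset: Integer): LongWord;
begin
  Result := (LongWord(FBuffer[Offset]) shl 24) or (LongWord(FBuffer[Offset + 1]) shl 16)
         or (LongWord(FBuffer[Offset + 2]) shl 8) or LongWord(FBuffer[Offset + 3]);
end;

// Called once per received chunk, however TCP split the stream.
procedure TFrameAssembler.Feed(const Chunk; Len: Integer);
var
  n: LongWord;
  Payload: TBytes;
begin
  if Len <= 0 then Exit;
  if FUsed + Len > Length(FBuffer) then SetLength(FBuffer, FUsed + Len);
  Move(Chunk, FBuffer[FUsed], Len);
  Inc(FUsed, Len);
  // One chunk may hold the tail of one message and the start of the next, so loop.
  while FUsed >= HeaderSize do
  begin
    n := ReadU32BE(0);
    if n > MaxPayload then
      raise Exception.CreateFmt('frame length %d exceeds limit; closing connection', [n]);
    if FUsed < HeaderSize + Integer(n) then Break;   // incomplete: wait for more bytes
    SetLength(Payload, n);
    if n > 0 then Move(FBuffer[HeaderSize], Payload[0], n);
    if Adler32(Payload) = ReadU32BE(4) then
      FHandler(Payload)
    else
      Inc(FDropped);
    // Keep whatever follows; it can only be the beginning of the next message.
    Dec(FUsed, HeaderSize + Integer(n));
    if FUsed > 0 then Move(FBuffer[HeaderSize + Integer(n)], FBuffer[0], FUsed);
  end;
end;

procedure PrintMessage(const Payload: TBytes);
var
  s: string;
begin
  s := '';
  if Length(Payload) > 0 then SetString(s, PAnsiChar(@Payload[0]), Length(Payload));
  WriteLn('message: ', s);
end;

var
  A: TFrameAssembler;
  Wire, F: TBytes;
  i: Integer;
begin
  // Constructed sample input: two frames back to back, as they would be on the wire.
  Wire := EncodeFrame(StrToBytes('first message'));
  F := EncodeFrame(StrToBytes('second'));
  i := Length(Wire);
  SetLength(Wire, i + Length(F));
  Move(F[0], Wire[i], Length(F));
  A := TFrameAssembler.Create(@PrintMessage);
  try
    // Deliver in three uneven chunks to imitate TCP segmentation (5 + 10 + rest).
    A.Feed(Wire[0], 5);
    A.Feed(Wire[5], 10);
    A.Feed(Wire[15], Length(Wire) - 15);
    WriteLn('frames dropped for bad checksum: ', A.Dropped);
  finally
    A.Free;
  end;
end.
```

Both messages are printed although neither chunk boundary lines up with a frame boundary. The length check against MaxPayload runs before any allocation, so a corrupted or hostile header cannot make the receiver reserve gigabytes; raising there is the point at which a real server would drop the connection.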
Re: [fpc-pascal] TStringStream.DataString returns garbage?
it seems

http://docwiki.embarcadero.com/VCL/XE2/en/Classes.TStringStream.WriteString

in delphi the WriteString() function accepts a strongly typed string.

This might be a compatibility problem in delphi mode since in fpc, writestring accepts an untyped pointer if i am not mistaken. Different behaviors, right?

A strongly typed string parameter wouldn't send in the length of the string AFAIK, it would just send the string contents. so if someone was porting code from delphi, wouldn't this produce different behavior in fpc?
Re: [fpc-pascal] TStringStream.DataString returns garbage?
Lars wrote:
> it seems
>
> http://docwiki.embarcadero.com/VCL/XE2/en/Classes.TStringStream.WriteString
>
> in delphi the WriteString() function accepts a strongly typed string.
>
> This might be a compatibility problem in delphi mode since in fpc,
> writestring accepts an untyped pointer if i am not mistaken.

Actually I think there is just a problem with the FPDOC system:

http://www.freepascal.org/docs-html/rtl/classes/tstringstream.writestring.html

Says:

public procedure TStringStream.WriteString( const AString: );

I thought const AString was untyped due to that doc page, not the fpc sources.

Shouldn't the docs generate a page that says: const astring: string; i.e.

public procedure TStringStream.WriteString( const AString: string );