Tcl
Tcl
SSH HSM Public Key Authentication
See more uncategorized Examples
Demonstrates how to authenticate with an SSH server using public key authentication using an HSM (USB token or smartcard).Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, MacOs, and other supported operating systems.
set pkcs11 [new_CkPkcs11]
# This would be a path to a .dylib on MacOS, or a path to a .so shared lib on Linux.
CkPkcs11_put_SharedLibPath $pkcs11 "C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll"
set pin "0000"
set userType 1
# Establish a PKCS11 logged-on session using the driver (.so, .dylib, or .dll) as specified in the SharedLibPath above.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
exit
}
# Set PKCS11 attributes to find our desired private key object.
set json [new_CkJsonObject]
CkJsonObject_UpdateString $json "class" "private_key"
CkJsonObject_UpdateString $json "label" "MySshKey"
# Get the PKCS11 handle to the private key located on the HSM.
set priv_handle [CkPkcs11_FindObject $pkcs11 $json]
# Get the PKCS11 handle to the corresponding public key located on the HSM.
CkJsonObject_UpdateString $json "class" "public_key"
set pub_handle [CkPkcs11_FindObject $pkcs11 $json]
set key [new_CkSshKey]
# The key type can be "rsa" or "ec"
set keyType "rsa"
set success [CkSshKey_UsePkcs11 $key $pkcs11 $priv_handle $pub_handle $keyType]
if {$success == 0} then {
puts [CkSshKey_lastErrorText $key]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $json
delete_CkSshKey $key
exit
}
set ssh [new_CkSsh]
set success [CkSsh_Connect $ssh "example.com" 22]
if {$success != 1} then {
puts [CkSsh_lastErrorText $ssh]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $json
delete_CkSshKey $key
delete_CkSsh $ssh
exit
}
# Authenticate with the SSH server using the login and
# HSM private key. (The corresponding public key should've
# been installed on the SSH server beforehand.)
set success [CkSsh_AuthenticatePk $ssh "myLogin" $key]
if {$success != 1} then {
puts [CkSsh_lastErrorText $ssh]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $json
delete_CkSshKey $key
delete_CkSsh $ssh
exit
}
puts "Public-Key Authentication Successful!"
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $json
delete_CkSshKey $key
delete_CkSsh $ssh