(Tcl) SSH Authenticate using Smart Card Private Key

See more SSH Examples

Demonstrates how to use a private key stored on an HSM (smartcard or token) for SSH public-key authentication. (Public-key authentication means the client, which is your application, uses the private key, while the corresponding public key is installed on the server under your SSH account.)

Note: This example requires Chilkat v9.5.0.96 or later.

Chilkat Tcl Extension Downloads Chilkat Tcl Extension Downloads

load ./chilkat.dll

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

set pkcs11 [new_CkPkcs11]

# Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
# For example:
CkPkcs11_put_SharedLibPath $pkcs11 "C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS11.dll"

# Use your HSM's PIN.
set pin "0000"

# Normal user = 1
set userType 1

# Establish a logged-on user session with the HSM.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    delete_CkPkcs11 $pkcs11
    exit
}

# Provide a template to find a PKCS11 object.
set jsonTemplate [new_CkJsonObject]

# Find an RSA private key with the label "MySshKey".
# Here's an example of how the key was originally imported: 
# PKCS11 Import SSH Key
CkJsonObject_UpdateString $jsonTemplate "class" "private_key"
CkJsonObject_UpdateString $jsonTemplate "key_type" "rsa"
CkJsonObject_UpdateString $jsonTemplate "label" "MySshKey"

set privKeyHandle [CkPkcs11_FindObject $pkcs11 $jsonTemplate]
if {$privKeyHandle == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkJsonObject $jsonTemplate
    exit
}

# The private key handle is only valid during the PKCS11 session.
# If you wish to use the private key in another PKCS11 session,
# you'll first need to find it.  See:  
puts "private key handle: $privKeyHandle"

# We'll also need the PKCS11 public key handle
# Modify the template by updating the "class" to "public_key"
CkJsonObject_UpdateString $jsonTemplate "class" "public_key"

set pubKeyHandle [CkPkcs11_FindObject $pkcs11 $jsonTemplate]
if {$pubKeyHandle == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkJsonObject $jsonTemplate
    exit
}

puts "public key handle: $pubKeyHandle"

# Create an empty SSH key object, and tell it to use the PKCS11 handles.
# We also need to indicate the key type.
set sshKey [new_CkSshKey]

set success [CkSshKey_UsePkcs11 $sshKey $pkcs11 $privKeyHandle $pubKeyHandle "rsa"]
if {$success == 0} then {
    puts [CkSshKey_lastErrorText $sshKey]
    delete_CkPkcs11 $pkcs11
    delete_CkJsonObject $jsonTemplate
    delete_CkSshKey $sshKey
    exit
}

# Create an SSH object and authenticate using the SSH key, which will utilize the existing PKCS11 session.
set ssh [new_CkSsh]

set success [CkSsh_Connect $ssh "my-ssh-server.com" 22]
if {$success == 0} then {
    puts [CkSsh_lastErrorText $ssh]
    delete_CkPkcs11 $pkcs11
    delete_CkJsonObject $jsonTemplate
    delete_CkSshKey $sshKey
    delete_CkSsh $ssh
    exit
}

# This is where the PKCS11 private key on the smart card is used.
set success [CkSsh_AuthenticatePk $ssh "your_ssh_username" $sshKey]
if {$success == 0} then {
    puts [CkSsh_lastErrorText $ssh]
    delete_CkPkcs11 $pkcs11
    delete_CkJsonObject $jsonTemplate
    delete_CkSshKey $sshKey
    delete_CkSsh $ssh
    exit
}

# Do whatever it is your app needs to do using the authenticated SSH session....
# ...
# ...

CkSsh_Disconnect $ssh

CkPkcs11_Logout $pkcs11
CkPkcs11_CloseSession $pkcs11

delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
delete_CkSshKey $sshKey
delete_CkSsh $ssh