
SSH Authentication using X.509 Certificates


Demonstrates how to authenticate with an SSH/SFTP server using a certificate's private key.

Note: See X.509v3 Certificates for SSH Authentication for more information.


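# Authenticates to an SSH server with the private key stored in a .pfx (PKCS#12) file.
# Flow: connect -> load PFX -> export the private key as PEM -> build a CkSshKey
# -> CkSsh_AuthenticatePk.
# Every failure path writes the Chilkat error text to stderr, frees the objects
# created so far, and exits with a non-zero status so a calling script or job
# runner can tell that authentication did not happen.
load ./chilkat.dll

set success 0

# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set ssh [new_CkSsh]

set hostname "ssh.example.com"
set port 22
set success [CkSsh_Connect $ssh $hostname $port]
if {$success != 1} {
    puts stderr [CkSsh_lastErrorText $ssh]
    delete_CkSsh $ssh
    exit 1
}

# NOTE(review): nothing in this script checks the server's host key before
# credentials are offered, so a machine impersonating $hostname would not be
# noticed here. Chilkat's SSH object has a HostKeyFingerprint property that is
# populated after connecting; compare it with a fingerprint obtained
# out-of-band and abort on mismatch before authenticating.

# Load the cert + private key from a .pfx.
# Note: Chilkat provides methods for loading certs and private keys from many sources, including smart cards and USB tokens (HSM's)
# The PFX path and password are sample literals. In real use, supply the
# password at run time (prompt, environment, secret store) rather than keeping
# it in the script, and restrict read access to the .pfx file.
set cert [new_CkCert]

set success [CkCert_LoadPfxFile $cert "qa_data/pfx/example.pfx" "pfx_password"]
if {$success != 1} {
    puts stderr [CkCert_lastErrorText $cert]
    delete_CkSsh $ssh
    delete_CkCert $cert
    exit 1
}

# Get the cert's private key (as PEM) to be used for SSH authentication.
# (The public key is installed on the server.)
# The PEM is handed to CkSshKey below without a passphrase, so treat
# $privKeyPem as a secret: do not print, log, or write it to disk.
set privKeyPem [CkCert_getPrivateKeyPem $cert]
if {[CkCert_get_LastMethodSuccess $cert] == 0} {
    puts stderr [CkCert_lastErrorText $cert]
    delete_CkSsh $ssh
    delete_CkCert $cert
    exit 1
}

set key [new_CkSshKey]

# Load a private key from a PEM string:
set success [CkSshKey_FromOpenSshPrivateKey $key $privKeyPem]
if {$success != 1} {
    puts stderr [CkSshKey_lastErrorText $key]
    delete_CkSsh $ssh
    delete_CkCert $cert
    delete_CkSshKey $key
    exit 1
}

# Authenticate with the SSH server.
# Only the key pair taken from the certificate is passed to CkSsh here; the
# certificate object itself is not. As written, this is ordinary public-key
# authentication, so certificate expiry or revocation plays no part in whether
# this login succeeds.
set success [CkSsh_AuthenticatePk $ssh "myLogin" $key]
if {$success != 1} {
    puts stderr [CkSsh_lastErrorText $ssh]
    delete_CkSsh $ssh
    delete_CkCert $cert
    delete_CkSshKey $key
    exit 1
}

puts "Public-Key Authentication Successful!"

delete_CkSsh $ssh
delete_CkCert $cert
delete_CkSshKey $key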