Tcl
Tcl
SSH Authenticate using Smart Card Private Key
See more SSH Examples
Demonstrates how to use a private key stored on an HSM (smartcard or token) for SSH public-key authentication. (Public-key authentication means the client, which is your application, uses the private key, while the corresponding public key is installed on the server under your SSH account.)Note: This example requires Chilkat v9.5.0.96 or later.
Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.
set pkcs11 [new_CkPkcs11]
# Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
# For example:
CkPkcs11_put_SharedLibPath $pkcs11 "C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS11.dll"
# Use your HSM's PIN.
set pin "0000"
# Normal user = 1
set userType 1
# Establish a logged-on user session with the HSM.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
exit
}
# Provide a template to find a PKCS11 object.
set jsonTemplate [new_CkJsonObject]
# Find an RSA private key with the label "MySshKey".
# Here's an example of how the key was originally imported:
# PKCS11 Import SSH Key
CkJsonObject_UpdateString $jsonTemplate "class" "private_key"
CkJsonObject_UpdateString $jsonTemplate "key_type" "rsa"
CkJsonObject_UpdateString $jsonTemplate "label" "MySshKey"
set privKeyHandle [CkPkcs11_FindObject $pkcs11 $jsonTemplate]
if {$privKeyHandle == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
exit
}
# The private key handle is only valid during the PKCS11 session.
# If you wish to use the private key in another PKCS11 session,
# you'll first need to find it. See:
puts "private key handle: $privKeyHandle"
# We'll also need the PKCS11 public key handle
# Modify the template by updating the "class" to "public_key"
CkJsonObject_UpdateString $jsonTemplate "class" "public_key"
set pubKeyHandle [CkPkcs11_FindObject $pkcs11 $jsonTemplate]
if {$pubKeyHandle == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
exit
}
puts "public key handle: $pubKeyHandle"
# Create an empty SSH key object, and tell it to use the PKCS11 handles.
# We also need to indicate the key type.
set sshKey [new_CkSshKey]
set success [CkSshKey_UsePkcs11 $sshKey $pkcs11 $privKeyHandle $pubKeyHandle "rsa"]
if {$success == 0} then {
puts [CkSshKey_lastErrorText $sshKey]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
delete_CkSshKey $sshKey
exit
}
# Create an SSH object and authenticate using the SSH key, which will utilize the existing PKCS11 session.
set ssh [new_CkSsh]
set success [CkSsh_Connect $ssh "my-ssh-server.com" 22]
if {$success == 0} then {
puts [CkSsh_lastErrorText $ssh]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
delete_CkSshKey $sshKey
delete_CkSsh $ssh
exit
}
# This is where the PKCS11 private key on the smart card is used.
set success [CkSsh_AuthenticatePk $ssh "your_ssh_username" $sshKey]
if {$success == 0} then {
puts [CkSsh_lastErrorText $ssh]
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
delete_CkSshKey $sshKey
delete_CkSsh $ssh
exit
}
# Do whatever it is your app needs to do using the authenticated SSH session....
# ...
# ...
CkSsh_Disconnect $ssh
CkPkcs11_Logout $pkcs11
CkPkcs11_CloseSession $pkcs11
delete_CkPkcs11 $pkcs11
delete_CkJsonObject $jsonTemplate
delete_CkSshKey $sshKey
delete_CkSsh $ssh