Author Topic: Cannot connect via Synapse and SSH to a linux box  (Read 30158 times)

Pascal

« on: October 06, 2016, 02:10:37 pm »
Hello,

I used the source samples on http://wiki.lazarus.freepascal.org/Synapse to build a test prog
for connecting via SSH to a remote machine (using cryptlib 3.4.2 on Windows 10).

Code: Pascal
program TestSSHClient;

{Test program for telnetsshclient

Written by Reinier Olislagers 2011.
Modified for libssh2 by Alexey Suhinin 2012.

License of code:
* MIT
* LGPLv2 or later (with FreePascal static linking exception)
* GPLv2 or later
according to your choice.
Free use allowed but please don't sue or blame me.

Uses other libraries/components; different licenses may apply that also can influence the combined/compiled work.

Run: sshtest <serverIPorhostname> [PrivateKeyFile]
}
{$mode objfpc}{$H+}
{$APPTYPE CONSOLE}

uses
  telnetsshclient;
var
  comm: TTelnetSSHClient;
  Command: string;
begin
  writeln('Starting.');
  comm:=TTelnetSSHClient.Create;
  comm.HostName:= 'linuxmachine'; // ParamStr(1); //First argument on command line
  if comm.HostName='' then
  begin
    writeln('Please specify hostname on command line.');
    halt(1);
  end;

  comm.PrivateKeyFile := '';

  comm.TargetPort:=''; //auto determine based on protocoltype
  comm.UserName:='user'; //change to your situation
  comm.Password:='password'; //change to your situation
  comm.ProtocolType:=SSH; //Telnet or SSH
  writeln(comm.Connect); //Show result of connection
  if comm.Connected then
  begin
    writeln('Server: ' + comm.HostName + ':'+comm.TargetPort+', user: '+comm.UserName);
    writeln('Welcome message:');
    writeln(comm.WelcomeMessage);
    Command:='ls -al';
    writeln('*** Sending ' + Command);
    writeln('*** Begin result****');
    writeln(comm.CommandResult(Command));
    writeln('*** End result****');
    writeln('');
    writeln('');
    Command:='df -h';
    writeln('*** Sending ' + Command);
    writeln('*** Begin result****');
    writeln(comm.CommandResult(Command));
    writeln('*** End result****');
    writeln('');
    writeln('');
    writeln('All output:');
    writeln('*** Begin result****');
    writeln(comm.AllOutput);
    writeln('*** End result****');
    comm.Disconnect;
  end
  else
  begin
    writeln('Connection to ' +
      comm.HostName + ':' +
      comm.TargetPort + ' failed.');
  end;
  comm.Free;
end.

This works for AIX 7.1 but not for linux or ubuntu.

What am I doing wrong or missing?
laz trunk x64 - fpc trunk i386 (cross x64) - Windows 10 Pro x64 (21H2)

rvk

« Reply #1 on: October 06, 2016, 03:06:58 pm »
Did you remove the {$DEFINE LIBSSH2} in telnetsshclient.pas?

Otherwise you're not using the cryptlib 3.4.2  library and LIBSSH2.DLL will be used (which you didn't install but might be present on the AIX).

Code: Pascal
{$mode objfpc}{$H+}
{$DEFINE HAS_SSH_SUPPORT} //comment out if only telnet support required
{$DEFINE LIBSSH2} //while this is defined, ssl_libssh2 is used instead of ssl_cryptlib

interface

uses
  Classes, SysUtils,
  tlntsend
  {$IFDEF HAS_SSH_SUPPORT}
  {ssl - or actually ssh - libs required by tlntsend}
    {$IFDEF LIBSSH2}
      , ssl_libssh2
    {$ELSE}
      , ssl_cryptlib
    {$ENDIF}
  {$ENDIF HAS_SSH_SUPPORT}  ;
« Last Edit: October 06, 2016, 03:08:58 pm by rvk »

Pascal

« Reply #2 on: October 06, 2016, 03:24:24 pm »
Yes, libssh2 is disabled.

I couldn't find any suitable dll to use LIBSSH2! Otherwise I could have tested libssh2 as well.

rvk

« Reply #3 on: October 06, 2016, 04:33:16 pm »
Quote:
  This works for AIX 7.1 but not for linux or ubuntu.
And what is the problem?

(not working isn't really a good description)

Pascal

« Reply #4 on: October 06, 2016, 06:09:41 pm »
I cannot connect/login.

rvk

« Reply #5 on: October 06, 2016, 06:13:22 pm »
No errors?

Thaddy

« Reply #6 on: October 06, 2016, 06:17:03 pm »
The most likely cause (I know for a fact the example code used to work ad verbatim on linux) is that the certificate or the connection encryption is not correct or refused because of unsafe algorithms.
E.g. if the server is running an updated version of openssl (1.0.0g or 1.1) you can't use most of the algorithms that are deemed unsafe.
The connection will never take place. Not even a refusal, but dropped. Hence no errors.

E.g. SSLv2 won't work anymore, not even in the protocol fallback chain. RC4 won't work anymore, more hash related things are refused. You really need e.g. tls 1.2 and the max fallback is tls 1.1. This has a huge impact on SSH and SSH2.
See release notes at openssl.org for openssl v1.1.
In synapse there is a setting to always use the highest encryption possible. (Forgot the name) if you set that, everything will be OK, at least with openssl.
« Last Edit: October 06, 2016, 06:27:29 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.
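
The reply above attributes the silent drop to algorithms the two ends do not share. In SSH each side announces what it accepts in an SSH_MSG_KEXINIT message, so the mismatch can be read straight off the two offers. The following Python sketch is an added example, not code from this thread, Synapse, cryptlib or libssh2; it parses a KEXINIT payload and lists the categories with no common algorithm, and the two offers in it are constructed samples.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def offer(kex, host_key, enc, mac, comp):
    """Build an offer; the same list is used for both directions, no languages."""
    return dict(zip(FIELDS, [kex, host_key, enc, enc, mac, mac, comp, comp, [], []]))

def build_kexinit(lists):
    """Encode an offer as a KEXINIT payload (used here only to make sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)      # message type + 16-byte cookie
    for name in FIELDS:
        body = ",".join(lists[name]).encode("ascii")
        out += struct.pack(">I", len(body)) + body  # name-list: uint32 length + text
    return out + b"\x00" + struct.pack(">I", 0)     # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting anything truncated or of another type."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def negotiate(client, server):
    """First client preference the server also lists, per category (None if none).
    Simplified: the RFC's extra kex/host-key compatibility rules are not applied."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in FIELDS[:8]}

def no_overlap(client, server):
    return [f for f, alg in negotiate(client, server).items() if alg is None]

# Constructed sample offers (not taken from cryptlib, libssh2 or the thread's servers).
CLIENT = offer(["diffie-hellman-group1-sha1"], ["ssh-rsa", "ssh-dss"],
               ["3des-cbc", "aes128-cbc"], ["hmac-sha1", "hmac-md5"], ["none"])
SERVER = parse_kexinit(build_kexinit(offer(
    ["curve25519-sha256", "diffie-hellman-group14-sha256"], ["ssh-ed25519", "rsa-sha2-256"],
    ["aes128-ctr", "aes256-ctr"], ["hmac-sha2-256", "hmac-sha1"], ["none", "zlib@openssh.com"])))
print("no common algorithm for:", no_overlap(CLIENT, SERVER))
```

A single category without overlap is enough for the key exchange to fail, which a client library may surface only as a closed connection.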

Pascal

« Reply #7 on: October 06, 2016, 07:09:10 pm »
Quote:
  at least with openssl.
Okay, but where can I get the matching libssh2.dll?
Or is there a working sample program with source and dlls?

rvk

« Reply #8 on: October 06, 2016, 07:19:46 pm »
Quote:
  at least with openssl.
  Okay, but where can i get the matching libssh2.dll?
  Or is there a working sample program with source and dlls?
The libssh2.dll shouldn't be a problem to find. But you need the corresponding libssh2.pas with the bindings.

(Can't look myself at the moment)

Thaddy

« Reply #9 on: October 06, 2016, 07:49:51 pm »
Well, theoretically that should not be necessary because synapse will enumerate "unknowns" anyway and use them by priority.
There are some name clashes, though.
I'll see if I can come up with a quick fix and over the weekend something better.
The library is pretty easy to make yourself:
https://github.com/libssh2/libssh2

(I use cygwin on windows)

Note that this is not really an FPC or Lazarus or Synapse issue.
The issue is that openssl dropped support for unsafe code, so it can no longer be called.
« Last Edit: October 06, 2016, 08:18:01 pm by Thaddy »

Pascal

« Reply #10 on: October 07, 2016, 06:00:27 am »
Quote:
  I'll see if I can come up with a quick fix and over the weekend something better.

This will be great. I would really appreciate that.

Thaddy

« Reply #11 on: October 07, 2016, 09:49:50 am »
Can you give me the openssl version on the linux box?
Like typing this in a terminal:
Code:
openssl version
OpenSSL 1.0.1t  3 May 2016

Pascal

« Reply #12 on: October 07, 2016, 10:36:20 am »
box 1: suselinux02
Code:
OpenSSL 0.9.8j-fips 07 Jan 2009
Error: Error connecting to SSH server suselinux02:22 as user d197. Technical details: No data was read because the remote system closed the connection (recv() == 0)

box2: d197test
Code:
OpenSSL 0.9.8h 28 May 2008
Error: Error connecting to SSH server d197test:22 as user sg32. Technical details: Invalid PAM authentication request packet

Edit: I used the program from post 1.
« Last Edit: October 07, 2016, 10:43:01 am by Pascal »

Thaddy

« Reply #13 on: October 07, 2016, 12:18:27 pm »
These are really old. Please update these openssl versions first.
The most likely cause is, based on those error messages, that the certificate is not accepted.
That can be because of multiple issues. I would generate new certificates after I updated the openssl versions.

You *must* update openssl. These versions are highly insecure and very easy to hack.

Pascal

« Reply #14 on: October 07, 2016, 12:49:03 pm »
Quote:
  You *must* update openssl. These versions are highly insecure and very easy to hack.

Sorry, I can't. But never mind, these machines are not publicly available.