
Author Topic: [SOLVED] Stuck using Synapse tlntsend as SSH client  (Read 12382 times)

BigChimp

[SOLVED] Stuck using Synapse tlntsend as SSH client
« on: November 21, 2011, 05:40:40 pm »
Hi all,

I'm trying to send some commands to an SSH server and parse the results.

I've tried using Synapse tlntsend, together with the cryptlib dll and synapse support files under Windows.
However, it doesn't work: I can't get a connection and the auth.log on the server says "Bad protocol version identification '' from <source ip address>"; I also sometimes get "Did not receive identification string from <source ip address>", depending on how much I fiddle with the parameters.

(My version is very much like Leonardo Ramé's example at
http://leonardorame.blogspot.com/2010/01/synapse-based-ssh-client.html
which also doesn't work)

Would it be better (is it possible) to use the openssl dll?

Would some kind soul have a look and tell
The source files including cryptlib DLL for Windows, can be downloaded at
http://dl.dropbox.com/u/20995033/FreePascalCryptlibSynapseSSHClient.zip
See SSHTest.lpr, which will compile to a simple test program that runs "ls" on the server.... but doesn't  :D
« Last Edit: November 22, 2011, 08:00:00 am by BigChimp »
Want quicker answers to your questions? Read http://wiki.lazarus.freepascal.org/Lazarus_Faq#What_is_the_correct_way_to_ask_questions_in_the_forum.3F

Open source including papertiger OCR/PDF scanning:
https://bitbucket.org/reiniero

Lazarus trunk+FPC trunk x86, Windows x64 unless otherwise specified
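
The two auth.log messages quoted in the post above correspond to the SSH identification-string exchange (RFC 4253, section 4.2). The following is an added example, not code from this thread or from sshd: a simplified model of the server-side check, showing which first bytes from a client produce which message. The peer address, the sample inputs and the "OK"/"Unsupported" strings are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF. softwareversion is printable US-ASCII
# without space or '-'.
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")
MAX_IDENT_LEN = 255


def classify_client_hello(first_bytes: bytes, peer: str = "192.0.2.10") -> str:
    """Model the log line a server would write for a client's first bytes."""
    if b"\n" not in first_bytes:
        # TCP connection was made, but no complete line ever arrived:
        # the client's SSH layer never started talking.
        return f"Did not receive identification string from {peer}"

    line = first_bytes.split(b"\n", 1)[0]
    too_long = len(line) + 1 > MAX_IDENT_LEN
    line = line.rstrip(b"\r")
    match = IDENT_RE.match(line)

    if too_long or match is None:
        # A line arrived, but it is not an SSH identification string.
        shown = line[:100].decode("ascii", "replace")
        return f"Bad protocol version identification '{shown}' from {peer}"

    version = match.group(1).decode()
    if version != "2.0":
        return f"Unsupported protocol version {version} from {peer}"
    return f"OK: SSH-2.0 client '{match.group(2).decode()}'"


# Constructed sample inputs: what a client might send first.
SAMPLES = [
    b"",                                          # connected, sent nothing
    b"\r\n",                                      # bare empty line
    b"GET / HTTP/1.0\r\n\r\n",                    # wrong protocol on port 22
    b"SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3\r\n", # well-formed banner
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", classify_client_hello(sample))
```

Both messages from the post are produced before any key exchange or authentication takes place, so they point at the client never sending a valid banner rather than at a wrong username, password or key.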

ludob

Re: Stuck using Synapse tlntsend as SSH client
« Reply #1 on: November 21, 2011, 05:45:16 pm »
Quote
Would it be better (is it possible) to use the openssl dll?
openssl doesn't support SSH. Synapse only supports SSH with Cryptlib.

mica

« Last Edit: November 21, 2011, 06:04:41 pm by mica »

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #3 on: November 21, 2011, 06:07:40 pm »
Thanks mica, I've used Leonardo's example as well (see original post) and it doesn't work. And you & Ludo are right: cryptlib is probably my only choice  :D

ludob

Re: Stuck using Synapse tlntsend as SSH client
« Reply #4 on: November 21, 2011, 06:11:41 pm »
Cryptlib dll and cryptlib bindings have to be at the same release level. cl32 is version 3.4 while cryptlib.pas are the bindings for 3.3. Cryptlib isn't binary compatible between versions.
I see you use a recent version of ssl_cryptlib that contains my patch in the initialization routine that compares the dll version with the bindings version. In earlier versions a mismatch would just crash your program somewhere or fail in some very weird ways ;)
Now in your telnet code you are not checking the error messages since you should be getting a
  SSL.LastError := -1;
  SSL.LastErrorDesc := 'SSL/TLS support is not compiled!';
when connecting.

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #5 on: November 21, 2011, 06:23:05 pm »
 :D

Thanks a million, again, Ludo. Who'd have thought: DLL hell even in open source implementations. You wouldn't happen to have a compiled 3.3 cryptlib dll or a 3.4 ssl_cryptlib.pas lying around, would you?  :D (I even read the readme for 3.4, "small changes..." blah....)

Ok, hadn't known about the error messages. Seems (to me anyway) that they should bubble up via the synapse telnet/ssh client library, but now that I know what's going on I can check myself.
It works (the error handling, that is ;) ):

Code:
procedure TTelnetSSHClient.Connect;
...
      if FTelnetSend.SSHLogin then
        FConnected := True;
      case FTelnetSend.Sock.SSL.LastError of
       -1:
       begin
         FConnected:=false;
         raise Exception.Create('Cannot find cryptlib library or invalid version.');
       end;
       0: begin end;//everything hunky-dory.
       else begin end; //unknown error, let's continue for now.;
      end;

ludob

Re: Stuck using Synapse tlntsend as SSH client
« Reply #6 on: November 21, 2011, 06:42:05 pm »
I uploaded 3.3.3 here: http://dl.free.fr/izHgBttba Click on "Télécharger ce fichier"

BTW in unit telnetsshclient, you can't include both ssl_openssl and ssl_cryptlib. They override the same TCustomSSL virtual methods.

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #7 on: November 21, 2011, 06:55:54 pm »
Quote
I uploaded 3.3.3 here: http://dl.free.fr/izHgBttba Click on "Télécharger ce fichier"
Thanks a lot, Ludo.

Quote
BTW in unit telnetsshclient, you can't include both ssl_openssl and ssl_cryptlib. They override the same TCustomSSL virtual methods.
And thanks again, I'll get rid of it... I went crazy copy & pasting after a while...

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #8 on: November 21, 2011, 07:39:49 pm »
Mmmm.. replaced library with 3.3.3 version, removed openssl unit references; still an error "Did not receive identification string from <ip address>"

Updated files at:
http://dl.dropbox.com/u/20995033/FreePascalCryptlibSynapseSSHClient.zip

What am I still doing wrong?

ludob

Re: Stuck using Synapse tlntsend as SSH client
« Reply #9 on: November 21, 2011, 08:32:01 pm »
Change in sshtest.pas line 32 to
Code:
comm.PrivateKey:='';
because in telnetsshclient line 107 the password is left blank when PrivateKey <> ''.
With this change I can connect to my ubuntu box :)

Note that Synapse defaults to not check certificates against the issuer. So any private certificate is accepted as long as it is well formed. When you use the "standard" ssh client it will show the self signed certificate and ask you to accept it or not.

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #10 on: November 21, 2011, 08:41:41 pm »
Quote
Change in sshtest.pas line 32 to
Code:
comm.PrivateKey:='';
because in telnetsshclient line 107 the password is left blank when PrivateKey <> ''.
With this change I can connect to my ubuntu box :)
Thanks a lot. Better to sleep on it - it seemed like a good idea at the time, maybe pop up a warning or something.  Don't know enough about SSH to know if it will accept a wrong key and then a correct password :D
I can connect as well, I'll leave my troubles with the command output for later.

Quote
Note that Synapse defaults to not check certificates against the issuer. So any private certificate is accepted as long as it is well formed. When you use the "standard" ssh client it will show the self signed certificate and ask you to accept it or not.
Mmmmhh.... AFAIK, SSH keys are not issued by a CA, but generated by the host box. But that may be what you mean, and I might be wrong again, also  :D.
I'll check that later - it would be ideal if I could run it with a private key and a passphrase, but a plain private key without passphrase would be fine, too.

Thanks for the help!

ludob

Re: Stuck using Synapse tlntsend as SSH client
« Reply #11 on: November 21, 2011, 09:33:30 pm »
Quote
AFAIK, SSH keys are not issued by a CA
You are right. I contributed a while ago some patches to synapse regarding certificate verification and Cryptlib but that was related to SSL, not SSH. Too many things on my mind lately :(

BigChimp

Re: Stuck using Synapse tlntsend as SSH client
« Reply #12 on: November 22, 2011, 07:59:26 am »
Thanks a lot, Ludo, it works. Helps if you sleep on it  :D

I've also updated the Synapse wiki page with the code as it might be useful to others. Of course, improvements/comments welcome.
http://wiki.lazarus.freepascal.org/Synapse

 
