EldoS | Feel safer!

Validating RSA Fingerprint in TElSimpleSFTPClient.OnKeyValidate

#18641
Posted: 01/09/2012 06:15:34
by Dave Risby (Basic support level)
Joined: 01/05/2012
Posts: 1

I'm connecting to an SSH Server via SFTP.
When connecting (before sending user and password) I want to validate the RSA fingerprint that is received from the Server.
I'm doing this in TElSimpleSFTPClient.OnKeyValidate

The EldoS samples simply set Validate = True with a note to NEVER do this in a live environment.
I've followed the related link and searched the site but can't find any examples of how to do this properly.

I can get the byte array of 129 bytes from ServerKey.RSAPublicModulus, convert it to a 258 char hex string and then check this against a stored value.

But what I'd really like to do is return the RSA fingerprint in the familiar format of "ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx".
Anyone got a simple code example to do this?
#18642
Posted: 01/09/2012 06:46:15
by Eugene Mayevski (EldoS Corp.)

Thank you for contacting us.
Dave Risby wrote:
> I've followed the related link and searched the site but can't find any examples of how to do this properly.

There's a how-to in Help file regarding this topic.

Dave Risby wrote:
> But what I'd really like to do is return the RSA fingerprint in the familiar format of "ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx". Anyone got a simple code example to do this?

Well, the "familiar" format is not a "standard". SSH doesn't have any standards for any representation. I think that what you quote is a BASE16 encoding of an MD5 hash of the key with byte representations delimited with semicolon. Other applications might use different formatting to represent a hash, or even use another hash (e.g. SHA1) of the key.

Sincerely yours
Eugene Mayevski
#20832
Posted: 07/18/2012 12:36:54
by Sheby Z (Basic support level)
Joined: 07/18/2012
Posts: 1

Hi,

I have a similar problem. I have the fingerprint as
"ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx".

How do I validate this fingerprint in TElSimpleSFTPClient.OnKeyValidate? Or

will it be possible to configure the above fingerprint value in TElSimpleSFTPClient? If yes, will it validate itself?

Thanks
#20833
Posted: 07/18/2012 12:48:09
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

You can read key fingerprint inside TElSimpleSFTPClient.OnKeyValidate event handler using TElSSHKey.FingerprintMD5 property. Then you can convert it to a byte array using SBUtils.DigestToByteArray128 function. Then you can simply write a function to convert an array of bytes to "xx:xx:xx..." format and compare it to the one you have. If they are equal then you should set Validate to 'true'.
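The steps described in this thread (hash the server's public key, render the digest as "xx:xx:...", compare it to the stored value, and only then accept the key) worked through as an added example. This is not SecureBlackbox code and not from any poster here; it is a stand-alone Python illustration of what the "familiar" ssh-rsa fingerprint actually is. The digest is taken over the RFC 4253 ssh-rsa public key blob (the string "ssh-rsa" followed by the mpints e and n), which is why hashing only ServerKey.RSAPublicModulus, as the first post tried, does not reproduce the fingerprint other tools print. The sample key below is a constructed, non-functional 1024-bit modulus used only so the example runs offline; the 129-byte mpint it produces matches the 129-byte array the first post mentions. The SHA-256 variant goes slightly beyond the thread and shows the other common (OpenSSH) presentation of the same key.

```python
import base64
import hashlib
import hmac
import struct


def encode_string(data: bytes) -> bytes:
    """SSH 'string' wire type: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_mpint(value: int) -> bytes:
    """SSH 'mpint' wire type: length-prefixed big-endian magnitude, with an
    extra leading 0x00 when the top bit is set so the value reads as positive.
    That leading zero is why a 1024-bit modulus arrives as 129 bytes, not 128."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return encode_string(raw)


def rsa_public_key_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public key blob that fingerprints are computed over."""
    return encode_string(b"ssh-rsa") + encode_mpint(e) + encode_mpint(n)


def format_fingerprint(digest: bytes) -> str:
    """Render a digest as lowercase hex pairs separated by colons ("xx:xx:...")."""
    return ":".join(f"{b:02x}" for b in digest)


def md5_fingerprint(blob: bytes) -> str:
    """The classic 16-pair MD5 fingerprint (what TElSSHKey.FingerprintMD5 carries)."""
    return format_fingerprint(hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA-256 fingerprint: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def describe_key(e: int, n: int) -> str:
    """'ssh-rsa <bits> <md5 fingerprint>' in the format quoted in the thread."""
    return f"ssh-rsa {n.bit_length()} {md5_fingerprint(rsa_public_key_blob(e, n))}"


def validate_host_key(blob: bytes, expected_md5: str) -> bool:
    """The decision an OnKeyValidate handler should make: recompute the
    fingerprint from the key the server presented and compare it with the
    pinned value. Case and surrounding whitespace in the stored string are
    ignored; the comparison itself is constant-time. The return value is what
    the handler would assign to Validate."""
    actual = md5_fingerprint(blob)
    return hmac.compare_digest(actual, expected_md5.strip().lower())


# Constructed sample key: NOT a real key pair, just a 1024-bit odd number and
# the usual public exponent, so the example has something to fingerprint.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x1F2E3D4C5B6A7981
SAMPLE_BLOB = rsa_public_key_blob(SAMPLE_E, SAMPLE_N)


if __name__ == "__main__":
    pinned = md5_fingerprint(SAMPLE_BLOB)  # value an admin would store out of band
    print(describe_key(SAMPLE_E, SAMPLE_N))
    print(sha256_fingerprint(SAMPLE_BLOB))
    print("Validate =", validate_host_key(SAMPLE_BLOB, pinned))
    print("Validate =", validate_host_key(SAMPLE_BLOB, ":".join(["00"] * 16)))
```

In a real handler the pinned fingerprint comes from a configuration store populated out of band, never from the first connection, and a mismatch should leave Validate false and be logged, since it is exactly the signal a man-in-the-middle would produce.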
