Apps:SSH agent

From Trezor Wiki

Thanks to the great work of Roman Zeyde, Trezor firmware (version 1.3.4 and higher) supports the NIST256P1 (NIST P-256) elliptic curve.

This addition does not affect your cryptocurrency funds at all, but it means you can now use Trezor for SSH login to any of your servers that support it (OpenSSH 5.7 or newer is required).

What is OpenSSH?

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides an extensive suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

Thanks to Trezor SSH Agent, administrators can now enjoy secure, password-less authentication to their servers.

Resources

Setting up Trezor SSH Agent on Linux

This manual has been tested with both Trezor One and Trezor Model T on Ubuntu 18.04 LTS and NixOS.

Setup (General Linux)

1. Install prerequisites:

sudo apt update && sudo apt install python3-pip libusb-1.0-0-dev libudev-dev pinentry-curses

2. Install trezor_agent through pip:

pip3 install trezor_agent

3. Udev rules need to be set up on your system; this can be done in two ways:

a) by installing Trezor Bridge via https://wallet.trezor.io

or

b) by setting up Udev rules

4. If your local bin folder ~/.local/bin has just been created, run the following command or log out and back in:

export PATH=$PATH:~/.local/bin/

5. Generate the public key using trezor-agent (enter your PIN and/or passphrase just as you would in Trezor Wallet). Replace user@host with your login name and the server you want to access:

$ trezor-agent user@host

6. Log into your server as usual and copy the line containing the ecdsa public key from the previous step into the ~/.ssh/authorized_keys file on your server.

7. From now on, you can log in to your server with Trezor using the following command:

$ trezor-agent -c user@host

Note: The generated keys depend on the user@host parameter, so no two servers or users share the same key.

Note: It is possible to use Trezor SSH Agent for the secure copy protocol (scp) as well:

$ trezor-agent user@host -- scp user@host:/tmp/remotefile ~/tmp/localfile

Note: This method can also be used for git push or other tools that use SSH as their transport:

$ trezor-agent user@host git push
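The steps above have you paste the line printed by trezor-agent into the server's authorized_keys by hand. The following Python example, added here and not part of the Trezor wiki or the trezor-agent project, shows what a careful administrator checks before installing such a line: that it is a well-formed ecdsa-sha2-nistp256 key whose public point actually lies on NIST P-256, and that the same key is not already present in the file. The sample key line is constructed from the P-256 base point and is not a real device key; the function names and the temporary file path are the example's own.

```python
# Added example (not from the Trezor wiki or trezor-agent): validate the key
# line printed by `trezor-agent user@host` before appending it to the server's
# ~/.ssh/authorized_keys, and append it only once.
import base64
import struct
import tempfile
from pathlib import Path

KEY_TYPE = "ecdsa-sha2-nistp256"
CURVE_NAME = "nistp256"

# NIST P-256 domain parameters: y^2 = x^3 - 3x + b (mod p), base point (GX, GY)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[start:end], end


def parse_key_line(line: str) -> tuple[bytes, str]:
    """Parse 'ecdsa-sha2-nistp256 <base64> [comment]'; return (blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] != KEY_TYPE:
        raise ValueError(f"expected a {KEY_TYPE} key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    inner_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the public point")
    if inner_type != KEY_TYPE.encode() or curve != CURVE_NAME.encode():
        raise ValueError("inner key type or curve name does not match")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed 65-byte P-256 point")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    if x >= P256_P or y >= P256_P:
        raise ValueError("coordinate outside the field")
    if (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on NIST P-256")
    return blob, fields[2] if len(fields) == 3 else ""


def is_valid_key_line(line: str) -> bool:
    """True if parse_key_line accepts the line, False otherwise."""
    try:
        parse_key_line(line)
        return True
    except ValueError:
        return False


def install_key(line: str, authorized_keys: Path) -> bool:
    """Append the validated key unless present; return True if file changed."""
    blob, comment = parse_key_line(line)
    b64 = base64.b64encode(blob).decode()
    if authorized_keys.exists():
        for entry in authorized_keys.read_text().splitlines():
            parts = entry.split()  # entries with option prefixes are not matched
            if len(parts) >= 2 and parts[0] == KEY_TYPE and parts[1] == b64:
                return False
    authorized_keys.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    with authorized_keys.open("a") as fh:
        fh.write(f"{KEY_TYPE} {b64}" + (f" {comment}" if comment else "") + "\n")
    authorized_keys.chmod(0o600)
    return True


def make_key_line(x: int, y: int, comment: str = "user@host") -> str:
    """Build a key line for a given point; used only to construct samples."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = b"".join(struct.pack(">I", len(s)) + s
                    for s in (KEY_TYPE.encode(), CURVE_NAME.encode(), point))
    return f"{KEY_TYPE} {base64.b64encode(blob).decode()} {comment}"


def demo_install_twice() -> tuple[bool, bool]:
    """Constructed sample: the P-256 base point stands in for a device key."""
    line = make_key_line(P256_GX, P256_GY)
    with tempfile.TemporaryDirectory() as tmp:
        ak = Path(tmp) / ".ssh" / "authorized_keys"
        return install_key(line, ak), install_key(line, ak)
```

Calling demo_install_twice() installs the constructed key into a temporary authorized_keys file and returns (True, False): the second call finds the key already present and leaves the file untouched. For a real device, pass the line printed by trezor-agent user@host to install_key on the server; a tampered or truncated line, or one whose point is not on the curve, is rejected with a ValueError instead of being installed.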


Setup (NixOS)

1. You will need to add the following packages to /etc/nixos/configuration.nix:

environment.systemPackages = with pkgs; [ gnupg pinentry (python3.withPackages(ps: with ps; [ trezor_agent wheel])) ];

2. Udev rules need to be set up on your system; this can be done in two ways:

a) by installing Trezor Bridge by adding the following line to /etc/nixos/configuration.nix:

services.trezord.enable = true;

or

b) by setting up Udev rules

3. You need to rebuild your system for the changes to take effect:

sudo nixos-rebuild switch

4. Generate the public key using trezor-agent (enter your PIN and/or passphrase just as you would in Trezor Wallet). Replace user@host with your login name and the server you want to access:

$ trezor-agent user@host

5. Log into your server as usual and copy the line containing the ecdsa public key from the previous step into the ~/.ssh/authorized_keys file on your server.

6. From now on, you can log in to your server with Trezor using the following command:

$ trezor-agent -c user@host

Setting up Trezor SSH Agent on Windows

Thanks to the great work by Martin Lizner, it is possible to use SSH login with a Trezor device on computers with a Windows operating system.

For detailed information about Trezor SSH Agent, see also the trezor-ssh-agent GitHub repository (https://github.com/martin-lizner/trezor-ssh-agent).

Prerequisites

You will need Java installed to set up Trezor SSH Agent.

https://www.java.com/en/download/

Setup

1. Download the Trezor SSH agent:

https://github.com/martin-lizner/trezor-ssh-agent/releases/download/v1.0.3/TrezorSSHAgent.exe

2. Download and install PuTTY, a version that supports ECDSA keys. Certified PuTTY versions: 0.67+, 0.66, 0.65.

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

3. Connect the Trezor device, run the Trezor SSH agent, right-click the Trezor SSH agent tray icon, select "Show Public Key", and enter your PIN/passphrase.

4. Copy the public key and paste it at the end of the authorized_keys file in the ~/.ssh/ directory on the server. If that file does not exist yet, create it first, then paste the public key.

5. Start PuTTY with the "Attempt authentication using Pageant" option enabled (Connection -> SSH -> Auth).

(Screenshot: PuTTY configuration, Connection -> SSH -> Auth)

6. Use PuTTY to connect to your SSH server. Provide your PIN/passphrase if asked.

7. Confirm the identity sign operation on the device - "SSH login to: btc.rulez".
