Apps:SSH agent

From Trezor Wiki

Thanks to the great work of Roman Zeyde, Trezor firmware (version 1.3.4 and higher) supports the NIST256P1 elliptic curve.

This addition does not affect your cryptocurrency funds at all, but it means you can now use Trezor for SSH login to any of your servers that support it (OpenSSH 5.7 or newer is required).

See also the related blog articles: "Trezor Firmware 1.3.4 enables SSH login", "#FeatureFriday — SSH Agent" and "OpenSSH with FIDO2 and Trezor".

What is OpenSSH?

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides an extensive suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

Thanks to Trezor SSH Agent, administrators can enjoy password-less and secure authentication to their servers: the private key never leaves the device, and each login must be confirmed on it.

Resources

Setting up Trezor SSH Agent on Linux

This manual has been tested with both Trezor One and Trezor Model T on Ubuntu 18.04 LTS and NixOS.

Setup (General Linux)

1. Install prerequisites:

sudo apt update && sudo apt install python3-pip libusb-1.0-0-dev libudev-dev pinentry-curses

2. Install trezor_agent through pip:

pip3 install trezor_agent

3. udev rules need to be set up on your system; this can be done in two ways:

a) by installing Trezor Bridge via https://wallet.trezor.io

or

b) by setting up the udev rules manually

4. If your local bin folder ~/.local/bin has just been created, run the following command or log out and log back into the system:

export PATH=$PATH:~/.local/bin/

5. Generate a public key using trezor-agent (enter your PIN and/or passphrase just like you would in Trezor Wallet):

$ trezor-agent [email protected]

6. Log into your server as usual and copy the line containing the ECDSA public key from the previous step (it starts with ecdsa-sha2-nistp256) into the ~/.ssh/authorized_keys file on your server.

7. From now on, you can log in to your server using Trezor with the following command:

$ trezor-agent -c [email protected]


Note: The generated keys depend on the [email protected] parameter, so no two servers or users share the same key.

Note: It is possible to use Trezor SSH Agent for the secure copy protocol (scp) as well:
$ trezor-agent [email protected] -- scp [email protected]:/tmp/remotefile ~/tmp/localfile

Note: This method can also be used for git push or other mechanisms that use SSH as their communication protocol:
$ trezor-agent [email protected] git push
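The two points a practitioner would want to check before relying on the steps above are that the server's OpenSSH is new enough for ECDSA keys (5.7 or later, as stated at the top of the page) and that the line pasted into authorized_keys really is the NIST P-256 public key rather than a stray line of agent output. The following POSIX shell script is an added example written for this page; it is not code from the Trezor wiki or from the trezor-agent project. It assumes only that trezor-agent prints the key in the standard OpenSSH authorized_keys format ("ecdsa-sha2-nistp256 <base64 blob> <comment>"); the sample key blob at the bottom is constructed with placeholder coordinates and is not a real key.

```shell
#!/bin/sh
# Added example (not from the Trezor wiki or trezor-agent). Helpers for
# sanity-checking the SSH setup described on the page.

# Return 0 if an OpenSSH version banner (as printed by `ssh -V`, e.g.
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1") is 5.7 or newer, the first release
# with ECDSA key support.
openssh_supports_ecdsa() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    major=$1
    minor=$2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }
}

# Return 0 if a line looks like an OpenSSH NIST P-256 public key: the key
# type field must be ecdsa-sha2-nistp256, the second field must be base64,
# and the decoded blob must repeat the key type and curve name, as the
# OpenSSH wire format requires. (Curve-point validity is not checked here;
# sshd does that when the key is used.)
is_valid_p256_key_line() {
    keytype=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$keytype" = "ecdsa-sha2-nistp256" ] || return 1
    [ -n "$blob" ] || return 1
    # Replace non-printable bytes so the decoded blob is safe to hold in a variable.
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -c '[:print:]' '.')
    case "$decoded" in
        *ecdsa-sha2-nistp256*nistp256*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append a key line to an authorized_keys file only if it passes the check
# above and is not already present, keeping the file private (mode 600).
add_authorized_key() {
    file=$1
    line=$2
    is_valid_p256_key_line "$line" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    grep -qxF "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Constructed sample (NOT a real key): the OpenSSH ECDSA blob layout is
# uint32 len + "ecdsa-sha2-nistp256", uint32 len + "nistp256",
# uint32 len + 0x04 + 64 bytes of point coordinates; here the coordinates
# are 64 'A' bytes, so this blob is only useful for exercising the checks.
SAMPLE_BLOB=$( { printf '\000\000\000\023ecdsa-sha2-nistp256\000\000\000\010nistp256\000\000\000\101\004'; printf '%064d' 0 | tr 0 A; } | base64 | tr -d '\n' )
SAMPLE_KEY_LINE="ecdsa-sha2-nistp256 $SAMPLE_BLOB placeholder-user@placeholder-host"
```

To use it on a real host, run `openssh_supports_ecdsa "$(ssh -V 2>&1)"` on the server (ssh prints its version to stderr) and pass the line printed by `trezor-agent` to `add_authorized_key ~/.ssh/authorized_keys "<line>"`; a non-zero exit means the line was not a P-256 key and nothing was written.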


Setup (NixOS)

1. You will need to add the following packages to /etc/nixos/configuration.nix:

environment.systemPackages = with pkgs; [ gnupg pinentry (python3.withPackages(ps: with ps; [ trezor_agent wheel])) ];

2. udev rules need to be set up on your system; this can be done in two ways:

a) by installing Trezor Bridge, which is done by adding the following line to /etc/nixos/configuration.nix:
services.trezord.enable = true;

or

b) by setting up the udev rules manually

3. You need to rebuild your system for the changes to take effect:

sudo nixos-rebuild switch

4. Generate a public key using trezor-agent (enter your PIN and/or passphrase just like you would in Trezor Wallet):

$ trezor-agent [email protected]

5. Log into your server as usual and copy the line containing the ECDSA public key from the previous step (it starts with ecdsa-sha2-nistp256) into the ~/.ssh/authorized_keys file on your server.

6. From now on, you can log in to your server using Trezor with the following command:

$ trezor-agent -c [email protected]