Apps:SSH agent

From Trezor Wiki

Thanks to the great work by Roman Zeyde, Trezor firmware (version 1.3.4 and higher) supports the NIST256P1 elliptic curve.

This addition does not affect your cryptocurrency funds at all, but it means you can now use Trezor for SSH login to any of your servers which support it (OpenSSH 5.7 or newer is needed).

What is OpenSSH?

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides an extensive suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

Thanks to Trezor SSH Agent, administrators can now easily install this OpenSSH-compatible agent and enjoy password-less and secure authentication to their servers.


Setting up Trezor SSH Agent on Linux

This manual has been tested on Ubuntu 18.04 LTS.


sudo apt-get install python3-pip libusb-1.0-0-dev libudev-dev


  1. Run:
     pip3 install trezor_agent
  2. Create udev rules:
     vi /etc/udev/rules.d/51-trezor.rules
  3. If your local bin folder ~/.local/bin has just been created, run the following command or log out and log back in:
     export PATH=$PATH:~/.local/bin/
  4. Generate a public key using trezor-agent (enter your PIN just like you would in Trezor Wallet):
     $ trezor-agent [email protected]
  5. Log in to your server as usual and copy the row containing the ecdsa magic from the previous step into the ~/.ssh/authorized_keys file on your server.
  6. From now on, you can log in to your server with your Trezor using the following command:
     $ trezor-agent -c [email protected]

Note: The generated keys depend on the [email protected] parameter, so no two servers or users share the same key.

Note: This method can also be used for git push or other mechanisms that use SSH as their communication protocol:
$ trezor-agent [email protected] git push
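
The row copied into ~/.ssh/authorized_keys can be checked before it is trusted. The following Python code is an added example, not part of the original wiki page or of trezor-agent: it parses an ecdsa-sha2-nistp256 row, confirms that the embedded point lies on the NIST P-256 curve, and returns the SHA256 fingerprint in the form OpenSSH prints, so it can be compared with the server's logs. The function names and the sample key (the curve's base point, constructed for illustration) are assumptions.

```python
import base64
import hashlib
import struct

# NIST P-256 (nistp256) parameters: y^2 = x^3 - 3x + B (mod P)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

def read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_nistp256_line(line):
    """Validate an 'ecdsa-sha2-nistp256 <base64> [comment]' row; return its fingerprint."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ecdsa-sha2-nistp256":
        raise ValueError("not an ecdsa-sha2-nistp256 key row")
    blob = base64.b64decode(fields[1], validate=True)
    ktype, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    if ktype != b"ecdsa-sha2-nistp256" or curve != b"nistp256" or off != len(blob):
        raise ValueError("key blob does not match the declared key type")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed 65-byte curve point")
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on the P-256 curve")
    # Same form as `ssh-keygen -lf`: unpadded base64 of SHA-256 over the blob
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def wire(data):
    return struct.pack(">I", len(data)) + data  # SSH wire-format string

# Constructed sample: the P-256 base point G stands in for a device public key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
SAMPLE_BLOB = (wire(b"ecdsa-sha2-nistp256") + wire(b"nistp256")
               + wire(b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")))
SAMPLE_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-sample"

if __name__ == "__main__":
    print(check_nistp256_line(SAMPLE_LINE))
```

A row that was truncated or altered while being copied fails with ValueError instead of being silently appended to authorized_keys.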

Setting up Trezor SSH Agent on Windows

Thanks to the great work by Martin Lizner, it is possible to use SSH login with a Trezor device on computers with a Windows operating system.

For detailed information about Trezor SSH Agent, see also this GitHub page.


You will need Java installed to set up Trezor SSH Agent.


1. Download the Trezor SSH agent.

2. Download and install PuTTY, a version that supports ECDSA keys. Certified PuTTY versions: 0.67+, 0.66, 0.65.

3. Connect the Trezor device, run the Trezor SSH agent, right-click on the Trezor SSH agent tray icon, select "Show Public Key" and enter your PIN/Passphrase.

4. Copy the public key and paste it at the end of the SSH authorized_keys file in the ~/.ssh/ directory. If that file does not exist yet, create it first and then copy and paste the public key.

5. Start PuTTY with the "Attempt authentication using Pageant" option selected (Connection->SSH->Auth).

6. Use PuTTY to connect to your favorite SSH server. Provide your PIN/Passphrase if asked.

7. Confirm the identity sign operation on the device - "SSH login to: btc.rulez".
