layout | title | parent | nav_order | has_toc |
---|---|---|---|---|
default |
Trezor Agent |
Bonus Section |
120 |
false |
Difficulty: easy
It is possible to SSH to your device using your Trezor (It should be possible with Ledger and Keepkey but I haven't tried)
- Using romanz's trezor-agent https://github.com/romanz/trezor-agent and Trezor's documentation https://wiki.trezor.io/Apps:SSH_agent
- This Process is currently only available on Linux
On your main machine - Instal pre-requisites:
$ sudo apt update && sudo apt install python3-pip libusb-1.0-0-dev libudev-dev pinentry-curses
Install trezor-agent
$ pip3 install trezor_agent
Set up udev rules on your machine: While your device is disconnected, open a file with nano and paste the udev rules. Save and exit.
$ sudo nano /etc/udev/rules.d/51-trezor.rules
# Trezor: The Original Hardware Wallet
# https://trezor.io/
#
# Put this file into /etc/udev/rules.d
#
# If you are creating a distribution package,
# put this into /usr/lib/udev/rules.d or /lib/udev/rules.d
# depending on your distribution
# Trezor
SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
# Trezor v2
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
Generate a public keys for 'admin' and 'root' users, when asked enter the pin of your trezor and a passphrase
- You can use PASSWORD[A], or come up with a diffrent passphrase
$ trezor-agent [email protected]
> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBByrPrzZXq3ysny74YhYC3AQLBEx7ocjG7oy3C0r+dYui772sOxjDjTj+Ra+Pi7tDjO+m0kcfiMcRjxbB9eF/dg= <ssh://[email protected]|nist256p1>
$ trezor-agent [email protected]
> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCD4lnzAIDCcMbA3MRjBALsAl4oQf2A1ILYyC/HtB6MeyPo5znrfuxcRdSSPHQ3AuN3/i7taZB2uZukPxZ+zbLA= <ssh://[email protected]|nist256p1>
Login to your pi as admin and add the public keys to your authorized keys file
$ sudo nano .ssh/authorized_keys
Substitute with the public keys you produced on your machine
...
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBByrPrzZXq3ysny74YhYC3AQLBEx7ocjG7oy3C0r+dYui772sOxjDjTj+Ra+Pi7tDjO+m0kcfiMcRjxbB9eF/dg= <ssh://[email protected]|nist256p1>
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCD4lnzAIDCcMbA3MRjBALsAl4oQf2A1ILYyC/HtB6MeyPo5znrfuxcRdSSPHQ3AuN3/i7taZB2uZukPxZ+zbLA= <ssh://[email protected]|nist256p1>
Copy the authorized keys file to the root user as well and exit
$ sudo su -
$ cp -r /home/admin/.ssh .ssh
$ exit
Exit from you pi
$ exit
SSH from your trezor as admin, enter pin and the password that you chosen
$ trezor-agent -c [email protected]
or as root
$ trezor-agent -c [email protected]
If the SSH succeeded go to your authorized keys file and delete/comment out all other public keys That's it, Now you can only SSH to your raspibolt using your trezor.
<< Back: Bonus guides