From debcda4ce8c0e2c4d38f9c1cdee5c56f3c9e73a1 Mon Sep 17 00:00:00 2001 From: Iskra Delta Date: Tue, 17 Jan 2023 19:50:23 +0000 Subject: [PATCH 1/4] Update README-SSH.md document the ssh signatures examples --- doc/README-SSH.md | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/doc/README-SSH.md b/doc/README-SSH.md index a4272ab..4816b68 100644 --- a/doc/README-SSH.md +++ b/doc/README-SSH.md 
@@ -226,12 +226,47 @@ automatically when the socket is opened. ##### 4. SSH will now automatically use your device key in all terminals. +##### 5. Signatures with ssh and trezor + +SSH and ssh-keygen can make and verify signatures, See +[ssh_signatures](https://www.agwa.name/blog/post/ssh_signatures) + +See here for more ssh protocol details: +https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig +https://github.com/openssh/openssh-portable/blob/master/sshsig.c +openssh/openssh-portable@2a9c9f7 + + +## generate SSH public key +$ trezor-agent -e ed25519 git@github.com | tee ~/.ssh/trezor-github.pub +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 + +## sign the given file using TREZOR +$ trezor-agent -e ed25519 git@github.com -- ssh-keygen -Y sign -f ~/.ssh/trezor-github.pub -n file README.md +Signing file README.md +Write signature to README.md.sig + +## set allowed identities for verification (using the above public key) +$ cat allowed +git@github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 + +## verify the above signature +$ ssh-keygen -Y verify -f allowed -I git@github.com -n file -s README.md.sig -vvv < README.md +debug1: sshsig_verify_fd: signature made with hash "sha512" +debug1: sshsig_wrap_verify: verify message length 64 +debug1: Valid (unverified) signature from key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A +debug1: parse_principals_key_and_options: allowed:1: matched principal "git@github.com" +debug1: allowed:1: matched key and principal +Good "file" signature for git@github.com with ED25519 key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A +# + + ## 4. Troubleshooting If SSH connection fails to work, please open an [issue](https://github.com/romanz/trezor-agent/issues) with a verbose log attached (by running `trezor-agent -vv`) . 
-##### `IdentitiesOnly` SSH option +#### `IdentitiesOnly` SSH option Note that your local SSH configuration may ignore `trezor-agent`, if it has `IdentitiesOnly` option set to `yes`. From d3817a4eec5c0b01540515c76bcbad52a0b319ec Mon Sep 17 00:00:00 2001 From: Iskra Delta Date: Tue, 17 Jan 2023 20:39:38 +0000 Subject: [PATCH 2/4] Update README-SSH.md --- doc/README-SSH.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/README-SSH.md b/doc/README-SSH.md index 4816b68..6b49245 100644 --- a/doc/README-SSH.md +++ b/doc/README-SSH.md @@ -226,7 +226,7 @@ automatically when the socket is opened. ##### 4. SSH will now automatically use your device key in all terminals. -##### 5. Signatures with ssh and trezor +## 5. Signatures with ssh and trezor SSH and ssh-keygen can make and verify signatures, See [ssh_signatures](https://www.agwa.name/blog/post/ssh_signatures) 
@@ -237,20 +237,20 @@ https://github.com/openssh/openssh-portable/blob/master/sshsig.c openssh/openssh-portable@2a9c9f7 -## generate SSH public key +##### generate SSH public key $ trezor-agent -e ed25519 git@github.com | tee ~/.ssh/trezor-github.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 -## sign the given file using TREZOR +##### sign the given file using TREZOR $ trezor-agent -e ed25519 git@github.com -- ssh-keygen -Y sign -f ~/.ssh/trezor-github.pub -n file README.md Signing file README.md Write signature to README.md.sig -## set allowed identities for verification (using the above public key) +##### set allowed identities for verification (using the above public key) $ cat allowed git@github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 -## verify the above signature +##### verify the above signature $ ssh-keygen -Y verify -f allowed -I git@github.com -n file -s README.md.sig -vvv < README.md debug1: sshsig_verify_fd: signature made with hash "sha512" debug1: sshsig_wrap_verify: verify message length 64 From 7c76bb4df75bb41bdff3731c0493a2bfcc36fe43 Mon Sep 17 00:00:00 2001 From: Iskra Delta Date: Tue, 17 Jan 2023 20:40:30 +0000 Subject: [PATCH 3/4] Update README-SSH.md --- doc/README-SSH.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/README-SSH.md b/doc/README-SSH.md index 6b49245..4e39fc4 100644 --- a/doc/README-SSH.md +++ b/doc/README-SSH.md 
@@ -238,19 +238,23 @@ openssh/openssh-portable@2a9c9f7 ##### generate SSH public key +``` $ trezor-agent -e ed25519 git@github.com | tee ~/.ssh/trezor-github.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 - +``` ##### sign the given file using TREZOR +``` $ trezor-agent -e ed25519 git@github.com -- ssh-keygen -Y sign -f ~/.ssh/trezor-github.pub -n file README.md Signing file README.md Write signature to README.md.sig - +``` ##### set allowed identities for verification (using the above public key) +``` $ cat allowed git@github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 - +``` ##### verify the above signature +``` $ ssh-keygen -Y verify -f allowed -I git@github.com -n file -s README.md.sig -vvv < README.md debug1: sshsig_verify_fd: signature made with hash "sha512" debug1: sshsig_wrap_verify: verify message length 64 @@ -258,8 +262,7 @@ debug1: Valid (unverified) signature from key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov debug1: parse_principals_key_and_options: allowed:1: matched principal "git@github.com" debug1: allowed:1: matched key and principal Good "file" signature for git@github.com with ED25519 key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A -# - +``` ## 4. Troubleshooting From c7384d7e0ef2ddfe94bbb6716e6c03295ec92ce4 Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Wed, 18 Jan 2023 21:02:43 +0200 Subject: [PATCH 4/4] Reformat --- doc/README-SSH.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/README-SSH.md b/doc/README-SSH.md index 4e39fc4..5a84127 100644 --- a/doc/README-SSH.md +++ b/doc/README-SSH.md @@ -1,6 +1,6 @@ # SSH Agent -## 1. Configuration +## Configuration SSH requires no configuration, but you may put common command line options in `~/.ssh/agent.conf` to avoid repeating them in every invocation. 
@@ -8,7 +8,7 @@ See `(trezor|keepkey|ledger|jade|onlykey)-agent -h` for details on supported opt If you'd like a Trezor-style PIN entry program, follow [these instructions](README-PINENTRY.md). -## 2. Usage +## Usage Use the `(trezor|keepkey|ledger|jade|onlykey)-agent` program to work with SSH. It has three main modes of operation: @@ -57,7 +57,7 @@ $ (trezor|keepkey|ledger|jade|onlykey)-agent user@remotehost -c The identity `user@remotehost` is used as both the destination user and host as well as for key derivation, so you must generate a separate key for each host you connect to. -## 3. Common Use Cases +## Common Use Cases ### Start a single SSH session [![Demo](https://asciinema.org/a/22959.png)](https://asciinema.org/a/22959) @@ -226,15 +226,15 @@ automatically when the socket is opened. ##### 4. SSH will now automatically use your device key in all terminals. -## 5. Signatures with ssh and trezor +## SSH Signatures -SSH and ssh-keygen can make and verify signatures, See -[ssh_signatures](https://www.agwa.name/blog/post/ssh_signatures) +SSH and ssh-keygen can make and verify signatures, see https://www.agwa.name/blog/post/ssh_signatures. See here for more ssh protocol details: -https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig -https://github.com/openssh/openssh-portable/blob/master/sshsig.c -openssh/openssh-portable@2a9c9f7 + + - https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig + - https://github.com/openssh/openssh-portable/blob/master/sshsig.c + - https://github.com/openssh/openssh-portable/commit/2a9c9f7272c1e8665155118fe6536bebdafb6166 ##### generate SSH public key 
@@ -264,7 +264,7 @@ debug1: allowed:1: matched key and principal Good "file" signature for git@github.com with ED25519 key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A ``` -## 4. Troubleshooting +## Troubleshooting If SSH connection fails to work, please open an [issue](https://github.com/romanz/trezor-agent/issues) with a verbose log attached (by running `trezor-agent -vv`) .
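Review bot: The verification example in the first hunk of PATCH 1/4 (`ssh-keygen -Y verify -f allowed -I git@github.com -n file ...`) builds the `allowed` file from the public key printed two steps earlier, so the text never says where a verifier is supposed to get that key from; a sentence stating that `allowed` is the trust anchor and must come from the signer out of band (the published key, not the key in the `.sig` being checked), and that the `-n file` namespace and the `-I` principal must match what was used at signing time or verification fails, would stop readers from treating a self-made `allowed` file as proof of anything. In the same hunk, `##### 5. Signatures with ssh and trezor` sits at the level of the `##### 4.` step above it, so it reads as a fifth setup step while the `## generate SSH public key` sub-headings below outrank it, "signatures, See" should be "signatures, see", and the bare `#` line after the `Good "file" signature` output looks like a leftover prompt and should be dropped.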
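Review bot: The `#####` to `####` change on the `IdentitiesOnly` heading in the second hunk of PATCH 1/4 is unrelated to the commit subject ("document the ssh signatures examples"); either mention it in the commit message or move it to its own commit so the heading-level fix is not hidden inside a documentation addition.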
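Review bot: Demoting the four sub-headings to `#####` in the second hunk of PATCH 2/4 puts them directly under the new `## 5. Signatures with ssh and trezor` heading and skips levels 3 and 4; `###` would keep the outline consistent with the rest of the file, which uses `###` for the subsections of `## 3. Common Use Cases` (visible in PATCH 4/4). The commit message "Update README-SSH.md" also says nothing about what changed; "Fix heading levels in SSH signatures section" would.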
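Review bot: The code fences added in the first hunk of PATCH 3/4 carry no language tag; each block is a terminal transcript mixing `$` commands with their output, so tagging them as ```console (or ```sh) gives consistent highlighting and makes it obvious which lines are typed. A blank line between each closing ``` and the following `#####` heading would also keep the fence from butting against the heading.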
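Review bot: In the fourth hunk of PATCH 4/4, `See here for more ssh protocol details:` is now followed by an empty line and then the list, so "here" no longer points at anything on its own line; "See the following for more ssh protocol details:" reads better, and the three list items are indented by a single leading space, which renders but is easy to mangle in later edits. With the section renamed to the generic `## SSH Signatures`, the sub-heading `##### sign the given file using TREZOR` from PATCH 2/4 is now the only place that names one device, while the rest of the file refers to `(trezor|keepkey|ledger|jade|onlykey)-agent`; either rename the sub-heading or add a line noting that the example uses `trezor-agent` but works the same with the other agents.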