diff --git a/doc/README-SSH.md b/doc/README-SSH.md index a4272ab..4816b68 100644 --- a/doc/README-SSH.md +++ b/doc/README-SSH.md 
@@ -226,12 +226,47 @@ automatically when the socket is opened. ##### 4. SSH will now automatically use your device key in all terminals. +##### 5. Signatures with ssh and trezor + +SSH and ssh-keygen can make and verify signatures, See +[ssh_signatures](https://www.agwa.name/blog/post/ssh_signatures) + +See here for more ssh protocol details: +https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig +https://github.com/openssh/openssh-portable/blob/master/sshsig.c +openssh/openssh-portable@2a9c9f7 + + +## generate SSH public key +$ trezor-agent -e ed25519 git@github.com | tee ~/.ssh/trezor-github.pub +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 + +## sign the given file using TREZOR +$ trezor-agent -e ed25519 git@github.com -- ssh-keygen -Y sign -f ~/.ssh/trezor-github.pub -n file README.md +Signing file README.md +Write signature to README.md.sig + +## set allowed identities for verification (using the above public key) +$ cat allowed +git@github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvcbhXyaXXNytCLTDfEMlLuwEhtfo0XmPP1U5RsnOZ4 + +## verify the above signature +$ ssh-keygen -Y verify -f allowed -I git@github.com -n file -s README.md.sig -vvv < README.md +debug1: sshsig_verify_fd: signature made with hash "sha512" +debug1: sshsig_wrap_verify: verify message length 64 +debug1: Valid (unverified) signature from key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A +debug1: parse_principals_key_and_options: allowed:1: matched principal "git@github.com" +debug1: allowed:1: matched key and principal +Good "file" signature for git@github.com with ED25519 key SHA256:6UBhPb5SOoCUfasGC1/aCBegYov0/P3ajd6eNbYg77A +# + + ## 4. Troubleshooting If SSH connection fails to work, please open an [issue](https://github.com/romanz/trezor-agent/issues) with a verbose log attached (by running `trezor-agent -vv`) . 
-##### `IdentitiesOnly` SSH option +#### `IdentitiesOnly` SSH option Note that your local SSH configuration may ignore `trezor-agent`, if it has `IdentitiesOnly` option set to `yes`.
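Review bot: in the new section 5, the shell transcript (from `## generate SSH public key` down to the stray trailing `#` prompt) is not inside a fenced code block, so every `## ...` comment line will render as a level-2 Markdown heading, colliding with `## 4. Troubleshooting` and breaking the README's outline. Wrap the whole transcript in a ```` ```bash ```` fence (keeping the `#` comments as comments) and drop the empty `#` line at the end. While touching it: the heading should read "5. Signatures with SSH and TREZOR" to match the capitalization used elsewhere in this file; "SSH and ssh-keygen can make and verify signatures, See [...]" is a comma splice (end the sentence after "signatures"); the two bare `https://github.com/openssh/...` URLs should be Markdown links, and `openssh/openssh-portable@2a9c9f7` is a GitHub-only shorthand that does not link anywhere when the README is rendered outside GitHub, so spell out the commit URL. One sentence on trust would also help readers: the `allowed` file passed via `-f allowed` is the trust anchor for `ssh-keygen -Y verify`, so it should note that the principal/key pairs listed there are what gets trusted, and that the `SHA256:6UBhPb5S...` fingerprint in the output should match the key the device exported in the first step.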
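Review bot: the promotion of `##### IdentitiesOnly SSH option` to `####` looks right, but the unchanged context line that follows it has a grammar slip worth fixing in the same hunk: "if it has `IdentitiesOnly` option set to `yes`" should read "if it has the `IdentitiesOnly` option set to `yes`", and the comma before "if" can go.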