
trezor-ssh-agent's Introduction


Trezor SSH Agent for Windows (Putty, WinSCP and more)

  • Supported devices: Trezor, KeepKey (see KeepKey Users section)
  • Supported keys: ecdsa-sha2-nistp256, ssh-ed25519

Trezor SSH Agent is a Windows application that lets users authenticate to UNIX/Linux SSH servers with their favorite apps like Putty, WinSCP or other Pageant-compatible clients (e.g. git) together with their bitcoin hardware wallet. Trezor SSH Agent is a GUI-enabled tray application that emulates the Pageant process on Windows. It receives identity requests from the SSH client (which in turn gets them from the SSH server), uses the wallet hardware to sign the challenge and sends the data back. All of this is framed in secure Elliptic curve cryptography (ECC) and a PIN obfuscation approach, giving the user cutting-edge security while authenticating to the SSH server.

It is absolutely safe to use Trezor SSH Agent. No harm can be caused to your bitcoins or the wallet. The application never asks the device for any Bitcoin-related action, e.g. it never asks it to sign a transaction.

Limitations

  • ssh-rsa is not supported by the device hardware.
  • No other device app (like the myTREZOR web page or the KeepKey Chrome extension) can be running simultaneously.
  • Pageant cannot run simultaneously.
  • The BIP32 path is fixed by a constant Identity URI. In PIN-only mode this produces just one public key per device. Turning on passphrase security on your device gives you a unique key per passphrase. Alternatively you can change the path in the settings file (see Advanced).
  • There are small issues at the USB level that make Trezor initialization take a bit longer (20-30 sec) in certain situations.

Getting started

Start

  • Download and run the JAR or EXE binary from the latest release.
  • Java 1.8 is required.
  • Or you can build it yourself (see below) and run the main class com.trezoragent.gui.StartAgentGUI.

Build

Trezor SSH Agent uses the standard Maven build process and can be built without external hardware attached. Just do the usual:

$ cd <project directory>
$ mvn clean install

Troubleshooting

  • Edit the logger.properties file and set com.trezoragent.level = FINE for more detailed logging.
  • The application log is saved in your C:\Users\...\ directory under the default name Trezor_Agent.log
  • You can also access the log by using the "Open Log File" item in the application tray menu.
  • If you are getting the "Device not ready" message, try closing your Chrome browser and re-plugging the device.
  • Also make sure that the SSH server you are connecting to supports ECC:
    • ECDSA is generally supported since OpenSSH 5.7
    • But there are backports to some older OpenSSH versions, e.g. Red Hat/CentOS 5.3p1-112

Usage

  • Please download a Putty or WinSCP version that supports ECDSA keys. Certified Putty versions: 0.67+, 0.66, 0.65
  • After starting the app, find the Trezor icon in the Windows tray area and right-click it to open the menu.
  • Click "Show Public Key" to get your OpenSSH public key. Provide PIN/Passphrase if asked. Place the key on the SSH server in your user's authorized_keys file.
  • Start Putty with the "Attempt authentication using Pageant" option selected (Connection->SSH->Auth).
  • Use Putty to connect to your favorite SSH server.
  • Provide PIN/Passphrase if asked.
  • Confirm the identity sign operation on the device - "SSH login to: btc.rulez".

KeepKey Users

  • Make sure the Chrome browser is closed if you have the KeepKey extension installed, otherwise you may get a "KeepKey not ready" warning.
  • After starting Trezor SSH Agent, use the "Edit Settings" menu item to set the DEVICE=keepkey property in the settings file.
    • You can also access the settings file in your Windows user directory under the name Trezor_Agent.properties
  • After you have made changes to the settings file, please restart Trezor SSH Agent.

Advanced

  • Using the "Edit Settings" menu you can edit some Trezor SSH Agent properties saved in the settings file. After you make the changes, make sure you restart the app for the changes to take effect.
  • You can customize the BIP32 URI and Index values that are used to derive your unique device key. This is also the text displayed on the device when confirming the login operation. Please be aware that BIP32_URI must conform to the Java URI syntax (RFC 2396, http://www.ietf.org/rfc/rfc2396.txt) as well as SLIP-0013, so avoid using characters like underscore.
  • The SESSION_TIMEOUT property defines the minutes of idle time after which the device automatically locks itself. The display stays on, but the PIN and passphrase cache is reset after the timeout. Idle time is zeroed after each successful pubkey or sign operation.
  • The CURVE_NAME property = {nist256p1 | ed25519} specifies which key type will be requested from the device. Please keep in mind that ed25519 support is available since Trezor 1.3.6 and KeepKey 3.0.17 firmware.

Agent Forwarding

You can also use Trezor SSH Agent with the "agent forwarding" option set in the SSH client. This enables chaining connections back to the original agent. Example:

  1. Open an SSH session to a UNIX host with agent forwarding enabled in Putty.
  2. From the UNIX shell command line open another ssh connection (e.g. ssh root@localhost) to a server which trusts your public key.
  3. Confirm the operation on the device and you are logged in.

Public Key Example

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKJHh8o1FNgyEXzPLIc7tlk4n+4/mLlCs/m/SY7+WsUhdoajyHiyP0Zdo+VuWAizLTApW68QIzqWY73fur+i7nk= Trezor

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK66qZJ26L1x5XEeUKewwerLqvltSf8yvx884ObsvwB3 TrezorDEV
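The two keys above are ordinary OpenSSH public key lines: a type label, a base64 blob that repeats the type and carries the key material, and a comment. Before pasting what "Show Public Key" gives you into authorized_keys it is worth checking that the blob is well-formed, that it is one of the two key types the agent can serve (ssh-rsa is rejected, matching the Limitations section), and that its SHA256 fingerprint matches what ssh-keygen -lf reports on the server. The parser below is an added example, not code from the trezor-ssh-agent project; the function names and the is_agent_servable helper are assumptions introduced here.

```python
import base64
import hashlib
import struct

# Key types the agent serves (from the README); ssh-rsa is deliberately absent.
AGENT_KEY_TYPES = {"ecdsa-sha2-nistp256", "ssh-ed25519"}

def _read_string(blob, offset):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("string runs past end of key blob")
    return blob[offset + 4:end], end

def parse_openssh_pubkey(line):
    """Parse an authorized_keys-style line; ValueError if malformed or unsupported."""
    key_type, b64, *rest = line.split()  # ValueError if fewer than two fields
    comment = " ".join(rest)
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    # The type string inside the blob must agree with the outer label.
    if inner_type != key_type.encode("ascii"):
        raise ValueError("outer type %r != inner type %r" % (key_type, inner_type))
    if key_type not in AGENT_KEY_TYPES:
        raise ValueError("key type %s is not served by the agent" % key_type)
    result = {"type": key_type, "comment": comment}
    if key_type == "ecdsa-sha2-nistp256":
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        # An uncompressed P-256 point is 0x04 || X (32 bytes) || Y (32 bytes).
        if curve != b"nistp256" or len(point) != 65 or point[0] != 0x04:
            raise ValueError("not an uncompressed nistp256 point")
        result["curve"] = curve.decode("ascii")
        result["key_len"] = len(point)
    else:  # ssh-ed25519 carries a single 32-byte public key
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        result["key_len"] = len(pk)
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    # Same SHA256 fingerprint form that `ssh-keygen -lf` prints.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    result["fingerprint"] = "SHA256:" + digest
    return result

def is_agent_servable(line):
    """True only for a key type this agent can present to Pageant clients."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:  # malformed, or e.g. ssh-rsa, which the device HW cannot sign with
        return False
```

Run parse_openssh_pubkey on the line copied from the agent and compare the fingerprint with the server's ssh-keygen -lf output; a mismatch means the wrong key (or a different passphrase-derived key) ended up in authorized_keys.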

Credits

Bitcoin donations: 1QEKWJFAqwkCxPotJoGpfaFDnaShjiNtb5

Contributors

gary-rowe, jim618, martin-lizner


trezor-ssh-agent's Issues

WARNING: Trezor not ready after show public key command

Hi Martin,
I've downloaded trezor-ssh-agent v 1.0.3 running on Windows 10 64b.
Trezor T connected, PIN provided.
When I run agent, it appears as tray icon.

Observation:
I click Show public key and nothing happens. (NOK)

Expected:
Show key for copy paste.

I tried to close chrome, reconnect device, restart PC.

This is what log shows:

[22.04.2018 16:44:30] INFO: Java version: 1.8.0_91-b15 (64-bit)
[22.04.2018 16:44:30] INFO: Java home: C:\Program Files\Java\jre1.8.0_91
[22.04.2018 16:44:30] INFO: Trezor SSH Agent 1.0.3 started successfully
[22.04.2018 16:44:30] INFO: Existing settings file loaded: C:\Users\e558972\Trezor_Agent.properties
[22.04.2018 16:44:30] INFO: Trezor Service Started
[22.04.2018 16:44:31] INFO: Received USB event: SHOW_DEVICE_DETACHED
[22.04.2018 16:45:11] INFO: Java version: 1.8.0_91-b15 (64-bit)
[22.04.2018 16:45:11] INFO: Java home: C:\Program Files\Java\jre1.8.0_91
[22.04.2018 16:45:11] INFO: Trezor SSH Agent 1.0.3 started successfully
[22.04.2018 16:45:11] INFO: Existing settings file loaded: C:\Users\e558972\Trezor_Agent.properties
[22.04.2018 16:45:11] INFO: Trezor Service Started
[22.04.2018 16:45:12] INFO: Received USB event: SHOW_DEVICE_DETACHED
[22.04.2018 16:45:39] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[22.04.2018 16:45:39] WARNING: Trezor not ready.
[22.04.2018 16:45:55] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[22.04.2018 16:45:55] WARNING: Trezor not ready.

Unfork from multibit-hardware repo

Github treats this repo as if it was a fork of multibit-hardware repo. This creates a few problems. Forked repositories cannot be searched and have several other disadvantages.

I am not aware of other way of unforking than just deleting the repo, creating a new one with the same name and pushing back the git contents.

Can the Trezor be put to sleep after a certain timeout?

If I leave my Trezor plugged in while the agent is running, the screen stays on. Could it somehow blank the screen/turn it off after a while so we don't risk burn-in when leaving the Trezor connected for extended periods of time?

WARNING: Trezor not ready

Trezor One, Firmware version 1.7.1

I had been previously able to use trezor-ssh-agent, but since I last used it I have:

  • Restarted the PC
  • Updated my Trezor Firmware

The Trezor works fine on the wallet website, but when using the app and selecting 'Show Public Key' I received the message 'Trezor not ready'.

Steps for recreation:

  • Chrome not running
  • Trezor connected and showing logo
  • Start trezor-ssh-agent
  • Right click, choose 'Show Public Key'

Log:

[12.11.2018 09:31:45] INFO: Java version: 1.8.0_191-b12 (32-bit)
[12.11.2018 09:31:45] INFO: Java home: C:\Program Files (x86)\Java\jre1.8.0_191
[12.11.2018 09:31:45] INFO: Trezor SSH Agent 1.0.3 started successfully
[12.11.2018 09:31:45] INFO: Existing settings file loaded: C:\Users\drew\Trezor_Agent.properties
[12.11.2018 09:31:45] INFO: Trezor Service Started
[12.11.2018 09:31:45] INFO: Received USB event: SHOW_DEVICE_DETACHED
[12.11.2018 09:31:49] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[12.11.2018 09:31:49] WARNING: Trezor not ready.

Will trezor-ssh-agent support per host public key?

Probably not. But it may support multiple keys per wallet and let user decide which key to use.

This application is built with concept that let users keep their ssh clients like Putty or WinSCP. While this brings flexibility for end users it also means that agent is unaware of hostname that client is connecting to. This is different from application romanz/trezor-agent which starts client and agent from single script.

SSH Agent (Pageant) is a bit of a hazy protocol, so there might be something I'm missing. I'm open to any help here.

SSH Agent showed "Trezor not ready" for Trezor T

Hi this is the first time I report an issue, I hope this is the right place to do so. This issue I have posted on reddit too: https://www.reddit.com/r/TREZOR/comments/9uefl4/ssh_agent/

I tried to use SSH agent for the first time, followed every step here https://github.com/martin-lizner/trezor-ssh-agent but it just showed : Trezor not ready. I am not sure why. A similar case I found is https://github.com/martin-lizner/trezor-ssh-agent that it is not compatible with Trezor T, but that post was back in April so I would assume now Trezor T should be supported. Trezor already plugged in and unlocked with PIN but still the same. Will appreciate any help. Thanks.

This is the log file:

[05.11.2018 23:09:12] INFO: Java version: 1.8.0_191-b12 (64-bit)
[05.11.2018 23:09:12] INFO: Java home: C:\Program Files\Java\jre1.8.0_191
[05.11.2018 23:09:13] INFO: Trezor SSH Agent 1.0.3 started successfully
[05.11.2018 23:09:13] INFO: Existing settings file loaded: C:\Users\User\Trezor_Agent.properties
[05.11.2018 23:09:13] INFO: Trezor Service Started
[05.11.2018 23:09:13] INFO: Received USB event: SHOW_DEVICE_DETACHED
[05.11.2018 23:09:19] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[05.11.2018 23:09:19] WARNING: Trezor not ready.
[05.11.2018 23:09:40] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[05.11.2018 23:09:40] WARNING: Trezor not ready.
[05.11.2018 23:09:45] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[05.11.2018 23:09:45] WARNING: Trezor not ready.

Possible update required

Your solution seems like the only relatively simple Windows solution out there, re: SSH and Windows, but now that trezord is obsolete, and the tray icon is no longer there on the taskbar, I wonder what the easiest solution is to display the pubkey on a Windows machine.

The Trezor Wallet app allows me to sign and verify messages, but I don't see a way to display the pubkey there, apart from the Bitcoin addresses. I would love to follow your manual and try it out for myself, but I'm not sure how to retrieve the pubkey on this box at the moment.

Am I making a user boo boo, or could the readme use an update? If it's the latter, feel free to let me know if there's anything I can do to help.

Guide for git use?

Your README says this is for

apps like Putty, WinSCP or other Pageant-compatible clients (e.g. git)

My only interest is using this as a way to access my git repositories, but the readme only covered Putty.

Is there a guide for using this app with git (which I use inside Git Bash), or am I missing something?

Thanks

Pageant failed to answer challenge

I have a KeepKey and when I use "Show Public Key", it works - asking for my PIN and showing a public key. But when I open PuTTY and try to connect, it also asks for my PIN, I see the "loading" bar on the device then an error: "Pageant failed to answer challenge".

In the log, I see:

[09.05.2018 00:02:32] INFO: Java version: 1.8.0_121-b13 (64-bit)
[09.05.2018 00:02:32] INFO: Java home: C:\Program Files\Java\jre8
[09.05.2018 00:02:32] INFO: Trezor SSH Agent 1.0.3 started successfully
[09.05.2018 00:02:32] INFO: Existing settings file loaded: C:\Users\NTICompass\Trezor_Agent.properties
[09.05.2018 00:02:33] INFO: KeepKey Service Started
[09.05.2018 00:02:34] INFO: Received USB event: SHOW_DEVICE_READY
[09.05.2018 00:02:38] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[09.05.2018 00:02:38] INFO: Received USB event: SHOW_PIN_ENTRY
[09.05.2018 00:02:53] INFO: Received USB event: PUBLIC_KEY_FOR_IDENTITY
[09.05.2018 00:02:53] INFO: Operation SSH2_AGENT_GET_IDENTITIES executed successfully
[09.05.2018 00:02:54] INFO: Request for operation: SSH2_AGENT_SIGN_REQUEST
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_OPERATION_FAILED
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_DEVICE_READY
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_OPERATION_FAILED
[09.05.2018 00:02:54] SEVERE: Sign operation failed
com.trezoragent.exception.SignFailedException: Sign operation failed on HW.
	at com.trezoragent.sshagent.DeviceWrapper.signChallenge(DeviceWrapper.java:123)
	at com.trezoragent.sshagent.SSHAgent.processSignRequest(SSHAgent.java:253)
	at com.trezoragent.sshagent.SSHAgent.answerMessage(SSHAgent.java:170)
	at com.trezoragent.sshagent.SSHAgent.answerIfDevicePresent(SSHAgent.java:224)
	at com.trezoragent.sshagent.SSHAgent.processMessage(SSHAgent.java:149)
	at com.trezoragent.sshagent.SSHAgent.callback(SSHAgent.java:111)
	at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.jna.CallbackReference$DefaultCallbackProxy.invokeCallback(CallbackReference.java:485)
	at com.sun.jna.CallbackReference$DefaultCallbackProxy.callback(CallbackReference.java:515)
	at com.sun.jna.Native.invokeInt(Native Method)
	at com.sun.jna.Function.invoke(Function.java:390)
	at com.sun.jna.Function.invoke(Function.java:323)
	at com.sun.jna.Library$Handler.invoke(Library.java:236)
	at com.sun.proxy.$Proxy0.GetMessage(Unknown Source)
	at com.trezoragent.sshagent.SSHAgent.startMainLoop(SSHAgent.java:96)
	at com.trezoragent.gui.TrayProcess.start(TrayProcess.java:96)
	at com.trezoragent.gui.StartAgentGUI.main(StartAgentGUI.java:50)

Cannot detect KeepKey after firmware update

I have a KeepKey and I was on firmware 5.10.2 and it was working with the agent for SSH.

I was curious about updating the KeepKey firmware, but I was worried about losing SSH support. I decided to upgrade to 6.4.0, and unfortunately SSH is not working anymore.

When I use the agent in Windows, I get the following error in the log:

WARNING: KeepKey not ready.

It seems the new upgrade may've changed the device's USB ID, or something like that. Is this is an issue with the KeepKey firmware or with the agent? Is this related to Issue #13 ?
