This project allows you to use various hardware security devices to operate GPG, SSH and age. Instead of keeping your key on your computer and decrypting it with a passphrase when you want to use it, the key is generated and stored on the device and never reaches your computer. Read more about the design here.
You can do things like sign your emails, git commits, and software packages, manage your passwords (with pass and passage, among others), authenticate web tunnels and file transfers, and more.
See the following blog posts about this tool:
Currently TREZOR One, TREZOR Model T, Keepkey, Ledger Nano S, and OnlyKey are supported.
This repository contains source code for one library as well as agents to interact with several different hardware devices:

- `libagent`: shared library
- `trezor-agent`: Using Trezor as hardware-based SSH/PGP/age agent
- `ledger_agent`: Using Ledger as hardware-based SSH/PGP agent
- `jade_agent`: Using Blockstream Jade as hardware-based SSH/PGP agent
- `keepkey_agent`: Using KeepKey as hardware-based SSH/PGP agent
- `onlykey-agent`: Using OnlyKey as hardware-based SSH/PGP agent

The /releases page on Github contains the `libagent` releases.
SSH instructions and common use cases are here
Note: If you're using Windows, see trezor-ssh-agent by Martin Lízner.
GPG instructions and common use cases are here
Hello,
I am on linux (ubuntu 22.04). I have a problem initializing ledger-gpg. The main trezor agent and ledger agent installations seemed to be successful. I am trying to install the ledger-gpg support without installing ledger ssh support. Would that cause any problem? Please see below for the output.
Thank you so much!
Best wishes, Teddy
==== Command Line Output

```text
$ pip3 install --user -e trezor-agent
Obtaining file:///home/myusername/Downloads/trezor-agent
  Preparing metadata (setup.py) ... done
Requirement already satisfied: ConfigArgParse>=0.12.1 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (1.5.3)
Requirement already satisfied: backports.shutil_which>=3.5.1 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (3.5.2)
Requirement already satisfied: bech32>=1.2.0 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (1.2.0)
Requirement already satisfied: cryptography>=3.4.6 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (38.0.4)
Requirement already satisfied: docutils>=0.14 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (0.19)
Requirement already satisfied: ecdsa>=0.13 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (0.18.0)
Requirement already satisfied: mnemonic>=0.18 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (0.20)
Requirement already satisfied: pymsgbox>=1.0.6 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (1.0.9)
Requirement already satisfied: pynacl>=1.4.0 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (1.5.0)
Requirement already satisfied: python-daemon>=2.1.2 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (2.3.2)
Requirement already satisfied: semver>=2.2 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (2.13.0)
Requirement already satisfied: unidecode>=0.4.20 in /home/myusername/.local/lib/python3.10/site-packages (from libagent==0.14.7) (1.3.6)
Requirement already satisfied: wheel>=0.32.3 in /usr/lib/python3/dist-packages (from libagent==0.14.7) (0.37.1)
Requirement already satisfied: cffi>=1.12 in /home/myusername/.local/lib/python3.10/site-packages (from cryptography>=3.4.6->libagent==0.14.7) (1.15.1)
Requirement already satisfied: six>=1.9.0 in /usr/lib/python3/dist-packages (from ecdsa>=0.13->libagent==0.14.7) (1.16.0)
Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from python-daemon>=2.1.2->libagent==0.14.7) (59.6.0)
Requirement already satisfied: lockfile>=0.10 in /home/myusername/.local/lib/python3.10/site-packages (from python-daemon>=2.1.2->libagent==0.14.7) (0.12.2)
Requirement already satisfied: pycparser in /home/myusername/.local/lib/python3.10/site-packages (from cffi>=1.12->cryptography>=3.4.6->libagent==0.14.7) (2.21)
Installing collected packages: libagent
  Attempting uninstall: libagent
    Found existing installation: libagent 0.14.7
    Uninstalling libagent-0.14.7:
      Successfully uninstalled libagent-0.14.7
  Running setup.py develop for libagent
Successfully installed libagent

$ pip3 install --user -e trezor-agent/agents/ledger
Obtaining file:///home/myusername/Downloads/trezor-agent/agents/ledger
  Preparing metadata (setup.py) ... done
Requirement already satisfied: ledgerblue>=0.1.8 in /home/myusername/.local/lib/python3.10/site-packages (from ledger-agent==0.9.0) (0.1.45)
Requirement already satisfied: libagent>=0.9.0 in ./trezor-agent (from ledger-agent==0.9.0) (0.14.7)
Requirement already satisfied: pillow>=3.4.0 in /usr/lib/python3/dist-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (9.0.1)
Requirement already satisfied: hidapi>=0.7.99 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (0.13.1)
Requirement already satisfied: python-u2flib-host>=3.0.2 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (3.0.3)
Requirement already satisfied: protobuf>=2.6.1 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (4.22.0)
Requirement already satisfied: ecpy>=0.9.0 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (1.2.5)
Requirement already satisfied: future in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (0.18.3)
Requirement already satisfied: nfcpy>=1.0.4 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (1.0.4)
Requirement already satisfied: pycryptodomex>=3.6.1 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (3.17)
Requirement already satisfied: websocket-client>=0.56.0 in /home/myusername/.local/lib/python3.10/site-packages (from ledgerblue>=0.1.8->ledger-agent==0.9.0) (1.5.1)
Requirement already satisfied: ConfigArgParse>=0.12.1 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (1.5.3)
Requirement already satisfied: backports.shutil_which>=3.5.1 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (3.5.2)
Requirement already satisfied: bech32>=1.2.0 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (1.2.0)
Requirement already satisfied: cryptography>=3.4.6 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (38.0.4)
Requirement already satisfied: docutils>=0.14 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (0.19)
Requirement already satisfied: ecdsa>=0.13 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (0.18.0)
Requirement already satisfied: mnemonic>=0.18 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (0.20)
Requirement already satisfied: pymsgbox>=1.0.6 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (1.0.9)
Requirement already satisfied: pynacl>=1.4.0 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (1.5.0)
Requirement already satisfied: python-daemon>=2.1.2 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (2.3.2)
Requirement already satisfied: semver>=2.2 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (2.13.0)
Requirement already satisfied: unidecode>=0.4.20 in /home/myusername/.local/lib/python3.10/site-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (1.3.6)
Requirement already satisfied: wheel>=0.32.3 in /usr/lib/python3/dist-packages (from libagent>=0.9.0->ledger-agent==0.9.0) (0.37.1)
Requirement already satisfied: cffi>=1.12 in /home/myusername/.local/lib/python3.10/site-packages (from cryptography>=3.4.6->libagent>=0.9.0->ledger-agent==0.9.0) (1.15.1)
Requirement already satisfied: six>=1.9.0 in /usr/lib/python3/dist-packages (from ecdsa>=0.13->libagent>=0.9.0->ledger-agent==0.9.0) (1.16.0)
Requirement already satisfied: setuptools>=19.0 in /usr/lib/python3/dist-packages (from hidapi>=0.7.99->ledgerblue>=0.1.8->ledger-agent==0.9.0) (59.6.0)
Requirement already satisfied: libusb1 in /home/myusername/.local/lib/python3.10/site-packages (from nfcpy>=1.0.4->ledgerblue>=0.1.8->ledger-agent==0.9.0) (3.0.0)
Requirement already satisfied: ndeflib in /home/myusername/.local/lib/python3.10/site-packages (from nfcpy>=1.0.4->ledgerblue>=0.1.8->ledger-agent==0.9.0) (0.3.3)
Requirement already satisfied: pyserial in /home/myusername/.local/lib/python3.10/site-packages (from nfcpy>=1.0.4->ledgerblue>=0.1.8->ledger-agent==0.9.0) (3.5)
Requirement already satisfied: pydes in /home/myusername/.local/lib/python3.10/site-packages (from nfcpy>=1.0.4->ledgerblue>=0.1.8->ledger-agent==0.9.0) (2.0.1)
Requirement already satisfied: lockfile>=0.10 in /home/myusername/.local/lib/python3.10/site-packages (from python-daemon>=2.1.2->libagent>=0.9.0->ledger-agent==0.9.0) (0.12.2)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-u2flib-host>=3.0.2->ledgerblue>=0.1.8->ledger-agent==0.9.0) (2.25.1)
Requirement already satisfied: pycparser in /home/myusername/.local/lib/python3.10/site-packages (from cffi>=1.12->cryptography>=3.4.6->libagent>=0.9.0->ledger-agent==0.9.0) (2.21)
Installing collected packages: ledger-agent
  Attempting uninstall: ledger-agent
    Found existing installation: ledger-agent 0.9.0
    Uninstalling ledger-agent-0.9.0:
      Successfully uninstalled ledger-agent-0.9.0
  Running setup.py develop for ledger-agent
Successfully installed ledger-agent

$ ledger-gpg init "User Name username@abc.com" -v
2023-02-24 09:35:40,678 WARNING This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [init.py:118]
2023-02-24 09:35:40,693 INFO device name: ledger [init.py:126]
2023-02-24 09:35:40,693 INFO GPG home directory: /home/myusername/.gnupg/ledger [init.py:131]
2023-02-24 09:35:40,711 WARNING NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [init.py:33]
Traceback (most recent call last):
  File "/home/myusername/.local/bin/ledger-gpg", line 33, in
```
Environment

- Python 3.10.9
- Setuptools 67.2.0
- Packaging 23.0

Issue: when I run `ledger-agent`, the following error pops up:
```text
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/pkg_resources/__init__.py", line 2711, in _dep_map
    return self.__dep_map
  File "/usr/lib/python3.10/site-packages/pkg_resources/__init__.py", line 2826, in __getattr__
    raise AttributeError(attr)
AttributeError: _Distribution__dep_map

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/packaging/requirements.py", line 35, in __init__
    parsed = parse_requirement(requirement_string)
  File "/usr/lib/python3.10/site-packages/packaging/_parser.py", line 64, in parse_requirement
    return _parse_requirement(Tokenizer(source, rules=DEFAULT_RULES))
  File "/usr/lib/python3.10/site-packages/packaging/_parser.py", line 82, in _parse_requirement
    url, specifier, marker = _parse_requirement_details(tokenizer)
  File "/usr/lib/python3.10/site-packages/packaging/_parser.py", line 126, in _parse_requirement_details
    marker = _parse_requirement_marker(
  File "/usr/lib/python3.10/site-packages/packaging/_parser.py", line 147, in _parse_requirement_marker
    tokenizer.raise_syntax_error(
  File "/usr/lib/python3.10/site-packages/packaging/_tokenizer.py", line 163, in raise_syntax_error
    raise ParserSyntaxError(
packaging._tokenizer.ParserSyntaxError: Expected end or semicolon (after version specifier)
    python-pyscard>=1.6.12-4build1
                  ~~~~~~~~~~^

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/antonio/.local/bin/ledger-agent", line 8, in
```
I found this issue https://github.com/pypa/setuptools/issues/3801 with this information:

> The requirement `python-pyscard>=1.6.12-4build1` has an invalid version (ref: PEP 440, PEP 508).

And this related issue: https://github.com/pypa/setuptools/issues/3772#issuecomment-1384342813
Still, I do not know how to fix it.
Would anyone know what is to be done to get the ledger-agent to work again?
Thanks
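The error quoted in this report comes from `packaging` refusing a distro-style version (`1.6.12-4build1`) that is not valid under PEP 440. The following script, added here as an example and not part of trezor-agent or setuptools, checks version strings against the PEP 440 grammar (the regex from the PEP's appendix) and scans the installed distributions for any whose own version or `Requires-Dist` entries would trip the same parser, so the offending package can be located before an agent is started. The sample pairs in the test are constructed.

```python
import re
from importlib.metadata import distributions

# PEP 440 version grammar, matched against the whole (stripped) string.
_PEP440 = re.compile(r"""
    v?
    (?:
        (?:(?P<epoch>[0-9]+)!)?                          # epoch
        (?P<release>[0-9]+(?:\.[0-9]+)*)                 # release segment
        (?P<pre>[-_\.]?(alpha|a|beta|b|preview|pre|c|rc)[-_\.]?[0-9]*)?
        (?P<post>(?:-[0-9]+)|(?:[-_\.]?(post|rev|r)[-_\.]?[0-9]*))?
        (?P<dev>[-_\.]?dev[-_\.]?[0-9]*)?
    )
    (?:\+[a-z0-9]+(?:[-_\.][a-z0-9]+)*)?                 # local version
""", re.VERBOSE | re.IGNORECASE)

# Simplified single-specifier requirement: name, operator, version.
# "===" and "<="/">=" are listed before their shorter prefixes on purpose.
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|!=|~=|<=|>=|<|>)\s*([^\s;,]+)")


def is_pep440(version: str) -> bool:
    """True if the version string is accepted by the PEP 440 grammar."""
    return _PEP440.fullmatch(version.strip()) is not None


def bad_requirement_version(req: str):
    """Return the offending version from a requirement like
    'python-pyscard>=1.6.12-4build1', or None if it parses cleanly."""
    m = _REQ.match(req)
    if not m:
        return None
    return None if is_pep440(m.group(3)) else m.group(3)


def invalid_versions(dists):
    """dists: iterable of (name, version). Returns the non-compliant pairs."""
    return [(name, ver) for name, ver in dists if not is_pep440(ver)]


def scan_installed():
    """Check every installed distribution's version and Requires-Dist lines;
    returns [(distribution name, offending string)] for the environment."""
    findings = []
    for dist in distributions():
        name = dist.metadata.get("Name", "?")
        version = dist.version or ""
        if not is_pep440(version):
            findings.append((name, version))
        for req in dist.requires or []:
            if bad_requirement_version(req):
                findings.append((name, req))
    return findings
```

Running `scan_installed()` on the reporter's environment should list the distribution that declares `python-pyscard>=1.6.12-4build1`; a Debian-style suffix such as `-4build1` is what PEP 440 rejects, while `1.6.12` alone would pass.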
This should enable the usage of SSH-certificates using the ED25519 curve.
I want to create a subkey for my master key, but I only found this comment by Roman:
The --subkey feature is usually used to add TREZOR-based GPG keys to non-TREZOR-based existing GPG keys, e.g. see the following example for adding NISTP-256 TREZOR-based subkeys to existing RSA-2048 non-TREZOR-based GPG identity: https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md#generate-gnupg-subkeys.
Am I only able to use the master key created by my Trezor to use for GPG? I would like to create individual keys for signing, authenticating, etc and leave the master key alone.
Even if I try to create subkeys for an existing NON-Trezor key, it doesn't seem to work as I get errors.
If I create a GPG key pair on my regular mac desktop, I am able to see it with "gpg -k". If I update my environment .bash_profile with export GNUPGHOME=~/.gnupg/trezor, I will not see this key that I created on my mac and only see the keys I created with the trezor. If I want to go by what Roman had said above, where creating subkeys is really for existing NON-Trezor-based keys, then I'm unable to do so because these are in 2 different files.
Is there a way to create subkeys and use them normally?
I also noticed I'm unable to choose the key size, like 4096, is that because it's tied with the seed phrase of the Trezor when I initialized it?
Thanks!
Unfortunately on Windows the `daemon` import causes a confusing `ModuleNotFoundError: No module named 'pwd'`, whereas, to my understanding, `python-daemon` just does not support Windows at all. Could you please use a cross-platform compatible alternative? I've found Daemoniker https://daemoniker.readthedocs.io/en/latest/ which might do the trick, or maybe something mentioned on https://stackoverflow.com/q/12843903/321973