
Support SSH CA generation #493

Open: wants to merge 2 commits into master

Conversation

romanz (Owner) commented Nov 23, 2024

Fixes #491.

Usage example:

```console
## generate TREZOR-based SSH CA public key
$ trezor-agent -v 'SSH Certificate Authority' > /etc/ssh/trezor-ca.pub
$ echo 'TrustedUserCAKeys /etc/ssh/trezor-ca.pub' | sudo tee -a /etc/ssh/sshd_config
$ sudo systemctl restart ssh

## generate user-specific SSH key and certify it using trezor-agent
$ ssh-keygen -t ed25519 -f user-key
$ trezor-agent -v 'SSH Certificate Authority' -- \
      ssh-keygen -Us trezor-ca.pub -V '+10m' -I user-id -n user user-key.pub
...
Signed user key user-key-cert.pub: id "user-id" serial 0 for user valid from 2024-11-23T20:25:00 to 2024-11-23T20:36:27
```

Certification requires the following on-device approval:

[image: Trezor on-device confirmation prompt]

```console
## use the certificate to login
ssh -v user@localhost -o CertificateFile=user-key-cert.pub -i user-key
...
debug1: Will attempt key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
debug1: Will attempt key: user-key ED25519 SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
...
debug1: Offering public key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
debug1: Server accepts key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
Authenticated to localhost ([::1]:22) using "publickey".
```

Merging this pull request may close issue #491: Cannot sign certificate with Trezor as SSH CA