Cannot sign certificate with Trezor as SSH CA #491

Open
movefasta opened this issue Oct 18, 2024 · 4 comments · May be fixed by #493

Comments

@movefasta

Device: Trezor Model T
OS: NixOS 24.11.20241015.7881fbf (Vicuna)
Versions: trezor-agent=0.12.0, libagent=0.15.0

When I try to sign a file, it works fine:

```console
> trezor-agent -e ed25519 [email protected] -- ssh-keygen -Y sign -f ~/.ssh/trezor-github.pub -n file README.md
Signing file README.md
Write signature to README.md.sig
> cat README.md.sig
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgAtOko3bPtNBNxLlyDKYV2MUt00
R5nHcDqYgXKOK7Y6cAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
OQAAAEAw7ANBx73olTBSW0TcbjozUJ8mgOeZuNCnc8wcY60IkeaZi0zXvv3DpIxF2Fd/MO
5UvTSCgAyM+XwzZahWsrIB
-----END SSH SIGNATURE-----
```

If I try to sign a pubkey to create an SSH certificate, libagent returns EOFError:

```console
trezor-agent -e ed25519 [email protected] -- ssh-keygen -Us ~/.ssh/trezor-github.pub -I 2024_ed25519 2024_ed25519.pub
2024-10-18 13:46:39,513 ERROR        signature with "<ssh://[email protected]|ed25519>" key failed [protocol.py:151]
Traceback (most recent call last):
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/ssh/protocol.py", line 147, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/ssh/__init__.py", line 279, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/ssh/client.py", line 35, in sign_ssh_challenge
    msg = parse_ssh_blob(blob)
          ^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/ssh/client.py", line 71, in parse_ssh_blob
    res['user'] = util.read_frame(i)
                  ^^^^^^^^^^^^^^^^^^
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/util.py", line 53, in read_frame
    return recv(conn, size)
           ^^^^^^^^^^^^^^^^
  File "/nix/store/x4dypckndkdvqh3lvfv58wnayj2a0bla-python3.12-libagent-0.15.0/lib/python3.12/site-packages/libagent/util.py", line 40, in recv
    raise EOFError
EOFError
Couldn't certify 2024_ed25519.pub via agent: communication with agent failed
```
romanz added a commit that referenced this issue Nov 23, 2024
Fixes #491.

Usage example:

```bash
trezor-agent -v 'SSH Certificate Authority' > /path/to/trezor-ca.pub

echo 'TrustedUserCAKeys /etc/ssh/trezor-ca.pub' | sudo tee -a /etc/ssh/sshd_config

ssh-keygen -t ed25519 -f user-key

trezor-agent -v 'SSH Certificate Authority' -- \
  ssh-keygen -Us trezor-ca.pub -V '+10m' -I user-id -n user user-key.pub

ssh user@localhost -o CertificateFile=user-key-cert.pub -i user-key
```
@romanz romanz linked a pull request Nov 23, 2024 that will close this issue
romanz added a commit that referenced this issue Nov 23, 2024
Fixes #491.

Usage example:

  ## generate TREZOR-based SSH CA public key
  $ trezor-agent -v 'SSH Certificate Authority' > /etc/ssh/trezor-ca.pub
  $ echo 'TrustedUserCAKeys /etc/ssh/trezor-ca.pub' | sudo tee -a /etc/ssh/sshd_config
  $ sudo systemctl restart ssh

  ## generate user-specific SSH key and certify it using trezor-agent
  $ ssh-keygen -t ed25519 -f user-key
  $ trezor-agent -v 'SSH Certificate Authority' -- \
      ssh-keygen -Us trezor-ca.pub -V '+10m' -I user-id -n user user-key.pub
  ...
  Signed user key user-key-cert.pub: id "user-id" serial 0 for user valid from 2024-11-23T20:25:00 to 2024-11-23T20:36:27

  ## use the certificate to login
  ssh -v user@localhost -o CertificateFile=user-key-cert.pub -i user-key
  ...
  debug1: Will attempt key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
  debug1: Will attempt key: user-key ED25519 SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
  ...
  debug1: Offering public key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
  debug1: Server accepts key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
  Authenticated to localhost ([::1]:22) using "publickey".
  ...
@romanz
Owner

romanz commented Nov 25, 2024

@movefasta could you please try #493?

@movefasta
Author

> @movefasta could you please try #493?

Thank you very much.
I've tested branch ca-fixup and it works well:

```console
ssh-keygen -Us ~/.ssh/trezor-github.pub -I 2024_ed25519 2024_ed25519.pub
Signed user key 2024_ed25519-cert.pub: id "2024_ed25519" serial 0 valid forever
```

but my old Trezor S still views it on the device screen as an SSH login (same as when signing a git commit or tag).

@romanz
Owner

romanz commented Nov 26, 2024

> still view it on device screen as SSH login

Indeed, currently TREZOR firmware is signing the same blob passed from ssh-agent protocol (via SignIdentity.challenge_hidden bytes), without parsing it on-device:

```python
with self.device:
    return self.device.sign(blob=blob, identity=identity)
```

Confirmation: https://github.com/trezor/trezor-firmware/blob/6f7fccaac26ddc8895af75069bcb3b0b34e5bea9/legacy/firmware/fsm_msg_crypto.h#L80-L81

Signature: https://github.com/trezor/trezor-firmware/blob/6f7fccaac26ddc8895af75069bcb3b0b34e5bea9/legacy/firmware/fsm_msg_crypto.h#L122-L124
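The consequence of the behaviour described above is that the device cannot tell the user whether the blob it is signing is a login challenge, an SSHSIG payload (file or git signing) or a certificate body (acting as a CA): the same SSH_AGENTC_SIGN_REQUEST carries all three, and the EOFError in this issue came from assuming the first layout. The following is an added example, not libagent or trezor-firmware code, of a host-side classifier that parses the three layouts (per the ssh-agent protocol, OpenSSH's PROTOCOL.certkeys and PROTOCOL.sshsig) so an agent can log or display what is really about to be signed, and reports truncation as a ValueError instead of a bare EOFError. All sample blobs are constructed inline; the key bytes, user names and timestamps in them are made up.

```python
"""Classify the blob an SSH agent is asked to sign (added example, not libagent code)."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSHSIG_MAGIC = b"SSHSIG"
CERT_SUFFIX = b"-cert-v01@openssh.com"
# Number of public-key fields that follow the nonce in a certificate body; it
# depends on the key algorithm (ed25519: pk; rsa: e, n; ecdsa: curve, Q).
CERT_PUBKEY_FIELDS = {b"ssh-ed25519": 1, b"ssh-rsa": 2, b"ecdsa-sha2-nistp256": 2,
                      b"ecdsa-sha2-nistp384": 2, b"ecdsa-sha2-nistp521": 2}


class Reader:
    """Cursor over RFC 4251 wire data; raises ValueError (not EOFError) on truncation."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated blob: need {n} bytes at offset {self.pos}")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def uint64(self) -> int:
        return struct.unpack(">Q", self.take(8))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())


def ssh_string(b: bytes) -> bytes:
    """Encode an RFC 4251 string: uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def classify_sign_blob(blob: bytes) -> dict:
    """Return a dict saying what kind of payload the sign request carries."""
    if blob.startswith(SSHSIG_MAGIC):  # PROTOCOL.sshsig: magic is not length-prefixed
        r = Reader(blob)
        r.take(len(SSHSIG_MAGIC))
        namespace, _reserved, hash_alg, _digest = r.string(), r.string(), r.string(), r.string()
        return {"kind": "sshsig", "namespace": namespace.decode(), "hash_alg": hash_alg.decode()}

    r = Reader(blob)
    first = r.string()
    if first.endswith(CERT_SUFFIX):  # PROTOCOL.certkeys: body up to the CA signature
        algo = first[:-len(CERT_SUFFIX)]
        fields = CERT_PUBKEY_FIELDS.get(algo)
        if fields is None:
            return {"kind": "certificate", "algo": algo.decode(), "detail": "unsupported key algorithm"}
        r.string()  # nonce
        for _ in range(fields):
            r.string()  # certified public key components
        serial, cert_type, key_id = r.uint64(), r.uint32(), r.string()
        principals, p = [], Reader(r.string())  # nested list of strings
        while p.pos < len(p.data):
            principals.append(p.string().decode())
        valid_after, valid_before = r.uint64(), r.uint64()
        return {"kind": "certificate", "algo": algo.decode(), "serial": serial,
                "cert_type": "user" if cert_type == 1 else "host", "key_id": key_id.decode(),
                "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

    # Otherwise the first string is the session id of an SSH_MSG_USERAUTH_REQUEST.
    if r.take(1)[0] != SSH_MSG_USERAUTH_REQUEST:
        return {"kind": "unknown"}
    user, service, method = r.string(), r.string(), r.string()
    return {"kind": "userauth", "user": user.decode(), "service": service.decode(),
            "method": method.decode()}


# Constructed sample blobs (not captured from a real session).
def sample_userauth_blob() -> bytes:
    pubkey = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
    return (ssh_string(b"\xaa" * 32) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(b"git") + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x01" + ssh_string(b"ssh-ed25519") + ssh_string(pubkey))


def sample_cert_blob() -> bytes:
    principals = ssh_string(b"user") + ssh_string(b"deploy")
    return (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\x22" * 32)  # nonce
            + ssh_string(b"\x33" * 32) + struct.pack(">QI", 7, 1) + ssh_string(b"2024_ed25519")
            + ssh_string(principals) + struct.pack(">QQ", 1732393500, 1732394187)
            + ssh_string(b"") + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))
            + ssh_string(b"") + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x44" * 32)))


def sample_sshsig_blob() -> bytes:
    return (SSHSIG_MAGIC + ssh_string(b"file") + ssh_string(b"") + ssh_string(b"sha512")
            + ssh_string(b"\x55" * 64))


if __name__ == "__main__":
    for blob in (sample_userauth_blob(), sample_cert_blob(), sample_sshsig_blob()):
        print(classify_sign_blob(blob))
```

Running the module prints one line per sample: the login request reveals the user and method, the certificate body reveals key id, principals and validity window, and the SSHSIG payload reveals its namespace. Feeding a truncated certificate body raises a ValueError naming the offset, which is the diagnostic the traceback in this issue lacked.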
