SSH Agent
1. Configuration
The agent requires no configuration, but you may put common command line options in ~/.ssh/agent.conf
to avoid repeating them in every invocation.
See (trezor|keepkey|ledger)-agent -h
for details on the configuration file format and the options it accepts.
2. Usage
To get your public key so you can add it to authorized_keys on a server,
or allow SSH access to a service that supports it, run:
(trezor|keepkey|ledger)-agent identity@myhost
There are two main ways to invoke SSH:
1. Run your command with the agent's environment
If you run:
$ (trezor|keepkey|ledger)-agent _ COMMAND --WITH --ARGUMENTS
the agent is started in the background and the command is executed with environment variables set up to use the SSH agent. The _ is an ignored parameter. The agent will exit after the command completes.
As a shortcut you can run
$ (trezor|keepkey|ledger)-agent _ -s
to start a shell with the proper environment.
2. Connect to a server directly via (trezor|keepkey|ledger)-agent
If you just want to connect to a server this is the simplest way to do it:
$ (trezor|keepkey|ledger)-agent user@remotehost -c ARGS FOR SSH
3. Common Use Cases
Start a single SSH session
Start multiple SSH sessions from a sub-shell
This feature allows using regular SSH-related commands within a subprocess running the user's shell.
The SSH_AUTH_SOCK environment variable is defined for the subprocess (pointing to the SSH agent, running as a parent process).
This way the user can use SSH-related commands (e.g. ssh, ssh-add, sshfs, git, hg), while authenticating via the hardware device.
Load different SSH identities from configuration file
Implement passwordless login
Run:
/tmp $ trezor-agent user@ssh.hostname.com -v > hostname.pub
2015-09-02 15:03:18,929 INFO getting "ssh://user@ssh.hostname.com" public key from Trezor...
2015-09-02 15:03:23,342 INFO disconnected from Trezor
/tmp $ cat hostname.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGSevcDwmT+QaZPUEWUUjTeZRBICChxMKuJ7dRpBSF8+qt+8S1GBK5Zj8Xicc8SHG/SE/EXKUL2UU3kcUzE7ADQ= ssh://user@ssh.hostname.com
Append the contents of hostname.pub to the /home/user/.ssh/authorized_keys
file at ssh.hostname.com, so the remote server
will allow you to log in using a signature made with the corresponding private key (which never leaves the device).
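The step above is usually done by hand with cat and an editor. As an added example (not part of trezor-agent), the helper below installs an exported public key line into an authorized_keys file idempotently: it rejects lines that do not look like an OpenSSH public key, skips keys that are already present (comparing key type and blob, not the trailing comment), and sets the permissions sshd insists on. The key line and file paths in the demo are constructed, not real keys.

```shell
#!/bin/sh
# install_authorized_key KEYFILE PUBKEY_LINE
# Appends PUBKEY_LINE to KEYFILE unless the same key type + key blob is
# already there. Returns 0 on success (including "already present"),
# 1 if the line does not have the shape "<type> <base64-blob> [comment]".
install_authorized_key() {
    keyfile=$1 pubkey=$2

    # Split the key line into words without letting the shell glob-expand
    # anything (a stray '*' in a comment must not become a file list).
    set -f
    set -- $pubkey
    set +f
    ktype=$1 kblob=$2
    [ -n "$ktype" ] && [ -n "$kblob" ] || {
        echo "malformed key line" >&2; return 1; }

    # Only accept key types OpenSSH actually knows about.
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-*) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac

    # The blob must be plain base64; anything else is a copy/paste accident.
    printf '%s' "$kblob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || {
        echo "key blob is not base64" >&2; return 1; }

    # sshd (with StrictModes, the default) refuses group/world-writable
    # ~/.ssh or authorized_keys, so fix permissions while we are here.
    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"

    # Idempotent: compare type and blob only, so a different comment on the
    # same key does not produce a duplicate entry.
    if grep -qF -- "$ktype $kblob" "$keyfile"; then
        echo "key already present in $keyfile"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
    echo "key added to $keyfile"
}

# count_keys KEYFILE: number of non-empty, non-comment entries.
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" 2>/dev/null || echo 0
}

# Demo with a constructed (not real) ed25519 key line and a temp directory.
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedBlob0000000000000000000 ssh://user@ssh.hostname.com'
install_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_key"
install_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_key"   # no duplicate
echo "entries: $(count_keys "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the real host you would run it with the file produced by the trezor-agent command above, e.g. `install_authorized_key ~/.ssh/authorized_keys "$(cat hostname.pub)"`, after copying hostname.pub over by some already-trusted channel.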
Access remote Git/Mercurial repositories
Copy your public key and register it in your repository web interface (e.g. GitHub):
$ trezor-agent -v -e ed25519 git@github.com | xclip
Use the following Bash alias for convenient Git operations:
$ alias git_hub='trezor-agent -v -e ed25519 git@github.com -- git'
Replace git with git_hub for remote operations:
$ git_hub push origin master
The same works for Mercurial (e.g. on BitBucket):
$ trezor-agent -v -e ed25519 git@bitbucket.org -- hg push
4. Troubleshooting
If the SSH connection fails to work, please open an issue with a verbose log attached (obtained by running trezor-agent -vv).
Incompatible SSH options
Note that your local SSH configuration may ignore trezor-agent if it has the IdentitiesOnly option set to yes. ssh_config(5) describes it as follows:
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files configured in
the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities.
The argument to this keyword must be “yes” or “no”.
This option is intended for situations where ssh-agent offers many different identities.
The default is “no”.
Because ssh takes the first value of each keyword from the first matching Host block, an IdentitiesOnly yes inside a Host * block or a host-specific block will silently hide every key the agent offers, including the one on your hardware device.
If you are failing to connect, try running:
$ trezor-agent -vv user@host -- ssh -vv -oIdentitiesOnly=no user@host
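To find out whether a given host is affected before reaching for -oIdentitiesOnly=no, you can ask ssh itself with ssh -G host | grep identitiesonly (OpenSSH 6.8 and later). The following added example (not part of trezor-agent) does the same lookup without needing ssh installed, to show the rule ssh applies: walk the config top to bottom, keep the first IdentitiesOnly value whose Host block matches, and fall back to the default "no". It is deliberately simplified: it handles Host lines with glob patterns and multiple patterns, but not Match blocks, negated (!) patterns, Include, or the Keyword=value spelling. The config in the demo is constructed.

```shell
#!/bin/sh
# host_matches HOST PATTERN...: true if HOST matches any glob PATTERN,
# using the shell's own case-pattern matching (same * and ? semantics
# as ssh_config's host patterns).
host_matches() {
    h=$1; shift
    for pat in "$@"; do
        case $h in $pat) return 0 ;; esac
    done
    return 1
}

# effective_identities_only CONFIG_FILE HOST
# Prints the IdentitiesOnly value ssh would use for HOST ("yes" or "no").
# ssh keeps the first value it sees for a keyword, so the first matching
# Host block that sets IdentitiesOnly wins; the default is "no".
effective_identities_only() {
    cfg=$1 host=$2 result="" current="*"
    set -f   # no pathname expansion while we split config lines on whitespace
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # strip trailing comments
        set -- $line                # split into keyword and arguments
        [ $# -ge 2 ] || continue    # blank line or keyword without value
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        shift
        case $key in
            host)
                current=$* ;;       # all remaining words are host patterns
            identitiesonly)
                [ -n "$result" ] && continue   # first value already taken
                if host_matches "$host" $current; then
                    result=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
                fi ;;
        esac
    done < "$cfg"
    set +f
    printf '%s\n' "${result:-no}"
}

# Demo with a constructed ~/.ssh/config that hides agent keys for one host.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed example config, not a real user's file
Host github.com
    User git
    IdentitiesOnly yes            # only ~/.ssh/id_ed25519, agent keys ignored
    IdentityFile ~/.ssh/id_ed25519

Host *.internal.example
    User deploy

Host *
    IdentitiesOnly no
EOF
for h in github.com build.internal.example; do
    v=$(effective_identities_only "$demo_cfg" "$h")
    if [ "$v" = yes ]; then
        echo "$h: IdentitiesOnly=yes, trezor-agent keys will be ignored; use -oIdentitiesOnly=no"
    else
        echo "$h: IdentitiesOnly=no, agent keys are offered"
    fi
done
rm -f "$demo_cfg"
```

If the lookup reports "yes" for the host you are trying to reach, either remove that setting from the matching Host block or override it on the command line as shown above; adding an IdentityFile for the agent key does not help, since the private key is on the device and has no file on disk.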