LedgerHQ / app-ssh-agent

Simple SSH and GPG agent for Ledger Blue and Nano S
Apache License 2.0
81 stars 27 forks

Code cleanup #37

Closed cbouvet-ledger closed 1 year ago

cbouvet-ledger commented 1 year ago
ilap commented 1 year ago

Hi @xchapron-ledger

When do we expect this branch to be merged into the master and its availability in the Ledger Live?

Cheers

xchapron-ledger commented 1 year ago

> Hi @xchapron-ledger
>
> When do we expect this branch to be merged into the master and its availability in the Ledger Live?
>
> Cheers

I think @cbouvet-ledger is performing some additional tests before merging. As for the deployment, I'm not sure yet, maybe @cbouvet-ledger has more info?

cbouvet-ledger commented 1 year ago

@ilap I think this week !

ilap commented 1 year ago

Hi @cbouvet-ledger

When do we expect the updated ssh agent in LedgerLive's App catalog? As the latest still only has the SSH/PGP Agent v0.0.7.

Cheers

Pal

cbouvet-ledger commented 1 year ago

Hello @ilap ,

I've just versioned the new app as 0.0.8 and notified the ledger_agent (pip package) developer that he will need to modify his agent. (https://github.com/romanz/trezor-agent/issues/414)

We will now deploy the app, sorry for the delay. Please ensure that you use the latest agent.py from this repo until romanz updates his ledger_agent if you use the pip package.

Cheers

ilap commented 1 year ago

Hi @cbouvet-ledger,

Thank you

cbouvet-ledger commented 1 year ago

Hello @ilap,

I've started the deployment, but it's not on the official servers yet. Will ping you once it's there, sorry for the delay.

cbouvet-ledger commented 1 year ago

Hello @ilap, it should be available as of yesterday :smile:

ilap commented 1 year ago

Hi @cbouvet-ledger

Thx for that, but it does not seem to be working for me. I installed SSH/PGP v0.0.8 and am using the trezor-agent master repo, but it always falls back to password despite that being disabled. Tried with Ubuntu 20.04 LTS (OpenSSH v8.2p1) and 22.04 LTS (OpenSSH v8.9p1). Though, I am using ed25519.

UPDATED

```
2023-02-07 13:10:04,250 DEBUG        parsed identity: {'proto': 'ssh', 'user': 'user', 'host': 'server', 'port': None, 'path': None}     [interface.py:30]
2023-02-07 13:10:04,251 DEBUG        identity parts: ['ssh://', 'user@', 'server']                                                       [interface.py:46]
2023-02-07 13:10:04,251 INFO         identity #0: <ssh://user@server|ed25519>                                                            [__init__.py:273]
2023-02-07 13:10:04,256 WARNING      DISPLAY not defined                                                                                  [ui.py:92]
2023-02-07 13:10:04,256 INFO         using [b'ttyname=/dev/ttys000'] for pinentry options                                                 [ui.py:94]
HID => b001000000
HID <= 010d5353482f504750204167656e7405302e302e3801029000
2023-02-07 13:10:04,278 DEBUG        running app bytearray(b'SSH/PGP Agent'), version bytearray(b'0.0.8')                                 [ledger.py:55]
2023-02-07 13:10:04,278 DEBUG        identity parts: ['ssh://', 'user@', 'server']                                                       [interface.py:46]
2023-02-07 13:10:04,278 DEBUG        bip32 address string: b'\x00\x00\x00\x00ssh://user@server'                                          [interface.py:88]
2023-02-07 13:10:04,278 DEBUG        apdu: b"\x80\x02\x00\x02\x15\x05\x80\x00\x00\r\xa4~!#\x9aQ\x10d\xb7\xbe\xc2'\xf8\xfa\x07\x8d"        [ledger.py:94]
HID => 8002000215058000000da47e21239a511064b7bec227f8fa078d
HID <= 410451458c3b50fcd0e5dda7171da57f6e9bbdd47e65174bf9a6d66e9e5c620078fa6014f998b2fe8b44dd39bb65f202a033ec72a71f8d8e5c3e34f404db448604c89000
2023-02-07 13:10:06,651 DEBUG        result: bytearray(b'A\x04QE\x8c;P\xfc\xd0\xe5\xdd\xa7\x17\x1d\xa5\x7fn\x9b\xbd\xd4~e\x17K\xf9\xa6\xd6n\x9e\\b\x00x\xfa`\x14\xf9\x98\xb2\xfe\x8bD\xdd9\xbbe\xf2\x02\xa03\xecr\xa7\x1f\x8d\x8e\\>4\xf4\x04\xdbD\x86\x04\xc8') [ledger.py:96]
2023-02-07 13:10:06,652 DEBUG        identity parts: ['ssh://', 'user@', 'server']                                                       [interface.py:46]
2023-02-07 13:10:06,652 DEBUG        fingerprint: 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                                         [formats.py:213]
2023-02-07 13:10:06,661 DEBUG        local SSH version: b'OpenSSH_9.0p1, LibreSSL 3.3.6\n'                                                [__init__.py:132]
2023-02-07 13:10:06,662 DEBUG        serving on /var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-agent-9ft991kk                [server.py:30]
2023-02-07 13:10:06,662 DEBUG        server thread started                                                                                [server.py:121]
2023-02-07 13:10:06,662 DEBUG        waiting for connection on /var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-agent-9ft991kk [server.py:129]
2023-02-07 13:10:06,662 INFO         running ['ssh', '-l', 'user', '-o', 'IdentityFile=/var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-pubkey-e_7835ye', '-o', 'IdentitiesOnly=true', 'server'] with {'SSH_AUTH_SOCK': '/var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-agent-9ft991kk', 'SSH_AGENT_PID': '57014'} [server.py:156]
2023-02-07 13:10:06,664 DEBUG        subprocess 57017 is running                                                                          [server.py:163]
2023-02-07 13:10:06,943 DEBUG        welcome agent                                                                                        [server.py:90]
2023-02-07 13:10:06,944 DEBUG        waiting for connection on /var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-agent-9ft991kk [server.py:129]
2023-02-07 13:10:06,944 DEBUG        request: 208 bytes                                                                                   [protocol.py:97]
2023-02-07 13:10:06,944 DEBUG        calling _unsupported_extension()                                                                     [protocol.py:105]
2023-02-07 13:10:06,944 DEBUG        reply: 5 bytes                                                                                       [protocol.py:108]
2023-02-07 13:10:06,944 DEBUG        request: 1 bytes                                                                                     [protocol.py:97]
2023-02-07 13:10:06,944 DEBUG        calling list_pubs()                                                                                  [protocol.py:105]
2023-02-07 13:10:06,944 DEBUG        loading SSH public key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgEhkTbBPQ0PlyOjR+ncuwzoALyZbs53USL/rKY+RRg <ssh://user@server|ed25519>\n' [formats.py:220]
2023-02-07 13:10:06,945 DEBUG        key type: b'ssh-ed25519'                                                                             [formats.py:58]
2023-02-07 13:10:06,945 DEBUG        loaded ssh-ed25519 public key: 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                       [formats.py:226]
2023-02-07 13:10:06,945 DEBUG        available keys: [b'<ssh://user@server|ed25519>']                                                    [protocol.py:117]
2023-02-07 13:10:06,945 DEBUG         1) 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                                                  [protocol.py:119]
2023-02-07 13:10:06,945 DEBUG        reply: 96 bytes                                                                                      [protocol.py:108]
2023-02-07 13:10:07,093 DEBUG        request: 291 bytes                                                                                   [protocol.py:97]
2023-02-07 13:10:07,093 DEBUG        calling sign_message()                                                                               [protocol.py:105]
2023-02-07 13:10:07,093 DEBUG        key type: b'ssh-ed25519'                                                                             [formats.py:58]
2023-02-07 13:10:07,093 DEBUG        looking for 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                                          [protocol.py:131]
2023-02-07 13:10:07,093 DEBUG        loading SSH public key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgEhkTbBPQ0PlyOjR+ncuwzoALyZbs53USL/rKY+RRg <ssh://user@server|ed25519>\n' [formats.py:220]
2023-02-07 13:10:07,093 DEBUG        key type: b'ssh-ed25519'                                                                             [formats.py:58]
2023-02-07 13:10:07,093 DEBUG        loaded ssh-ed25519 public key: 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                       [formats.py:226]
2023-02-07 13:10:07,093 DEBUG        using key b'<ssh://user@server|ed25519>' (05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79)          [protocol.py:138]
2023-02-07 13:10:07,093 DEBUG        signing 227-byte blob with "<ssh://user@server|ed25519>" key                                        [protocol.py:145]
2023-02-07 13:10:07,094 DEBUG        blob: b'\x00\x00\x00 T\x12\xd5@\xecZI\xcd\x8f\xc3)\xcah\xf6\xfd"\x9c\x0b\x935\x1e\x08s0\x9aM/Y2)\xd1T2\x00\x00\x00\x03user\x00\x00\x00\x0essh-connection\x00\x00\x00#publickey-hostbound-v00@openssh.com\x01\x00\x00\x00\x0bssh-ed25519\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 \xc8\x04\x86D\xdb\x04\xf44>\\\x8e\x8d\x1f\xa7r\xec3\xa0\x02\xf2e\xbb9\xddD\x8b\xfe\xb2\x98\xf9\x14`\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 1m\x91\xfe\x10z\xa7\xe4\x9b\x9c\xee\xf0D%\xdc\x9d\xc5\xd9\xe4\xb1\x89~\xd6\x8a\xff\x9by~\xf6|l\xd6' [client.py:34]
2023-02-07 13:10:07,094 DEBUG        key type: b'ssh-ed25519'                                                                             [formats.py:58]
2023-02-07 13:10:07,094 WARNING      unparsed blob: b'\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 1m\x91\xfe\x10z\xa7\xe4\x9b\x9c\xee\xf0D%\xdc\x9d\xc5\xd9\xe4\xb1\x89~\xd6\x8a\xff\x9by~\xf6|l\xd6' [client.py:81]
2023-02-07 13:10:07,094 DEBUG        b'ssh-connection': user b'user' via b'publickey-hostbound-v00@openssh.com' (b'ssh-ed25519')           [client.py:40]
2023-02-07 13:10:07,094 DEBUG        nonce: b'T\x12\xd5@\xecZI\xcd\x8f\xc3)\xcah\xf6\xfd"\x9c\x0b\x935\x1e\x08s0\x9aM/Y2)\xd1T'           [client.py:42]
2023-02-07 13:10:07,094 DEBUG        fingerprint: 05:95:10:07:7e:d7:a2:88:98:4a:4b:5e:7a:08:68:79                                         [client.py:44]
2023-02-07 13:10:07,094 DEBUG        hidden challenge size: 227 bytes                                                                     [client.py:45]
2023-02-07 13:10:07,094 DEBUG        identity parts: ['ssh://', 'user@', 'server']                                                       [interface.py:46]
2023-02-07 13:10:07,094 INFO         please confirm user "user" login to "<ssh://user@server|ed25519>" using LedgerNanoS...               [client.py:47]
HID => b001000000
HID <= 010d5353482f504750204167656e7405302e302e3801029000
2023-02-07 13:10:07,110 DEBUG        running app bytearray(b'SSH/PGP Agent'), version bytearray(b'0.0.8')                                 [ledger.py:55]
2023-02-07 13:10:07,110 DEBUG        identity parts: ['ssh://', 'user@', 'server']                                                       [interface.py:46]
2023-02-07 13:10:07,110 DEBUG        bip32 address string: b'\x00\x00\x00\x00ssh://user@server'                                          [interface.py:88]
2023-02-07 13:10:07,110 DEBUG        apdu: b'\x80\x04\x00\x82\xf8\x05\x80\x00\x00\r\xa4~!#\x9aQ\x10d\xb7\xbe\xc2\'\xf8\xfa\x07\x8d\x00\x00\x00 T\x12\xd5@\xecZI\xcd\x8f\xc3)\xcah\xf6\xfd"\x9c\x0b\x935\x1e\x08s0\x9aM/Y2)\xd1T2\x00\x00\x00\x03user\x00\x00\x00\x0essh-connection\x00\x00\x00#publickey-hostbound-v00@openssh.com\x01\x00\x00\x00\x0bssh-ed25519\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 \xc8\x04\x86D\xdb\x04\xf44>\\\x8e\x8d\x1f\xa7r\xec3\xa0\x02\xf2e\xbb9\xddD\x8b\xfe\xb2\x98\xf9\x14`\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 1m\x91\xfe\x10z\xa7\xe4\x9b\x9c\xee\xf0D%\xdc\x9d\xc5\xd9\xe4\xb1\x89~\xd6\x8a\xff\x9by~\xf6|l\xd6' [ledger.py:133]
HID <= 9000
2023-02-07 13:10:07,120 DEBUG        result: bytearray(b'')                                                                               [ledger.py:142]
2023-02-07 13:10:07,121 DEBUG        signature: b''                                                                                       [protocol.py:154]
sign_and_send_pubkey: signing failed for ED25519 "/var/folders/3n/qptpz9lx1p9gfrphp6fyx6d00000gn/T/trezor-ssh-pubkey-e_7835ye" from agent: communication with agent failed
2023-02-07 13:10:07,121 WARNING      error:                                                                                               [server.py:100]
Traceback (most recent call last):
  File "/Users/ilap/Projects/trezor-agent/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/Users/ilap/Projects/trezor-agent/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
  File "/Users/ilap/Projects/trezor-agent/libagent/ssh/protocol.py", line 157, in sign_message
    sig_bytes = key['verifier'](sig=signature, msg=blob)
  File "/Users/ilap/Projects/trezor-agent/libagent/formats.py", line 112, in ed25519_verify
    assert len(sig) == 64
AssertionError
(user@server) Password:
```
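The `blob:` line in the log above is the client's SSH_MSG_USERAUTH_REQUEST using OpenSSH's host-bound publickey method, whose trailing host-key string is exactly what the agent reports as "unparsed blob", and the device's empty reply is what trips the 64-byte ed25519 check in the traceback. The parser below is an added example, not code from this thread, app-ssh-agent or trezor-agent; it walks that layout for both the plain and the host-bound method, and the sample blob it builds is constructed here with a dummy session id and dummy keys.

```python
import struct

# OpenSSH 8.9+ signs with the host-bound method, which appends the server host key.
HOSTBOUND_METHOD = "publickey-hostbound-v00@openssh.com"
SSH_MSG_USERAUTH_REQUEST = 50


def _string(b):  # RFC 4251 string: uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b


def _read_string(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[pos + 4:end], end


def parse_userauth_blob(blob):
    """Parse the SSH_MSG_USERAUTH_REQUEST blob the client asks the agent to sign."""
    req, pos = {}, 0
    req["session_id"], pos = _read_string(blob, pos)
    if blob[pos] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    pos += 1
    for field in ("user", "service", "method"):
        val, pos = _read_string(blob, pos)
        req[field] = val.decode()
    req["has_signature"] = bool(blob[pos])
    pos += 1
    alg, pos = _read_string(blob, pos)
    req["algorithm"] = alg.decode()
    req["pubkey"], pos = _read_string(blob, pos)
    req["hostkey"] = None  # only the host-bound method carries the server host key
    if req["method"] == HOSTBOUND_METHOD:
        req["hostkey"], pos = _read_string(blob, pos)
    req["unparsed"] = blob[pos:]  # non-empty means a field this parser did not expect
    return req


def build_userauth_blob(user, method, pubkey_blob, hostkey_blob=None):
    """Constructed sample in the log's layout; session id and keys are dummies."""
    out = _string(b"\x11" * 32) + bytes([SSH_MSG_USERAUTH_REQUEST])
    out += _string(user.encode()) + _string(b"ssh-connection") + _string(method.encode())
    out += b"\x01" + _string(b"ssh-ed25519") + _string(pubkey_blob)
    if hostkey_blob is not None:
        out += _string(hostkey_blob)
    return out


def signature_is_complete(algorithm, sig):
    """The log's verifier asserts len(sig) == 64 for ed25519; the device's b'' fails it."""
    return algorithm != "ssh-ed25519" or len(sig) == 64
```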
cbouvet-ledger commented 1 year ago

@ilap does it work with the agent.py in this repository?

Your APDUs look wrong. Are you running the latest trezor-agent from the GitHub repo or from PyPI?

ilap commented 1 year ago

Hi @cbouvet-ledger,

I have not tested with agent.py. Do you have an example of how to use it?

I use the latest trezor-agent from the GitHub repo.

cbouvet-ledger commented 1 year ago

Hello @ilap, I'll test with ed25519 keys first.

cbouvet-ledger commented 1 year ago

@ilap can you share how you use trezor-agent?

cbouvet-ledger commented 1 year ago

I managed to reproduce, now looking for the issue, thanks

ilap commented 1 year ago

> @ilap can you share how you use trezor-agent?

```shell
# Uninstall the installed PIP packages.
pip3 uninstall ledger_agent libagent

# Download the Ledger agent and install it (editable) from the repo
git clone https://github.com/romanz/trezor-agent
pip3 install --user -e trezor-agent
pip3 install --user -e trezor-agent/agents/ledger

# use it
ledger-agent -e ed25519 -c ssh://user@server -vvvvv
```

cbouvet-ledger commented 1 year ago

Found the issue, will patch it :bow:

cbouvet-ledger commented 1 year ago

@ilap this should do it: https://github.com/romanz/trezor-agent/pull/417, feel free to try.

ilap commented 1 year ago

> @ilap this should do it: romanz/trezor-agent#417, feel free to try.

It's working, thx.