Conversation

This Tweet was deleted by the Tweet author. Learn more

It mostly applies to the Trezor One, but it doesn't have on-device passphrase entry and I think U2F is only based on the seed and didn't require unlocking with the PIN and providing the passphrase. Trezor One also only has a partial workaround for secure PIN entry and recovery.

Replying to

Having the touchscreen able to provide sophisticated on-device input is a killer feature able to improve security a lot, since you don't expose passphrases or any details about the PIN. The same thing goes for not exposing details about the recovery seed during a recovery.

Replying to

- I wasn't aware it mostly applied to the Trezor One. Are there plans to write it for the Trezor T, and to integrate the security features of the pin+passphrase? (For U2F and anything else that used only the seed?)

Replying to

and

- how does integration with existing software compare with the

Replying to

and

Using trezor-agent is painless for SSH and GPG. U2F doesn't require any additional software. It works with standard U2F support. For recovery, you need to restore the U2F counter too, and their suggestion of using Unix time works well for that.

Replying to

$ trezor-agent -e ed25519 sample_user@sample_host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4o34x0NrKCFhqLgO44DQDOmmnGv7StO/MxvEzJ1vjN <ssh://sample_user@sample_host|ed25519>

Replying to

And with that in .ssh/authorized_keys: $ trezor-agent -e ed25519 sample_user@sample_host -- ssh -p 7777 strcat@localhost [confirmation required on Trezor to sign SSH for sample_user@sample_host] Last login: Fri Nov 2 19:24:04 2018 from ::1 strcat@thinktank i ~ master %

Replying to

Can also run trezor-agent as an agent of course. It supports more than just the Trezor too so there are a couple other compatible options for recovery if the device dies.

6:55 PM · Nov 3, 2018Twitter Web Client