Domain Kiosk

Creative website design and internet marketing studio

Using Ledger Nano S to protect the SSH session to the Raspberry Pi 4b with LOC staking wallet

In this article we will make a setup that will allow to use Ledger Nano S to generate a pair of keys and use it to protect the SSH session to the LOC staking Raspberry Pi.

It is important to understand that the Ledger Nano S will protect the login to the remote SSH session, so you will be sure no hacker with a keylogger can grab (steal) your password and then use it to access your staking Pi remotely. Very often the reason for hacks is that the password has been "leaked" because of some silly mistake the user did. Using Ledger Nano S gives excellent protection against such mistakes too.

To fully protect your staking Pi however you have to read and understand the first three articles in my Guide to staking LOCs on Raspberry Pi 4b, then use the knowledge in this following article to elevate security to a next level.

Let's begin with a diagram showing the LAN setup to use the Ledger Nano S.  We need an extra Raspberry Pi (a Pi3b+ does an excellent job) to use it as a Gate to the LOC staking Pi. The Gate "pi@Lock" is connected to a monitor and to a keyboard/mouse. When all is set up the staking Pi should have a firewall configured to allow SSH access only from the IP address of the Gate Pi. Note that instead of the extra Raspberry Pi you can use any Linux or Mac machine as the Gate (the Remote machine). Here is the diagram:




Steps to set up the software on the Gate Pi, Staking Pi and Ledger Nano S


1. Make sure you have Python 3 and pip3 running on your Remote machine "pi@Lock" (

pi@Lock:~ $ which python3

you should see returned this:



pi@Lock:~ $ which pip3

should return this:



2. To have the command line tools communicate with Ledger Nano S, you also need libusb to be installed

Check if you already have libusb installed:

pi@Lock:~ $ ldconfig -p | grep libusb

If you have libusb installed you should be seeing this: (libc6,hard-sudfloat) => /usr/lib/arm-linux-gnueabihf/ (libc6,hard-float) => /lib/arm-linux-gnueabihf/

If installed already, as checked above, skip this step, otherwise install libusb:

pi@Lock:~ $ sudo apt install libffi-dev
pi@Lock:~ $ pip3 install cffi and pi@Lock:~ $ pip3 install libusb


3. Install Ledger Agent on the Remote machine

pi@Lock:~ $ pip3 install ledger_agent


4. Verify folders where Ledger Agent has been installed

pi@Lock:~ $ pip3 uninstall ledger_agent

Uninstalling ledger-agent-0.9.0:
Proceed (y/n)?n

Reply "no", as we are just using this to verify the Ledger Agent is installed, not to uninstall it.


5. Run this command to add udev-rules:

pi@Lock:~ $ wget -q -O - | sudo bash


6. Install the SSH/PGP Agent app on Ledger Nano S from Ledger Live

Turn on Developer mode in Ledger Live: Settings > Experimental features > Developer mode. Then you will find and be able to download from Ledger Live the SSH/PGP Agent app on your Ledger Nano S.


7. Generate your first SSH Key with the Ledger Nano S on your Remote machine using Ledger Agent

Plug and unlock your Ledger Nano S. Scroll through the applications, and select SSH/GPG Agent pressing both Ledger Nano S buttons. Once the app has launched, your Ledger Nano S should display "Application is ready".

Switch back to your terminal, and run:

pi@Lock:~ $ /home/pi/.local/bin/ledger-agent pi@Lock

Accept on Ledger Nano S. Now you have generated the SSH public key for the Protected machine "pi@Wallet-D" and it is displayed in the terminal:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAQgjkaovZjENezel

5Md604dcUypaOFuX6L8r5xrkyubLtOJZAEL3aSoJ/HyQGx2M+6JKr/Ih6Mx4DaFuNDhCyo= <ssh://pi@Lock|nist256p1>


8. Copy-paste the whole string onto the Protected machine "pi@Wallet-D" ( into ~/.ssh/authorized_keys file

(pi@Wallet-D:~ $ mkdir ~/.ssh/)
pi@Wallet-D:~ $ nano ~/.ssh/authorized_keys

You're now ready to use SSH with your newly generated key.


9. Using the Ledger Agent shell wide

After the first key generation, the Ledger Agent printed a classic SSH ECDSA public key along with a string between < >. This is the string in our example:


This string is a Ledger Agent identity. Add it to a configuration file on the Remote machine, i.e. ~/.ssh/ledger.conf :

(pi@Lock:~ $ mkdir ~/.ssh/)
pi@Lock:~ $ echo "<ssh://pi@Lock|nist256p1>" >> ~/.ssh/ledger.conf

Then run the Ledger Agent:

pi@Lock:~ $ /home/pi/.local/bin/ledger-agent ~/.ssh/ledger.conf -s -v

2019-07-13 13:34:59,014 INFO         identity #0: <ssh://pi@Lock|nist256p1>         []
2019-07-13 13:34:59,023 INFO         using [b'ttyname=/dev/pts/1', b'display=:0.0'] for pinentry options         []
2019-07-13 13:34:59,043 INFO         running '/bin/bash' with {'SSH_AUTH_SOCK': '/tmp/trezor-ssh-agent-5fxmykuj', 'SSH_AGENT_PID': '982'}         []

This spawns a new shell with an SSH Agent using all the identities stored into the ledger.conf file.


10. Set up an alias on the Remote machine to easily start the Ledger Agent

pi@Lock:~ $ echo "alias ledger='/home/pi/.local/bin/ledger-agent ~/.ssh/ledger.conf -s -v'" >> ~/.bash_aliases
pi@Lock:~ $ source ~/.bash_aliases


11. Set up host file on the Remote machine to use hostname instead of IP address in the SSH session start command

pi@Lock:~ $ sudo bash -c 'echo " Wallet-D" >> /etc/hosts'


12. Now you can simply open a terminal and run:

pi@Lock:~ $ ledger
pi@Lock:~ $ ssh pi@Wallet-D
pi@Lock:~ $ ssh pi@Wallet-D -p 2784 (for custom SSH port)
pi@Lock:~ $ ssh pi@Wallet-D -p 2784 -L 5924: (for tunnel for VNC via SSH)

This will use the SSH key stored into the Ledger Nano S.

NOTE! Don't launch the ledger-agent from your .bashrc or .zshrc since it will spawn another and another in an infinite loop.


13. Make a custom command in "/usr/local/bin"

pi@Lock:~ $ sudo nano /usr/local/bin/sshtunnel-D

The content of the file is:

ssh pi@Wallet-D -p 2784 -L 5924:

Make it executable

pi@Lock:~ $ sudo chmod +x /usr/local/bin/sshtunnel-D


14. Turn "off" password authentication and turn "on" both key authentication and used key file on the Protected machine

pi@Wallet-D:~ $ sudo nano /etc/ssh/sshd_config

and change each of these lines:

PubkeyAuthentication yes


AuthirizedKeyFile  .ssh/authiruzed_keys


PasswordAuthentication no


15. Restart SSH service

pi@Wallet-D:~ $ sudo /etc/init.d/ssh restart


16. Switching between Ledger Nano S and Google 2FA

pi@Wallet-D:~ $ sudo nano /etc/ssh/sshd_config

and change this line:

ChallengeResponseAuthentication yes (Google 2FA will work and Ledger is "off")


ChallengeResponseAuthentication no  (Google 2FA is "off" and Ledger is "on")

and then restart the SSH service

pi@Wallet-D:~ $ sudo /etc/init.d/ssh restart


For additional information


Hardware used in this article

The Staking Pi (Protected machine) > pi@Wallet-D

  • - Raspberry Pi 4b;
  • - 5V/3A C-type connector power supply;
  • - Samsung 970 EVO Plus 250GB NVMe M.2 SSD;
  • - X870 NVMe M.2 SSD Storage Expansion Board (Adapter) - JMicron Technology Corp. chip set;
  • - Empty SD card;
  • - Armor case/heat sink for Raspberry Pi 4b;
  • - 12V low noise Jiesammy cooling fan, powered from the Pi;

The Gate Pi (Remote machine) > pi@Lock

  • - Raspberry Pi 3b+;
  • - 5V/3A Mini-type connector power supply;
  • - SanDisk Ultra microSDXC 16GB card;
  • - Acrylic ABS Plastic Case
  • - CNC Extreme Cooling Fan+Heatsink Kit For Raspberry Pi 3b+;
  • - 2.4G Wireless mini Keyboard with Touchpad for PC, Google Andriod TV Box;
  • - Ledger Nano S.


If you find inaccuracies in this article or ways to improve it, please leave a comment below.


Yours, Crypto Qu


Ways to support my work, if you find it helpful. Thank You!

How to run a healthy HYDRA staking node

This article is all about the health of your HYDRA staking node, and the important things you need to know to win block rewards on the HYDRA blockchain.

Read more ...

Using Ledger Nano S to protect the SSH session to the Raspberry Pi 4b with LOC staking wallet

In this article we will make a setup that will allow to use Ledger Nano S to generate a pair of keys and use it to protect the SSH session to the LOC staking Raspberry Pi.

Read more ...

Basic security check list for staking LOCs on Raspberry Pi 4 model b

Let's harden the security of our staking Pi. Our goal is to keep the minimal number of open ports on the Pi and secure them.

Read more ...

Recompiling and installing of LOC staking wallet with GUI on Raspberry Pi 4b

Let's use the tiny, yet powerful Raspberry Pi 4b to recompile the LOC staking wallet with GUI!

Read more ...

Raspberry Pi 4b - basic setup with Raspbian Buster and getting ready to install the LOC staking wallet

The new Raspberry Pi 4b has arrived! Let's set it up for best performance for staking with the LOC staking wallet!

Read more ...

How to protect the SSH session with 2FA on Raspberry Pi 3B+

In this third article we continue the series about making secure the Pi for staking LOCs. We will increase the security level of SSH by adding 2FA to the session login.

Read more ...

How to stake LOCs securely and conveniently on Raspberry Pi 3B+

This article is the second in a series that helps begin staking LOCs on the Raspberry Pi 3b+.

Read more ...

A step by step recompilation of LOC test staking wallet with GUI for Raspberry Pi 3B+

This is the first of a series of articles to help you recompile and set up a Raspberry Pi as a LOC staking wallet with GUI.

Read more ...

A Gem forged in the Crypto Hell of 2018

2018 was the year that crypto fell to earth with louder critics than ever. The industry had been hit with what some would say was a much-needed reality check.

Read more ...