For six months now, I have been a bad person. Love can make a person do funny things: to make compromises, to re-evaluate one's own principles. In my case, it was the love of my Cr-48. It is sleek and lightweight, simple and not fancy. I do not ask for much and in return it gave me the two things I really ever needed in a laptop operating system: a web browser and SSH.
As attractive as the Cr-48 is, it blinded me to a major flaw in its SSH client. It lacked any and all support for SSH keys. I overlooked this flaw and made a compromise; I decided to allow password authentication on my home server, exposing my poor little machine to the evils that lurk in the dark corners of the internet. Fear not, I have since re-disabled passwords. I would like to say that it was because I learned my lesson and repented from my slovenly ways, but I am not disabling password authentication because it is the right thing to do. It is rather that Chrome OS now supports SSH keys.
SSH key support has been available in Chrome OS since at least before May, but it was not until today that I noticed it. There is no SSH agent, and the syntax to use a key while connecting to a host is a little annoying, but these are some freedoms I am willing to give up for security.
From crosh, the Chrome OS terminal, this is how I discovered the ability to use SSH keys:
crosh> ssh
ssh> help
connect - connect
dynamic-forward port - dynamic socks proxy (-D)
forward port:host:port - static port forward (-L)
help - this
host <hostname> - remote hostname
key <file> - sets private key to use (-i)
nocmd - don't execute command (-N)
port <num> - port on remote host (-p)
exit - exit ssh subsystem
user <username> - username on remote host
Note that this program can only bind local ports in the range
8000-8999, inclusive.
ssh> key
File '' is not a valid key file. Key files must reside
under /media or /home/chronos/user. Key files in the Downloads directory may
be specified with an unqualified name.The next few sections will be a step by step setup guide for using keys on SSH.
Generate a Public/Private Key Pair
I generated the keys on my home server. Your syntax may vary.
$ ssh-keygen -f vinz-clortho
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in vinz-clortho.
Your public key has been saved in vinz-clortho.pub.
The key fingerprint is:
01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10 zuul@example
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o . .E .|
| . = .o..+.|
| S .. oo++|
| . .*.=|
| oo.*|
| o=|
| o|
+-----------------+Add Public Key to Server
After the keys are generated, the public key needs to be appended to the SSH authorized keys listing.
$ cat vinz-clortho.pub >> ~/.ssh/authorized_keysAdd Private Key to Chromebook
I copied the public and private keys from my SD Card to my Downloads directory. To open up the file browser, hit ctrl + m.
Establish SSH Connection
Even though the SSH help mentions a -i option, I cannot seem to get it to
work, and I am stuck with the following syntax:
crosh> ssh
ssh> host example.com
ssh> user zuul
ssh> key vinz-clortho
ssh> connect
Enter passphrase for key '/home/chronos/user/.ssh/key-123...abc':Shut Off Password Authentication
Finally, lets secure this sucker.
$ sudoedit /etc/ssh/sshd_configSet "PasswordAuthentication no".
$ sudo reload ssh