For six months now, I have been a bad person. Love can make a person do funny things: to make compromises, to re-evaluate one’s own principles. In my case, it was the love of my Cr-48. It is sleek and lightweight, simple and not fancy. I do not ask for much and in return it gave me the two things I really ever needed in a laptop operating system: a web browser and SSH.
As attractive as the Cr-48 is, it blinded me to a major flaw in its SSH client. It lacked any and all support for SSH keys. I overlooked this flaw and made a compromise; I decided to allow password authentication on my home server, exposing my poor little machine to the evils that lurk in the dark corners of the internet. Fear not, I have since re-disabled passwords. I would like to say that it was because I learned my lesson and repented from my slovenly ways, but I am not disabling password authentication because it is the right thing to do. It is rather that Chrome OS now supports SSH keys.
SSH key support has been available in Chrome OS since at least before May, but it was not until today that I noticed it. There is no SSH agent, and the syntax to use a key while connecting to a host is a little annoying, but these are some freedoms I am willing to give up for security.
From crosh, the Chrome OS terminal, this is how I discovered the ability to use SSH keys:
crosh> ssh
ssh> help
connect - connect
dynamic-forward port - dynamic socks proxy (-D)
forward port:host:port - static port forward (-L)
help - this
host <hostname> - remote hostname
key <file> - sets private key to use (-i)
nocmd - don't execute command (-N)
port <num> - port on remote host (-p)
exit - exit ssh subsystem
user <username> - username on remote host
Note that this program can only bind local ports in the range 8000-8999, inclusive.
ssh> key
File '' is not a valid key file. Key files must reside under /media or /home/chronos/user. Key files in the Downloads directory may be specified with an unqualified name.
The next few sections will be a step by step setup guide for using keys on SSH.
Generate a Public/Private Key Pair
I generated the keys on my home server. Your syntax may vary.
$ ssh-keygen -f vinz-clortho
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in vinz-clortho.
Your public key has been saved in vinz-clortho.pub.
The key fingerprint is:
01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10 zuul@example
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|         o . .E .|
|       . = .o..+.|
|        S .. oo++|
|           . .*.=|
|             oo.*|
|               o=|
|                o|
+-----------------+
Add Public Key to Server
After the keys are generated, the public key needs to be appended to the SSH authorized keys listing.
$ cat vinz-clortho.pub >> ~/.ssh/authorized_keys
Add Private Key to Chromebook
I copied the public and private keys from my SD Card to my Downloads directory. To open up the file browser, hit ctrl + m.
Establish SSH Connection
Even though the SSH help mentions a -i option, I cannot seem to get it to work, and I am stuck with the following syntax:
crosh> ssh
ssh> host example.com
ssh> user zuul
ssh> key vinz-clortho
ssh> connect
Enter passphrase for key '/home/chronos/user/.ssh/key-123...abc':
Shut Off Password Authentication
Finally, let's secure this sucker.
$ sudoedit /etc/ssh/sshd_config
Set “PasswordAuthentication no”.
$ sudo reload ssh
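A check for the step above, as an added example that is not part of the original post: setting PasswordAuthentication to no does not close the keyboard-interactive path, which PAM can use to ask for the same account password. The function name and the sample settings are constructed for illustration; the input format is the lowercase "keyword value" listing that sshd -T prints.

```shell
#!/bin/sh
# Added example (not from the original post). Reads effective sshd settings
# in the "keyword value" form printed by `sshd -T` and prints one line for
# each setting that still allows a password-style login.
password_auth_findings() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication is still yes"
        }
        # ChallengeResponseAuthentication is the older name of this keyword.
        key == "kbdinteractiveauthentication" && val == "yes" { kbd = 1 }
        key == "challengeresponseauthentication" && val == "yes" { kbd = 1 }
        key == "usepam" && val == "yes" { pam = 1 }
        END {
            # PAM can ask for the account password over keyboard-interactive.
            if (kbd && pam) { print "keyboard-interactive via PAM can still prompt for a password" }
        }
    '
}

# Constructed sample: PasswordAuthentication was set to no, but the
# keyboard-interactive path through PAM was left enabled.
SAMPLE_PARTIAL='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes'

# Constructed sample: a key-only configuration.
SAMPLE_KEYS_ONLY='passwordauthentication no
kbdinteractiveauthentication no
usepam yes
pubkeyauthentication yes'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PARTIAL" | password_auth_findings

# On the server itself, after reloading ssh:
#   sudo sshd -T | password_auth_findings
```

No output means neither password path is enabled in the settings that were read.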