Setting up SSH Keys with the Chrome OS Secure Shell Extension

For this exercise the client system is a Chromebook, and the server system is an Ubuntu VM running on Google Compute Engine.

The SSH client of choice on Chrome OS devices is Secure Shell. Per its own documentation, Secure Shell supports public key-based authentication, but it cannot generate its own keys. My goal here is to be able to SSH into a Google Compute Engine VM running Ubuntu Linux, so I generated the keypair on the target Linux VM using the browser-based SSH client offered by https://console.cloud.google.com/, and then imported it into Secure Shell on my Chromebook. This is appealing because it avoids the need to configure passwords for SSH altogether.

Security note: Generating the keypair on the same machine that the keypair grants access to is reasonable: if an attacker already has a foothold in that system, you have already lost. However, once that keypair is imported into Secure Shell on one’s client device, it can be convenient to use that key for access to other systems. Consider how much you trust the VM image where ssh-keygen executes before deciding whether to use the same keypair to authorize access to any other systems. Also consider the note about HTML5 filesystems being a relatively young technology in the above link to the Secure Shell documentation about SSH keys. A topic for another day is how to integrate with a physical hardware token like a Yubikey, so that the private SSH key is never exposed to any client device software.

# don’t allow the private key to be written to disk
cd /dev/shm
# generate the actual keypair
ssh-keygen -f gce-instance-ssh
# to SSH into the system where keys are being generated,
# authorize the public key
cat gce-instance-ssh.pub >> ~/.ssh/authorized_keys

This creates the files gce-instance-ssh and gce-instance-ssh.pub. Both of these files need to be copied onto the Chromebook for importing into Secure Shell. I decided to do this by running cat gce-instance-ssh and cat gce-instance-ssh.pub and then copy-pasting the contents of each. The destination was a Chrome extension that can create and edit plain text files. Secure Shell requires that both gce-instance-ssh and gce-instance-ssh.pub be available to import a keypair. In the file selection dialog opened by Import (to the right of the Identity: field in the Secure Shell connection dialog), I shift-clicked to select both files. When selecting only the private key file, there seems to be little or no UI feedback that anything has happened at all.

If successful, the drop-down next to Identity: will have a new entry, whose name appears to be the basename of the imported key files (in this case, gce-instance-ssh).
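
Because both files reach the Chromebook by copy-paste, a truncated or mismatched paste is the likely failure. The sketch below is an added example, not part of the original post or of Secure Shell: it parses the pasted text, checks that the .pub line matches the public key embedded in the private key file, and reports whether the private key is passphrase-protected. It assumes the openssh-key-v1 format that current ssh-keygen writes by default; the function names and the sample key are constructed here.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH wire 'string' at off; return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key data (incomplete paste?)")
    return buf[off + 4:end], end

def inspect_private_key(text):
    """Return (cipher name, embedded public blob) of an openssh-key-v1 file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("BEGIN/END armor lines missing or damaged")
    raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = read_string(raw, len(MAGIC))
    _kdf_name, off = read_string(raw, off)
    _kdf_opts, off = read_string(raw, off)
    if raw[off:off + 4] != struct.pack(">I", 1):  # uint32 key count
        raise ValueError("expected exactly one key")
    pub_blob, _ = read_string(raw, off + 4)  # stored unencrypted
    return cipher.decode("ascii"), pub_blob

def check_pasted_pair(private_text, public_text):
    """Compare pasted private-key text with the pasted .pub line."""
    cipher, embedded = inspect_private_key(private_text)
    fields = public_text.split()
    if len(fields) < 2:
        raise ValueError("public key line needs 'type base64 [comment]'")
    pub_blob = base64.b64decode(fields[1], validate=True)
    return {"match": pub_blob == embedded, "encrypted": cipher != "none"}

# Constructed sample: dummy all-zero key material, not a usable key.
_pub = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
_priv = (MAGIC + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
         + struct.pack(">I", 1) + ssh_string(_pub) + ssh_string(bytes(8)))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_pub).decode() + " constructed"
SAMPLE_PRIV = f"{BEGIN}\n{base64.b64encode(_priv).decode()}\n{END}\n"
```

A result of "encrypted": False means the pasted private key has no passphrase, so anything that can read the text file holds a usable credential. A key saved in the older PEM format is rejected with ValueError rather than parsed.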
