For this exercise the client system is a Chromebook, and the server system is an Ubuntu VM running on Google Compute Engine.
The SSH client of choice on Chrome OS devices is Secure Shell. Per its own documentation, it is possible to use public key-based authentication with the Secure Shell client. However, Secure Shell cannot generate its own keys. My goal here is to be able to SSH into a Google Compute Engine VM running Ubuntu Linux, so I generated the keypair on the target Linux VM using the browser-based SSH client offered by https://console.cloud.google.com/, and then imported it into Secure Shell on my Chromebook. This is appealing because it avoids the need to configure passwords for SSH altogether.
Security note: Generating the keypair on the same machine that the keypair grants access to is reasonable. If an attacker already has a foothold in that system, you have already lost. However, once that keypair is imported into Secure Shell on one’s client device, it can be convenient to use that key for access to other systems. Consider how much you trust the VM image where ssh-keygen executes before deciding whether to use the same keypair to authorize access to any other systems. Also consider the note about HTML5 filesystems being a relatively young technology in the above link to the Secure Shell documentation about SSH keys. A topic for another day is how to integrate with a physical hardware token like a Yubikey, so that the private SSH key is never exposed to any client device software.
    # don’t allow the private key to be written to disk
    cd /dev/shm
    # generate the actual keypair
    ssh-keygen -f gce-instance-ssh
    # to SSH into the system where keys are being generated,
    # authorize the public key
    cat gce-instance-ssh.pub >> ~/.ssh/authorized_keys
This creates files gce-instance-ssh and gce-instance-ssh.pub. Both of these files need to be copied onto the Chromebook for importing into Secure Shell. I decided to do this using cat gce-instance-ssh and cat gce-instance-ssh.pub and then copy-pasting the contents of each. The destination was a Chrome extension that can create and edit plain text files. Secure Shell requires that both gce-instance-ssh and gce-instance-ssh.pub be available to import a keypair. I shift-clicked to select both files in the Import dialog box (Import is to the right of the Identity: field in the Secure Shell connection dialog). When selecting only the private key file, there seems to be little or no UI feedback that anything has happened at all.
If successful, the drop-down next to Identity: will have a new entry, whose name appears to be the basename of the imported key files. In this case,