Public key authentication about connectbot HOT 25 CLOSED

This might be due to submenus changing in the newest SDK.

generating sshkeys on the device is interesting, but i think we should push 
this to a
later version.

people might be copying over existing keys on their /sdcard.

interestingly, we should consider an "automation" framework.  it might run "cat
'[key]' >> ~/.ssh/authorized_keys" upon login.  other usage might include users
saying run "screen -dr" on connect, etc.

I would like to suggest that this is a higher priority than "low" ... I can't 
use ssh
for anything real without key based auth.  I'm sure there are other people out 
there
who are similarly paranoid about their ssh requirements.

I think this was marked "low" because you can always generate the actual keys on
another machine and then migrate them to the phone.  Judging from irc chatter, 
this
was considered the best solution because they didn't want to have to vouch for 
the
safety of the java sshkey generation and didn't want another debian/ubuntu-style
clusterfuck on their hands.

There was some debate on irc as to the best way to get an ssh keypair (or at 
least
the private key) to the phone-- ota methods like web and email were ruled out 
for
security reasons.  The SDcard import looks to be the safest way.

As for the actual sshkey-auth method, I believe it is going in as we speak.  
Just
generate your keys on another machine and move it to your phone when this thing 
is
ready (which I hear may be Monday)

Kudos to Jeff Sharkey and the other developers!

W

[deleted comment]

Will it just find the private key on the SD card?  or do I need to put it 
somewhere
specific?

I personally would not put my private key on the SD card.  I believe any 
Android app
can access the entire SD card with no permissions.

However, I also think the app should not generate the private key.  I have 
doubts
about the quality of the devices RNG.

If the app could implement SCP, that would be best.  Or perhaps offer a menu 
item to
"copy and paste" the private key from an active (password-authenticated) 
session into
the private keystore?

There have been a few discussions about how to import a key.  if you do it off 
the SDCard it will be imported 
and then you could delete it-- it wouldn't need to be there long.  Someone 
could have a service constantly 
scanning the card looking for keys, but you'd have to have run that program...

Alternatives discussed on IRC included mailing the key (insecure), IMing the 
key (insecure), etc etc.  SCP or 
copy/paste from a secure session would be good, but you'd need a secure 
connection (via password) in the 
first place...

Personally I think the app generating the key is a good idea... cuz at least if 
there are problems you can shut 
down access to this one key...  then again, people have their public key 
already on 50 machines so maybe they 
do want to import...

W

I just added rudimentary publickey support in SVN r86.

Right now you can only generate public keys on the device itself. Randomness is
generated by the user, so people don't have to worry about weak entropy sources.

RSA and DSA keys can be copied to the clipboard and deleted only for right now.

While I realize keygen isn't expected to work fully in SVN r86, I thought you 
should
be aware that while generating a key in landscape mode you can't see all of the
options and there is no ability to scroll.

I made a change in SVN r87 to allow scrolling in landscape mode until we get
something better looking in there. 

I just downloaded the App from the Android market, and cannot find a way to 
provide 
my key even though there seems to be at least "some way" to do it (see comment 
9). 
Could it be that version on the Android Market is older and does not yet have 
this 
feature? 
Thanks

The version in the market is r85 (
http://code.google.com/p/connectbot/source/detail?r=85 ). Public key generation
started in r86. Note that it's public key *generation*; import doesn't work yet.
Also, while it can generate keys with a passphrase it can't yet use those to 
login
(although eys without a passphrase work beautifully). 

I imagine that the app won't be updated on the market again until public keys 
are
more fully supported, but I'm not on the dev team so I don't know. In the 
meantime
there are instructions on the project homepage about how to install the latest
development builds. Also, if you haven't seen it this page is an easy way to 
keep up
with the dev. build process:

http://code.google.com/p/connectbot/updates/list

I'm going to wait for this to be complete to release 1.2

I added support for password-protected pubkeys in SVN r102

latest svn now has support for importing existing keys from /sdcard, which 
includes
any openssh-formatted keys (with or without passphrases).  format similar to:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

OhHaiImRand0mBase64T3xt...

-----END RSA PRIVATE KEY-----

I'm considering pubkey authentication complete. Any defects should be opened up 
as a
new issue. Thanks for the import function, Jeffrey.

This works, but the current language is slightly confusing.  When there are no 
keys,
it says "Tap Menu to create or import public keys."  However, what you are 
really
doing is creating key pairs or importing your _private_ keys.

Oh, also... when the sd card is not available (not inserted or currently 
mounted by
computer), you get the "pick from sdcard" dialog with nothing listed.  Ideally 
it
would tell you that the sdcard is not available (otherwise this dialog is kinda
confusing).

And one more note, the file list from the sdcard is in no discernible order.  
It'd be
great if it were alphabetical.

Hi folks 

I may be extremely dense, but could anyone point me to where and how one can 
mount
/sdcard. It definitely is neither mounted nor available on my htc magic. 

Also it would be extremely helpful if the accepted import format for rsa 
private keys
could be defined somewhere. 

Where is the pubic key exported to and how can it be copied to the target 
machine.
Basically I would expect it to be stored somewherre on the sdcard and accessible
through all normal usb mass storage operation, but then...

I made a video tutorial on how to use pubkey authentication. That and other 
videos
can be reached at http://code.google.com/p/connectbot/wiki/UserInterface

There's not a way to export the pubkey to the SD card, but there is a ticket 
open for
that. Right now it just copies it to the clipboard for pasting in another 
application.

I'd love to have it be able to read from any folder in the SD card. Only after I
found this ticket was I able to get my private key imported, and I use SSH 
literally
hundreds of times a day, with multiple private keys, on multiple operating 
systems.

I am going to make a quick post explaining how to import your private key 
because this was not obvious to me.

1 - Plug in your phone
2 - Go to the status menu pulldown on the home screen and click something like 
"USB Connected" from the menu
3 - Click MOUNT
4 - Go to My Computer (if you are using Windows) and double click the new drive 
letter which should be your SD Card.   If you are using Linux then mount the 
new drive (in KDE you click on the USB notification on the bottom right then 
open it with Nautilus). 
5 - Copy your private key to the root of the SD card (don't put it in a folder 
or you cannot import it into ConnectBot).
6 - Unmount the folder on Linux.  If you are using Windows then double click 
the Safely Remove Device icon on the bottom right hand corner of your screen.   
(If not sure how to navigate the complicated device removal wizard then convert 
to Ubuntu because it is easier.)
7 - Go back to your phone, go back to the status drag-down menu, click Turn Off 
USB Storage, click TurnOff
8 - Launch ConnectBot
9 - Click MENU -> Manage Public Keys -> Click the MENU key again -> Click IMPORT
10 - You should see your private key in the list.  Click on it to import it.
11 - You should now see your private key in the list of available keys.   You 
have to unlock the key by clicking on the red lock once and you may have to 
enter your key's passphrase/passcode.  Once loaded your "lock" should turn 
green and look like an open padlock.  You can also automatically load the key 
by pressing and holding your finger on the key until the menu appears.  Check 
"Load key on start".

I hope this helps someone. 

Regarding importing public/private keys -- I put my keys into the root of my 
sdcard and connectbot didn't see them.  After many different changes which I 
won't bore you with, I found another post which said to connect via the local 
command-line.  

I ended up copying my .ssh folder from my desktop and placing it onto my sdcard 
(as 'ssh' not '.ssh').  Then from connectbot's "local" shell:
cd /sdcard
cp ssh/id* .

At this point the permissions were automatically set to something connectbot 
could see.  Maybe because I don't have root on this device? After reading in 
the keys with connectbot I deleted them from the sdcard.