
ssh-ecurity — Part 10: Android Paranoid

The summer season is here again! The pool is open and anything I prepare on the grill is welcome as dinner comestibles. This year, to replace aging outdoor speakers, I purchased a Bluetooth sound system for my backyard oasis. The plan was to broadcast to it from iTunes on my MacBook Pro or the iMac in the bedroom, but the distance to either yielded undesired sound quality. So, it was either lug out the MacBook Pro — which I was reluctant to do after a recent costly repair to it due to a spilt coffee — and risk getting it splashed from the pool shenanigans, or invest in something else that I could use for streaming internet radio to the Bluetooth sound system. I finally opted for an Android tablet. A couple of downloaded apps and I was streaming Aural Moon to the Bluetooth system. Now, armed with a new toy, my inner geek was pining for other things that I could do with this tablet. The first thing that came to mind was configuring terminal access into my OpenVMS, Mac and Linux systems; securely, of course!

My first thoughts were to find a terminal app that performed well; especially, one that could do a reasonable VT100 emulation. I went into the Android's app store (called the Play Store) to see what existed for Terminal apps. I selected several. I installed them, tested them, and uninstalled all but one. It did the best, albeit far from perfect by any stretch of the imagination, VT emulation based upon running the VTTEST suite which I have set up on one of my OpenVMS systems as a CAPTIVE account. I then tried typing 'ssh' at the terminal's local command prompt. No such luck. There was no 'ssh' installed by default with Android. So, back to the Play Store to search for an ssh client.

Entering 'ssh' into the Play Store search bar, I was presented with a long list of ssh apps. I read through some of their descriptions, and I installed and uninstalled them one-by-one. None of them gave me a command line 'ssh' command. I then decided that I should look for a version of PuTTY for Android because it contains, at least on other platforms, a GUI based ssh configuration. What I found and tested didn't provide me with an interface I'd be comfortable using. I then opted for the JuiceSSH app. Also GUI, it did appear, after preliminary testing, to have terminal performance and emulation that might suit my needs.

After installing it, I was able to ssh into my OpenVMS systems with username and password; however, I'd much rather have and use public and private key authentication. This JuiceSSH app maintains connections in one list and another list is maintained for identity. In the identity list, there are options for generation of public and private key pairs. So, I selected my identity — created when I engaged JuiceSSH to connect via username and password — and clicked the option button to create public and private key pairs. In typical GUI fashion, the button changed its title to Update / Clear; thus, indicating that a key pair existed. Now, how do I get to these keys? After all, the public key has to be deposited on the system(s) to which I wanted to connect. Although it's not intuitive, clicking on the identity in the list will open a popup providing management functions for the identity. Under this heading was Export Public Key. Selecting this option, yet another popup appeared with options to share the key: Bluetooth, Gmail, Google+ Hangouts, Send Tab To Devices, and Term here. I selected Gmail which allowed me to email the public key to one of my accounts on my OpenVMS systems.

On the OpenVMS system, I opened the email containing the public key. Of course, it was not in a format usable with OpenVMS. For details, read: ssh-security — Look Ma', no passwords! I could have used the OpenVMS editor on this key file to massage it into the format acceptable to OpenVMS but, instead, I passed the key file to my Ubuntu Linux laptop where I could generate the OpenVMS format using ssh-keygen. I still do not understand why the OpenVMS ssh_keygen cannot perform this same function. Regardless, once the key was formatted to be acceptable to OpenVMS, I passed it back to the OpenVMS system. I put the key file into the account's [.SSH2] directory and modified the AUTHORIZATION. file to add this new key.
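The conversion step above, as an added example that is not part of the original post: it assumes the OpenVMS-acceptable format is the SSH2 (RFC 4716) public key file that `ssh-keygen -e` emits from a one-line OpenSSH key. It also computes the key fingerprint, so a key that travelled by email can be compared against the exported original before it is authorized; the function names and the sample key are constructed for illustration.

```python
import base64, binascii, hashlib, struct
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data

def parse_openssh_pubkey(line: str):
    """Split '<type> <base64> [comment]' and check the blob names the same type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key data is not valid base64 (mangled in transit?)") from exc
    if blob[:4 + len(parts[0])] != ssh_string(parts[0].encode()):
        raise ValueError("declared key type does not match the key blob")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form current ssh-keygen -l prints."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")

def to_rfc4716(line: str) -> str:
    """Re-wrap a one-line OpenSSH public key as an SSH2 (RFC 4716) key file."""
    _, blob, comment = parse_openssh_pubkey(line)
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # lines stay <= 72 bytes
    header = 'Comment: "%s"' % comment[:60].replace('"', "'")
    return "\n".join([BEGIN, header, *body, END]) + "\n"

def from_rfc4716(text: str) -> bytes:
    """Recover the key blob from an SSH2 key file, skipping header lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 begin/end markers")
    data, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:  # a header line, or the continuation of one
            in_header = ln.endswith("\\")
            continue
        data.append(ln)
    return base64.b64decode("".join(data), validate=True)

# Constructed sample (filler bytes, not a real key): ssh-rsa blob = type, e, n.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " tablet@example"
```

Comparing `fingerprint(from_rfc4716(...))` of the converted file with the fingerprint of the key as exported confirms that the file placed in [.SSH2] is the same key and was not altered or swapped in transit.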

Back on the Android tablet, I clicked on the connection list in JuiceSSH and connected to the OpenVMS system on which I just updated the keys. The connection was successful. The JuiceSSH had even indicated that it used the public and private keys for authentication.

I proceeded to move the tablet's public key to other systems that I might wish to ssh into. I then moved the public key to Eisner, the DECUServe system. However, there, my username is not SYSTEM and the JuiceSSH, because I set up the keys with the SYSTEM identity, wanted to connect with the SYSTEM username. So, I created another identity in JuiceSSH. I could not connect to Eisner with the appropriate username. Now, all I needed to do was pair up this new identity with the private key I'd created for the SYSTEM identity. In the same fashion as I found the Export Public Key, I found an option to export the private key. I clicked on Export Private Key. This gave me all the same sharing options as before; however, I'm leery of putting private keys in the hands of entities I don't trust. In the present case, this would be Google via their Gmail. Sending my private key through Google's email servers meant that somewhere there would be an archive of that key — unless, of course, Lois Lerner and her miscreant rogues of government/IRS conspiratorial cover-up, technology challenged dimwits, are running Gmail. I opted to simply generate a new public and private key pair for the account name associated with my Eisner account. I exported the public key, as before, converted it to the OpenVMS acceptable format, and placed it in the [.SSH2] directory of my account on Eisner.

The next task at hand — getting X11 tunneled over ssh to the X11 server that I installed on the tablet. Perhaps, this will be detailed in the next installment.
