Ethan Spoelstra espoelstra

Newer Chromebooks block sudo in crosh, so you need to Ctrl+Alt+F2 (or higher) to get to a vty where you can login as root directly. Then you should run chromeos-setdevpasswd so that you can login as chronos in the VTY and use sudo with its password to perform any necessary elevations. It still won't allow sudo in the crosh shell in a GUI session (while older ChromeOS releases do), but the vast majority of scripts like Chromebrew/et al that use sudo expect you to NOT run directly as root, so enabling sudo this way is the best option and allows you to still use some of those tools via the VTY.

#Ctrl+Alt+F2
root
chromeos-setdevpasswd
#'yourpassword'
#'yourpassword'#again
exit #or Ctrl+d

Logout of the root session and switch back to the GUI and then logout/exit any chronos session in Crosh and start a new one by typing shell in Crosh.

Using the ChromeOS host shell aka crosh for SOCKS5 tunneling

Prerequisites

Set up SSH access to the host sshd, either manually starting it or by removing the read-only protection on the rootfs. See this gist on how to do it manually which is the safest and least intrusive option. https://gist.github.com/espoelstra/c910a8f5de6ba16d09fdb2014a5d843c

Once you've gotten ssh access to the chronos user's shell you can setup an SSH config that allows forwarding of your SSH key to the next host, in this case the jump server or bastion host.

https://gist.github.com/mtds/dc1e3df84e84318b3713cce26dd54f24#socks-proxy

If you want to run some scripts and don't want to deal with copying it from Crouton or Crostini into Crosh after extracting, there are some ways to use the available tools to do everything purely in Crosh in Developer Mode.

Unzip alternative

CLI recovery.sh instead of GUI/Chrome App

If you need to make git commits you'll either need to dev_install (when they fix it) or use chromebrew.

Yubikey + Crosh

Why oh why

I want to develop some scripts for things like Chrx, Chromebrew, MrChromebox scripts etc and I don't want to register a new SSH key to my account every time I need to powerwash or use recovery on one of my Chromebooks because I messed it up. I already use my Yubikey for GPG/FIDO/U2F/SSH on all the other systems I develop on, and I only needed the SSH portion to work for this particular use case. I also didn't want to deal with using Crouton or Crostini since that requires additional downloads and more configuration and complexity.

Challenges

Since the Crosh userland doesn't have scdaemon or pcscd for talking to the smart card, I had to come up with another way to access the Yubikey and make the SSH key available. I ended up trying a few different things to make it work, but overall the solution ended up being brilliantly straightforward. Originally I tried using Chromebrew to install one of the smartcard access/manager packages, but the dependency chain ended up pulling in Gnome keyring and a

Yubikey/Nitrokey HSM/Vault

https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm/nitrokey-hsm

https://support.yubico.com/hc/en-us/articles/360013730739-YubiHSM-2-for-EJBCA-Deployment-Guide-Securing-PrimeKey-EJBCA-with-YubiHSM-2

https://www.vaultproject.io/docs/configuration

https://www.vaultproject.io/docs/configuration/entropy-augmentation

Command:

curl https://git.io/ -i -F "url=https://github.com/YOUR_GITHUB_URL" -F "code=YOUR_CUSTOM_NAME"

URLs that can be created is from:

https://github.com/*
https://*.github.com
https://*.github.com/*
https://*.github.io

	# Copyright 2019 The ChromiumOS Authors
	# Distributed under the terms of the GNU General Public License v2

	#
	# Special keyboard mapping for the Sarien project. The keyboard emits both
	# function and action scan codes depending on Fn-modifier key.

	evdev:atkbd:dmi:bvn:bvr:bd:svnDell:pnSarien:pvr*
	evdev:atkbd:dmi:bvn:bvr:bd:svnDell:pnArcada:pvr*
	evdev:atkbd:dmi:bvn:bvr:bd:svnDell:pnDrallion:pvr*

	#!/bin/bash
	# Can execute if this is only being run once, or source it to keep the Python server around
	cleanup() { pkill python3 2>/dev/null; unset CHRX_WEB_ROOT; }
	# Don't want previous `pkill -P $$` which would kill parent session if sourced?
	# trap cleanup EXIT

	# Set to Web Server for Chrome and will attempt to fallback to Python or fail
	# Use Web Server for Chrome if user doesn't pass a custom host
	: ${CHRX_WEB_ROOT:="http://localhost:8887/"}

	#!/bin/bash
	# Executed with bash unzip-file.sh someFiles.zip [destpath]
	# Destination by default is ~/Downloads/ you can override but may end up with extra folders if the zip contains one at the root
	# For long term use mkdir -p /usr/local/bin/ and put this file in that folder as `unzip` and `chmod a+x /usr/local/bin/unzip`
	ZIP_MOUNT_DIR=/media/archive/user

	ensure_archive_user_exists() {
	sudo mkdir -p ${ZIP_MOUNT_DIR}
	sudo chmod a+rwx ${ZIP_MOUNT_DIR}
	}

	#!/bin/bash
	# Manual Grub fixing for Chrx
	# This exports any variables set between -a/+a
	# while the := allows passing in an alternate path to mount/
	# Temporarily stealing /dev/sd* /dev/mmcblk* /dev/nvme* case from Chrx functions to print partitions properly
	set -a
	: ${CHRX_INSTALL_ROOT:=/tmp/chrxroot} \
	${CHRX_ROOT_DISK:=$(rootdev -s -d)} \
	${CHRX_TARGET_DISK:=$(rootdev -s -d)}
	set +a