Secure Shell ssh known hosts


Y Wang

Feb 25, 2025, 7:58:52 PM
to chromium-hterm
Hi everyone, I'm trying to add ssh known hosts. I understand I could simply edit the /etc/ssh/ssh_known_hosts through the nassh_preferences_editor.

But if I have multiple machines that I'm managing, what's the best way to manage this? Is there a way similar to adding a /etc/ssh/ssh_known_hosts file on a MacBook?

Mike Frysinger

Feb 25, 2025, 9:20:08 PM
to Y Wang, chromium-hterm
/etc/ssh/ssh_known_hosts is labeled as a synced preference in the options page, so if you change it, the settings show up on all systems.
to be clear, this only affects the extension.  there is no way for the extension to read/write system or user files.
(i mean, it could be implemented to a degree, but it's really not worth the hassle, nor the terrible UX.)

so if you're asking how to sync settings between native `ssh` run on your system with the Secure Shell extension, the answer is "you have to do it by hand".
-mike
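
A sketch of the by-hand sync described above, as an added example (not part of the original thread and not the Secure Shell project's code): it merges known_hosts text copied from several machines into one validated, de-duplicated blob that can be pasted into the extension's /etc/ssh/ssh_known_hosts preference, rejecting lines whose key blob does not match the declared key type. The function names are hypothetical, and the host names and zero-filled key blobs are constructed placeholders.

```python
import base64

MARKERS = {"@cert-authority", "@revoked"}  # optional first field of a known_hosts line

def blob_key_type(b64):
    """Return the key type string embedded at the start of an SSH public key blob."""
    raw = base64.b64decode(b64, validate=True)
    n = int.from_bytes(raw[:4], "big")  # 4-byte big-endian length of the type string
    if len(raw) < 4 or n == 0 or 4 + n > len(raw):
        raise ValueError("bad length prefix in key blob")
    return raw[4:4 + n].decode("ascii")

def parse_line(line):
    """Return (marker, hosts, keytype, key); None for blank or comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = fields.pop(0) if fields[0] in MARKERS else ""
    if len(fields) < 3:
        raise ValueError("expected: [marker] hosts keytype base64-key")
    hosts, keytype, key = fields[:3]
    if blob_key_type(key) != keytype:
        raise ValueError("key blob does not match declared type " + keytype)
    return marker, hosts, keytype, key

def merge_known_hosts(*sources):
    """Merge known_hosts texts; return (merged_text, [(bad_line, reason), ...])."""
    seen, merged, rejected = set(), [], []
    for text in sources:
        for line in text.splitlines():
            try:
                entry = parse_line(line)
            except ValueError as exc:
                rejected.append((line, str(exc)))
                continue
            if entry and entry not in seen:  # trailing comments dropped, so duplicates collapse
                seen.add(entry)
                merged.append(" ".join(f for f in entry if f))
    return "\n".join(merged) + "\n", rejected

def fake_key(keytype):
    # Constructed placeholder: correct type header, zero-filled body. Not a real key.
    t = keytype.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + bytes(32)).decode()

ED = fake_key("ssh-ed25519")  # constructed sample input below
LAPTOP = f"bastion.example.com ssh-ed25519 {ED}\n# jump host\n"
DESKTOP = (f"bastion.example.com ssh-ed25519 {ED} from-desktop\n"
           f"@cert-authority *.example.com ssh-ed25519 {ED}\n"
           f"db.example.com ssh-rsa {ED}\n")  # declared type disagrees with blob
```

Calling `merge_known_hosts(LAPTOP, DESKTOP)` returns the merged text plus a list of rejected lines to review before pasting anything into the synced preference.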


Y Wang

Feb 25, 2025, 11:51:47 PM
to chromium-hterm, vap...@chromium.org, chromium-hterm, Y Wang
Thanks so much Mike for the response!

I've got a few enterprise-managed Chromebooks where I need to distribute SSH known_hosts information. Do you know what might be the best way to do so, other than asking users to manually copy and paste?
Is there a similar way, such as using Puppet, to distribute such information somewhere?

Also, here is an answer some AI assistant gave me. The second option might not be feasible because these Chromebooks don't have Linux enabled.
  • SSH Known Hosts Policy:
    • In the Google Admin console, navigate to Devices > Chrome > Settings
    • Find the "Linux development environment" section
    • Look for SSH policies, specifically for configuring known hosts
    • You can upload your known_hosts file content here and it will be deployed to all managed Chromebooks
  • If direct SSH known_hosts policy isn't available:
    • Use the "Linux container initial user shell script" policy
    • Create a script that writes to /home/username/.ssh/known_hosts within the Linux container
    • This script will run when the Linux environment is first set up on each device

Liam Murphy

Feb 25, 2025, 11:51:47 PM
to chromium-hterm, Mike Frysinger, chromium-hterm, Y Wang
Thanks for the clarification Mike.


When we saw https://chromium-review.googlesource.com/c/apps/libapps/+/5468432 we thought it meant syncing from the local device.

Mike Frysinger

Feb 25, 2025, 11:58:07 PM
to Liam Murphy, chromium-hterm, Y Wang
i get how it can be confusing, and we should prob add clarifying docs/text to the options page to explain things.  maybe even just a FAQ to start with.

the referenced CL talks about paths inside the virtual filesystem that wassh implements.  WASM is basically a bare-metal environment which means we have to implement the OS (syscalls) and similar support services (e.g. filesystems, network stacks, etc...).
-mike

Mike Frysinger

Feb 26, 2025, 12:02:28 AM
to Y Wang, chromium-hterm
this has been a periodic request from Google corp ... i've outlined what we need to pull it off, but since i don't have the cycles to implement it, and no one in CrOS is asking for it, the request seems to fizzle out.  at least, until the next person comes along ;).  there was even a doc or two written at some point.

https://issuetracker.google.com/41451622 is the key starting point.
-mike

Y Wang

Feb 26, 2025, 5:14:55 AM
to chromium-hterm, vap...@chromium.org, chromium-hterm, Y Wang
Thank you Mike for the kind response!

Regarding the issue you raised, I'm wondering roughly what would be required, do you know?
And how do people contribute to it if they have the time, e.g. myself?

Mike Frysinger

Feb 26, 2025, 12:40:32 PM
to Y Wang, chromium-hterm
go/secure-shell-managed-profiles was a previous discussion for distributing configs.  part of it was host CA certificates for host keys.  i don't know if that covers your use case.

i'm not familiar with the admin side of things and how much flexibility there is for distributing diff configs to diff subsets of users.

Secure Shell extension is open source, so anyone can propose changes.

Y Wang

Feb 26, 2025, 7:07:03 PM
to chromium-hterm, vap...@chromium.org, chromium-hterm, Y Wang
Thanks Mike for the response. I cannot seem to open the go link, not from corp account either :(

Mike Frysinger

Feb 26, 2025, 7:11:05 PM
to Y Wang, chromium-hterm
heh, they wrote the go/ link in the doc, but didn't create it.  i set it up now, so please retry.
-mike