by wiredfool 3186 days ago
I tried to use a Chromebook as an on-the-go machine where I wouldn't be too worried if it was stolen, but I wasn't successful. The requirements were:

  * Not Developer mode. I want the full security of verified boot.

  * All security keys and whatnot needed to be on the YubiKey.

The ssh client did work with ssh-agent and the YubiKeys, so that was good. Establishing ssh sessions from remote machines in parallel didn't work well (e.g., using Capistrano), but that's an easyish hack to do serially. I found the ssh client to be a little wonky and not terribly stable.

Termux seemed to be a good alternative, but I couldn't get gpg-agent working with the YubiKey.

2 comments

> Not Developer mode. I want the full security of verified boot.

So you ran something inside of ChromeOS? It seems like a better option would be to replace the bootloader with CoreBoot (which doesn't have a dev mode) and you can add your own keys for whatever OS you choose.

Which seems the hard way to get to an OS that I have to manage myself. If I wanted a Linux machine, I'd get a ThinkPad or something and do it that way.

I have to trust something, somewhere. With ChromeOS + ssh and the keys stored on a YubiKey, I'm pretty sure that if someone lifts the machine without the key, there's not a whole lot they can do with it, other than factory reset it and move on.

In doing that though, I am trusting a few bits of software from the Chrome app store, and that's probably the weakest link. But it's an order of magnitude less code than a Linux distro.

How did you set up ssh-agent?

I'm using nassh, with the smart card connector and openpgp smartcard support.

In the nassh ssh relay server options, I'm using '--ssh-agent=gdbjpffhcollcplpbjehfhpfcpdoicob'

https://chrome.google.com/webstore/detail/secure-shell/pnhec...

https://chrome.google.com/webstore/detail/secure-shell-openp...

https://chrome.google.com/webstore/detail/smart-card-connect...