Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothee Ravier from Red Hat, a maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to do without the sudo utility, which relies on the suid bit to escalate privileges. Instead of sudo, a normal user runs commands with root rights through the ssh client, connecting to the same system over a local UNIX socket, with authorization based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions built on container isolation components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. Access can additionally be restricted by requiring confirmation with a USB token (for example, a Yubikey).

An example of configuring OpenSSH server components for access via a local Unix socket (a separate sshd instance will be launched with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (the per-connection template unit that an Accept=yes socket requires):

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    # -i: inetd mode, the connection arrives on stdin; -f: a dedicated config file
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no
    # Restrict access to selected users
    AllowUsers root adminusername
    # Use only .ssh/authorized_keys (without .ssh/authorized_keys2)
    AuthorizedKeysFile .ssh/authorized_keys
    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Activate and launch the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client:

Install the socat utility:

    sudo dnf install socat

Add the following to ~/.ssh/config, specifying socat as the proxy for access via the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run to work from containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for the interactive shell
        RequestTTY yes
        # Remove unnecessary output
        LogLevel QUIET

In its current form, the user adminusername can now execute commands as root without entering a password. Checking that it works:

    $ ssh host.local
    [root ~]#

Create a sudohost function in bash that runs "ssh host.local", similar to sudo:

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            # No arguments: open a root login shell in the current directory
            ssh host.local "cd $(printf '%q' "${PWD}"); exec \"${SHELL}\" --login"
        else
            # %q re-quotes every argument so the remote shell receives the same
            # words; a plain \"${@}\" would collapse "ls -la" into one word
            ssh host.local "cd $(printf '%q' "${PWD}"); exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

Next, add a second factor: allow root access only when a Yubikey USB token is inserted.

Check the firmware version of the Yubikey, which determines the key algorithms it supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or greater, use ed25519-sk when generating keys, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk

or

    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Restrict the accepted key types to the FIDO-backed ones in the sshd configuration, /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com

Restrict access to the UNIX socket to the only user who is allowed to elevate privileges (in our example, adminusername). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
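The setup above only holds if all three pieces stay consistent: no password path, only sk- (FIDO) key types, and a socket nobody but the admin user can open. The following bash script is an added audit check, not part of the article or of Ravier's setup; it reads the sshd_config_unix and sshd-unix.socket files described above (pass their paths and the admin user name, adminusername in the article) and returns the number of settings that deviate from the hardened state.

```bash
#!/usr/bin/env bash
# Audit the socket-bound sshd setup: FIDO-only keys, no passwords, restricted socket.

# Value of the first uncommented occurrence of an sshd_config directive
# (sshd honours the first match); prints nothing if the directive is absent.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Value of the last Key=Value line in a systemd unit file (systemd: last wins).
unit_setting() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_unix_sshd SSHD_CONFIG SOCKET_UNIT ADMINUSER
# Prints one line per check; returns the number of failed checks (0 = all pass).
check_unix_sshd() {
    local cfg="$1" unit="$2" admin="$3" fails=0
    want() {  # want DESCRIPTION ACTUAL EXPECTED
        if [ "$2" = "$3" ]; then printf 'ok    %s = %s\n' "$1" "$2"
        else printf 'FAIL  %s: got "%s", want "%s"\n' "$1" "$2" "$3"; fails=$((fails + 1)); fi
    }
    want PermitRootLogin        "$(sshd_directive "$cfg" PermitRootLogin)"        prohibit-password
    want PasswordAuthentication "$(sshd_directive "$cfg" PasswordAuthentication)" no
    want PermitEmptyPasswords   "$(sshd_directive "$cfg" PermitEmptyPasswords)"   no
    want GSSAPIAuthentication   "$(sshd_directive "$cfg" GSSAPIAuthentication)"   no
    # Every accepted key type must be an sk- (FIDO) type; otherwise a plain key
    # in authorized_keys works without the token. An absent directive also fails.
    local types non_sk
    types=$(sshd_directive "$cfg" PubkeyAcceptedKeyTypes)
    non_sk=$(printf '%s\n' "$types" | tr ',' '\n' | grep -vc '^sk-' || true)
    want "non-sk entries in PubkeyAcceptedKeyTypes" "$non_sk" 0
    case " $(sshd_directive "$cfg" AllowUsers) " in
        *" $admin "*) want "AllowUsers lists $admin" yes yes ;;
        *)            want "AllowUsers lists $admin" no  yes ;;
    esac
    # The socket itself must be owned by the admin user and closed to everyone else.
    want SocketMode "$(unit_setting "$unit" SocketMode)" 0660
    want SocketUser "$(unit_setting "$unit" SocketUser)" "$admin"
    return "$fails"
}

# Usage: check_unix_sshd.sh /etc/ssh/sshd_config_unix /etc/systemd/system/sshd-unix.socket adminusername
if [ "$#" -eq 3 ]; then check_unix_sshd "$@"; fi
```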

Source: opennet.ru
