Using SSH over a UNIX socket instead of sudo to get rid of suid binaries

Timothee Ravier from Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, an ordinary user runs commands with root rights through the ssh client, connecting to the same machine over a local UNIX socket and authenticating with SSH keys.

Using ssh in place of sudo makes it possible to remove suid programs from the system and to run privileged commands from the isolated environments of distributions built on container isolation, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authentication can additionally be bound to a USB token (for example, a Yubikey).

Example configuration of the OpenSSH server side for access over a local Unix socket. A second sshd instance is started with its own configuration file, so the regular network-facing sshd and its settings are left untouched:

/etc/systemd/system/sshd-unix.socket:

[Unit]
Description=OpenSSH Server Unix Socket
Documentation=man:sshd(8) man:sshd_config(5)

[Socket]
ListenStream=/run/sshd.sock
Accept=yes

[Install]
WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

[Unit]
Description=OpenSSH per-connection server daemon (Unix socket)
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.target
After=sshd-keygen.target

[Service]
ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
StandardInput=socket

/etc/ssh/sshd_config_unix:

# Allow key-based authentication only
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no

# Restrict access to the selected users
AllowUsers root adminusername

# Consult only the default authorized_keys file, nothing else
AuthorizedKeysFile .ssh/authorized_keys

# Enable sftp
Subsystem sftp /usr/libexec/openssh/sftp-server

Because this file is read only by the socket-activated instance (via the -f option above), none of these restrictions apply to the network sshd, and vice versa.

Enable and start the systemd socket unit:

sudo systemctl daemon-reload
sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys (the only file this instance consults, per the AuthorizedKeysFile setting above).

Set up the SSH client.

Install the socat utility, which will relay the SSH client's stdin/stdout to the Unix socket:

sudo dnf install socat

Add an entry to ~/.ssh/config that uses socat as a proxy command for reaching the UNIX socket:

Host host.local
User root
# Use /run/host/run instead of /run so that this also works from inside a container (toolbox)
ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
# Path to the SSH key
IdentityFile ~/.ssh/keys/localroot
# Enable TTY support for interactive shells
RequestTTY yes
# Hide unnecessary output
LogLevel QUIET

At this point the user adminusername can run commands as root without entering a password. Check that it works:

$ ssh host.local
[root ~]#

Root access now rests entirely on possession of the private key named in IdentityFile, so that file deserves the same protection as the root password it replaces.

We define a sudohost function in bash that runs "ssh host.local" in a sudo-like way, keeping the current working directory:

sudohost() {
    if [[ ${#} -eq 0 ]]; then
        ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
    else
        ssh host.local "cd \"${PWD}\"; exec \"${@}\""
    fi
}

Note that the second branch hands all arguments to the remote shell as a single quoted word, so as written it works for one-word commands such as id; a command with arguments ("ls -la") would be looked up as a program named "ls -la".

Check:

$ sudohost id
uid=0(root) gid=0(root) groups=0(root)
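A quoting-safe variant of the sudohost helper, added here as an example and not taken from the original article or from Timothee Ravier's post. Each argument is single-quoted on its own before it reaches the remote login shell, so commands with arguments, spaces and embedded quotes survive the trip. The builder is split off from the ssh call so it can be inspected without a socket sshd running; the host alias host.local is assumed to be the one configured in ~/.ssh/config above.

```sh
#!/bin/sh
# Added example, not part of the original article: quoting-safe sudohost.
# The original passes the command as exec \"${@}\", which glues every argument
# into one quoted word. Here each argument is quoted individually.

# Single-quote a string for the remote shell, escaping embedded quotes as '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command line the remote shell will evaluate.
# $1 = directory to change into, remaining arguments = command and its arguments.
sudohost_remote_cmd() {
    dir=$1; shift
    if [ $# -eq 0 ]; then
        # No arguments: open an interactive login shell in the caller's directory.
        printf 'cd %s; exec %s --login' "$(shquote "$dir")" "$(shquote "${SHELL:-/bin/sh}")"
    else
        args=""
        for a in "$@"; do
            args="$args $(shquote "$a")"
        done
        printf 'cd %s; exec%s' "$(shquote "$dir")" "$args"
    fi
}

# Drop-in replacement for the sudohost function above (host.local is assumed).
sudohost() {
    ssh host.local "$(sudohost_remote_cmd "$PWD" "$@")"
}
```

With this version, sudohost ls -la "my file" sends cd '/current/dir'; exec 'ls' '-la' 'my file' to the remote shell, which is exactly the argument vector the caller typed.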

Next, we add a hardware-bound key and enable two-factor authentication, so that root access is granted only while the Yubikey USB token is plugged in.

Check which key algorithms the connected Yubikey supports (bcdDevice carries the firmware version):

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk (ed25519-sk support requires Yubikey firmware 5.2.3 or later):

ssh-keygen -t ed25519-sk
or
ssh-keygen -t ecdsa-sk

Add the resulting public key to /root/.ssh/authorized_keys.

Restrict the accepted key types in the sshd configuration so that only FIDO-backed (sk) keys are accepted:

/etc/ssh/sshd_config_unix:

PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

On OpenSSH 8.5 and later this keyword is named PubkeyAcceptedAlgorithms; the old name is still accepted as an alias. After this change the non-hardware key added earlier no longer authenticates against this instance, so remove it from /root/.ssh/authorized_keys, where it no longer serves any purpose.

Restrict access to the Unix socket to the user who is allowed to gain elevated privileges (adminusername in our example). Without this, systemd creates the socket with its default mode of 0666, so any local account can reach the sshd instance and key authentication is the only barrier. In /etc/systemd/system/sshd-unix.socket add:

[Socket]
...
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660

Then run systemctl daemon-reload and restart sshd-unix.socket so that the socket is recreated with the new owner and mode.
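An offline audit of the two files that decide who can reach the socket sshd, added here as an example and not part of the original article or of Timothee Ravier's post. It checks the sshd_config_unix settings and the socket unit's ownership and mode against the values given above, so a misconfiguration (password authentication left on, AllowUsers missing, socket left at systemd's default 0666) is flagged before it reaches production. File paths are passed as arguments and the weak and hardened sample files it writes are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original article: audit sshd_config_unix
# and sshd-unix.socket for the settings this setup relies on.

# Effective value of an sshd_config keyword: sshd takes the first occurrence.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Value of a Key=Value setting in a systemd unit: the last assignment wins.
unit_opt() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_sshd_unix CONFIG SOCKET_UNIT -> exit status 0 only when every check passes.
audit_sshd_unix() {
    cfg=$1; sock=$2; rc=0
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "prohibit-password" ] ||
        { echo "FAIL: PermitRootLogin must be prohibit-password"; rc=1; }
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] ||
        { echo "FAIL: AllowUsers unset: any local account with a key may log in"; rc=1; }
    # systemd's default SocketMode is 0666, so an explicit restrictive mode is required.
    mode=$(unit_opt "$sock" SocketMode)
    case "$mode" in
        0660|0600) ;;
        *) echo "FAIL: SocketMode is '${mode:-unset}', expected 0660 or 0600"; rc=1 ;;
    esac
    [ -n "$(unit_opt "$sock" SocketUser)" ] ||
        { echo "FAIL: SocketUser unset: socket will be owned by root"; rc=1; }
    return $rc
}

# Write a weak and a hardened sample pair into directory $1 (constructed data).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/weak.socket" <<'EOF'
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no
AllowUsers root adminusername
AuthorizedKeysFile .ssh/authorized_keys
EOF
    cat > "$1/hardened.socket" <<'EOF'
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
EOF
}

# Usage: sh audit.sh --demo   (runs both sample pairs and reports)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    echo "== weak =="; audit_sshd_unix "$d/weak.conf" "$d/weak.socket" || echo "weak: NOT OK"
    echo "== hardened =="; audit_sshd_unix "$d/hardened.conf" "$d/hardened.socket" && echo "hardened: OK"
    rm -r "$d"
fi
```

To check a live system, call audit_sshd_unix /etc/ssh/sshd_config_unix /etc/systemd/system/sshd-unix.socket; a non-zero exit status with the printed FAIL lines tells you which of the settings above is missing.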

source: budenet.ru
