In this post we will work out a procedure for emergency access to SSH hosts using external hardware security keys. It is only one possible approach, and you can adapt it to your own needs. We will keep the SSH certificate authority for our hosts on the hardware security key. The scheme works with almost any OpenSSH, including SSH with single sign-on.
Why this? Well, it is a last-resort option. It is a back door that lets you get into your server when, for whatever reason, nothing else works.
Why use certificates rather than public/private key pairs for emergency access?
- Unlike public keys, certificates can have a very short lifetime. You can generate a certificate that is valid for one minute, or even for five seconds. After that time the certificate can no longer be used for new connections. This is ideal for emergency access.
- You can create a certificate for any account on your hosts and, if needed, send "one-time" certificates to colleagues.
What you need
- Hardware security keys that support resident keys.
Resident keys are cryptographic keys stored entirely inside the security key. Sometimes they are protected by an alphanumeric PIN. The public part of a resident key can be exported from the security key, optionally together with the private-key handle. For example, Yubikey 5 USB keys support resident keys. It is desirable that they be dedicated to emergency access to the host. For this post I will use only one key, but you should have a second key as a backup.
- A safe place to store those keys.
- OpenSSH version 8.2 or later on your local computer and on the servers you want emergency access to. Ubuntu 20.04 ships with OpenSSH 8.2.
- (optional, but recommended) A CLI tool for inspecting certificates.
Preparation
First, you need to create a certificate authority that will live on the hardware security key. Insert the key and run:
$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]
As the comment (-C) I specified [email protected] so that you do not forget which security key this certificate authority belongs to.
Besides adding the key to the Yubikey, two files are created in the current directory:
- sk-user-ca, a key handle that refers to the private key stored on the security key,
- sk-user-ca.pub, which is the public key of your certificate authority.
Don't worry: the Yubikey holds a further private key that cannot be extracted. So everything here is reliable.
On the hosts, as root, add this (if it is not already there) to your SSHD configuration (/etc/ssh/sshd_config):
TrustedUserCAKeys /etc/ssh/ca.pub
Then, on the host, add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub
Restart the daemon:
# /etc/init.d/ssh restart
Now we can try to log in to the host. But first we need a certificate. Create a key pair that will be bound to the certificate:
$ ssh-keygen -t ecdsa -f emergency
Certificates and SSH key pairs
It is sometimes tempting to treat a certificate as a replacement for a public/private key pair. But a certificate alone is not enough to authenticate a user. Every certificate has a private key associated with it. That is why we must generate this "emergency" key pair before issuing a certificate. The point is that we present the signed certificate to the server, and it names the key pair for which we hold the private key. So the public-key exchange is alive and well; it works with certificates too. Certificates merely remove the need for the server to store public keys.
Next, create the certificate itself. I need authorization as the ubuntu user for 10 minutes. You can do it your own way.
$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency
You will be prompted to touch the key with your finger to sign the certificate. You can add more user names separated by commas, for example -n ubuntu,carl,ec2-user
That's it, you have your certificate! Next you need to set the proper permissions:
$ chmod 600 emergency-cert.pub
After that you can inspect the contents of your certificate:
$ step ssh inspect emergency-cert.pub
Here is what mine looks like:
emergency-cert.pub
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
Here the public key is that of the emergency key pair we generated, and the signing CA corresponds to sk-user-ca, our certificate authority.
Now we are ready to run the SSH command:
$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$
- You can create certificates for any user on any host that trusts your certificate authority.
- You can delete the emergency key pair. You may keep sk-user-ca, but you do not have to, because it is on the security key. You may also want to remove the original PEM public key from your hosts (for example from ~/.ssh/authorized_keys of the ubuntu user) if you used it for emergency access.
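To make concrete what the inspect output above shows, and what the "Certificates and SSH key pairs" section means when it says the certificate names the key pair we hold the private key for, here is an added example (not code from the original post) that encodes and decodes the OpenSSH ecdsa-sha2-nistp256-cert-v01@openssh.com certificate layout and applies the same acceptance checks sshd makes: user certificate, principal listed, current time inside the validity window. The EC point, CA key, nonce and signature bytes are constructed placeholders (nothing is actually signed, and signature verification is deliberately out of scope), and the sample reuses the key ID, principal, 10-minute window and extensions from the output above; the UTC time zone for that window is an assumption.

```python
import base64
import struct
from datetime import datetime, timezone

CERT_TYPE = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 2 would be a host certificate

# Wire-format helper: an SSH "string" is a big-endian uint32 length followed by the bytes.
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def read_string_list(blob: bytes):
    """Principals are a string whose payload is a sequence of strings."""
    items, off = [], 0
    while off < len(blob):
        s, off = read_string(blob, off)
        items.append(s.decode())
    return items

def read_name_data_pairs(blob: bytes):
    """Extensions and critical options are name/data string pairs; we keep the names."""
    names, off = [], 0
    while off < len(blob):
        name, off = read_string(blob, off)
        _data, off = read_string(blob, off)
        names.append(name.decode())
    return names

def build_cert(key_id, principals, valid_after, valid_before, extensions) -> str:
    """Encode a user certificate; key material and signature are constructed placeholders."""
    body = b"".join([
        ssh_string(CERT_TYPE.encode()),
        ssh_string(b"\x00" * 32),                        # nonce (constructed)
        ssh_string(b"nistp256"),                         # curve name
        ssh_string(b"constructed-ec-point"),             # public key of the "emergency" pair
        struct.pack(">Q", 0),                            # serial
        struct.pack(">I", SSH_CERT_TYPE_USER),
        ssh_string(key_id.encode()),
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),
        struct.pack(">Q", int(valid_after.timestamp())),
        struct.pack(">Q", int(valid_before.timestamp())),
        ssh_string(b""),                                 # critical options (none)
        ssh_string(b"".join(ssh_string(e.encode()) + ssh_string(b"") for e in extensions)),
        ssh_string(b""),                                 # reserved
        ssh_string(b"constructed-ca-public-key"),        # signature key: the CA's public key
        ssh_string(b"constructed-signature"),            # CA signature over everything above
    ])
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} emergency"

def parse_cert(line: str) -> dict:
    """Decode the fields sshd reads before deciding whether to accept the certificate."""
    buf = base64.b64decode(line.split()[1])
    cert_type, off = read_string(buf, 0)
    _nonce, off = read_string(buf, off)
    curve, off = read_string(buf, off)
    public_key, off = read_string(buf, off)
    serial, kind = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = read_string(buf, off)
    principals, off = read_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    off += 16
    critical, off = read_string(buf, off)
    extensions, off = read_string(buf, off)
    _reserved, off = read_string(buf, off)
    signature_key, off = read_string(buf, off)
    signature, off = read_string(buf, off)
    assert off == len(buf), "trailing bytes after certificate"
    return {"type": cert_type.decode(), "curve": curve.decode(), "public_key": public_key,
            "serial": serial, "cert_type": kind, "key_id": key_id.decode(),
            "principals": read_string_list(principals),
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": read_name_data_pairs(critical),
            "extensions": read_name_data_pairs(extensions),
            "signature_key": signature_key, "signature": signature}

def check_cert(cert: dict, username: str, now_epoch: int):
    """Acceptance checks applied after the CA signature verifies (verification itself is omitted here).
    An empty principal list means the certificate is valid for any user."""
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if cert["principals"] and username not in cert["principals"]:
        return False, f"principal {username!r} not listed"
    if now_epoch < cert["valid_after"]:
        return False, "not yet valid"
    if now_epoch >= cert["valid_before"]:
        return False, "expired"
    return True, "ok"

# Constructed sample mirroring the inspect output: 10-minute window, one principal, default extensions.
VALID_AFTER = datetime(2020, 6, 24, 16, 53, 3, tzinfo=timezone.utc)
VALID_BEFORE = datetime(2020, 6, 24, 17, 3, 3, tzinfo=timezone.utc)
EXTENSIONS = ["permit-X11-forwarding", "permit-agent-forwarding",
              "permit-port-forwarding", "permit-pty", "permit-user-rc"]
SAMPLE_CERT_LINE = build_cert("test-key", ["ubuntu"], VALID_AFTER, VALID_BEFORE, EXTENSIONS)

if __name__ == "__main__":
    cert = parse_cert(SAMPLE_CERT_LINE)
    for t in (cert["valid_after"] + 120, cert["valid_before"] + 60):
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), check_cert(cert, "ubuntu", t))
```

The decoded structure is why the short lifetime from the -V option is enforceable without any revocation list: valid_after and valid_before are signed into the certificate, and a server whose clock is past valid_before rejects it regardless of how many copies exist.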
Emergency access: action plan
Plug in the security key and run the command:
$ ssh-add -K
This adds the certificate authority's public key and key handle to the SSH agent.
Now export the public key in order to create a certificate:
$ ssh-add -L | tail -1 > sk-user-ca.pub
Create a certificate with an expiry of, say, no more than one hour:
$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub
And now SSH again:
$ ssh -i emergency username@host
If your .ssh/config file gets in the way when connecting, you can run ssh with the -F none option to bypass it. If you need to send a certificate to a colleague, the simplest and most secure option
What I like about this approach is the hardware backing. You can lock your security keys in a safe, and they will not go anywhere.
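The export step above uses tail -1, which assumes the CA is the last key the agent lists; on a laptop that already holds a daily-use key the wrong line can end up in sk-user-ca.pub and signing then fails or, worse, signs with a key no host trusts. As an added example (not part of the original post), the following selects the agent key by its security-key ECDSA type and, optionally, by the SHA256 fingerprint recorded earlier as "Signing CA" in the inspect output, computed the way ssh-keygen -l prints it. The agent output and the key blobs inside it are constructed and are not real keys; the comment "ssh:" on the resident key line is an assumption.

```python
import base64
import hashlib

SK_ECDSA_TYPE = "sk-ecdsa-sha2-nistp256@openssh.com"

# Constructed `ssh-add -L` output in which the resident CA key is NOT the last line,
# which is exactly the situation in which `tail -1` exports the wrong key.
SAMPLE_AGENT_OUTPUT = "\n".join([
    SK_ECDSA_TYPE + " " + base64.b64encode(b"constructed-sk-ecdsa-ca-blob").decode() + " ssh:",
    "ssh-ed25519 " + base64.b64encode(b"constructed-ed25519-blob").decode() + " alice@laptop",
])

def openssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 of the digest, padding stripped."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def select_ca_key(agent_output: str, expected_fingerprint: str = "") -> str:
    """Return the single agent key that is a security-key ECDSA key and, if a fingerprint
    is given, matches it. Raise if there is not exactly one, instead of guessing."""
    candidates = [ln for ln in agent_output.splitlines() if ln.split()[:1] == [SK_ECDSA_TYPE]]
    if expected_fingerprint:
        candidates = [ln for ln in candidates if openssh_fingerprint(ln) == expected_fingerprint]
    if len(candidates) != 1:
        raise LookupError(f"expected exactly one CA key in the agent, found {len(candidates)}")
    return candidates[0]

if __name__ == "__main__":
    # Real usage would pass the output of `ssh-add -L` and the fingerprint noted at setup time.
    ca_line = select_ca_key(SAMPLE_AGENT_OUTPUT)
    print(openssh_fingerprint(ca_line))
    with open("sk-user-ca.pub", "w") as f:
        f.write(ca_line + "\n")
```

Recording the CA fingerprint when the key is created, and checking it here, turns the export into a verified step rather than a positional guess.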
Source: www.habr.com