Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothée Ravier from Red Hat, a maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid using the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, an ordinary user who needs to run commands with root privileges would use the ssh utility over a local connection to the same system through a UNIX socket, with authorization verified by SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions built on container isolation, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authorization can additionally require confirmation with a USB token (for example, a Yubikey).

An example of configuring the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key-based authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to selected users
    AllowUsers root adminusername

    # Only allow keys from .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Configuring the SSH client.

Install the socat utility:

    sudo dnf install socat

Add an entry to ~/.ssh/config that uses socat as the proxy for connecting through the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so this also works from inside containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Silence unnecessary output
        LogLevel QUIET

In this form, the user adminusername can already run commands as root without entering a password. Checking that it works:

    $ ssh host.local
    [root ~]#

We create a sudohost function in bash that runs "ssh host.local", analogous to sudo:

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            # No arguments: open an interactive root login shell in the current directory
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            # Re-quote each argument with %q so multi-word commands survive the remote shell
            ssh host.local "cd \"${PWD}\"; exec $(printf '%q ' "${@}")"
        fi
    }

Checking:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

We extend authentication to a second factor, allowing root access only while a Yubikey USB token is inserted.

Check which algorithms the current Yubikey supports by reading its firmware version:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the result is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk

or

    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Restrict the accepted key types in the sshd configuration to the FIDO (sk-*) types, in /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Restrict access to the Unix socket to the one user who is allowed to obtain elevated privileges (adminusername in our example). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
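As an added example (not from the article or from Timothée Ravier's setup), the following POSIX shell script audits an sshd_config_unix file and an sshd-unix.socket unit for the settings the procedure above ends with, so drift such as password login being re-enabled, a non-FIDO key type being accepted, or the socket becoming world-accessible is caught before the socket is enabled. The file paths and the admin user name are assumptions passed in as arguments; the sample files are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the article or Timothée Ravier's setup): audit the
# sshd_config_unix file and the sshd-unix.socket unit for the settings the
# article ends up with, so drift (passwords re-enabled, a non-FIDO key type
# accepted, a world-accessible socket) is caught before the socket is enabled.

# has_line FILE REGEX: true if an uncommented line of FILE matches REGEX
has_line() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# audit_sshd_unix CONFIG SOCKET_UNIT ADMIN_USER: prints each failed check,
# returns 0 only if every check passes
audit_sshd_unix() {
    _cfg=$1; _sock=$2; _admin=$3; _rc=0
    has_line "$_cfg" 'PasswordAuthentication[[:space:]]+no' || { echo "FAIL: PasswordAuthentication no"; _rc=1; }
    has_line "$_cfg" 'PermitEmptyPasswords[[:space:]]+no'   || { echo "FAIL: PermitEmptyPasswords no"; _rc=1; }
    has_line "$_cfg" 'GSSAPIAuthentication[[:space:]]+no'   || { echo "FAIL: GSSAPIAuthentication no"; _rc=1; }
    has_line "$_cfg" 'PermitRootLogin[[:space:]]+prohibit-password' || { echo "FAIL: PermitRootLogin prohibit-password"; _rc=1; }
    # After the Yubikey step, every accepted key type must be a FIDO (sk-*) type
    _types=$(grep -Ei '^[[:space:]]*PubkeyAcceptedKeyTypes[[:space:]]' "$_cfg" | awk '{print $2}' | tr ',' ' ')
    [ -n "$_types" ] || { echo "FAIL: PubkeyAcceptedKeyTypes not set"; _rc=1; }
    for _t in $_types; do
        case $_t in sk-*) ;; *) echo "FAIL: non-FIDO key type $_t accepted"; _rc=1 ;; esac
    done
    # The socket must belong to the admin user and must not be world-accessible
    has_line "$_sock" "SocketUser=$_admin" || { echo "FAIL: SocketUser=$_admin"; _rc=1; }
    has_line "$_sock" 'SocketMode=0660'    || { echo "FAIL: SocketMode=0660"; _rc=1; }
    return $_rc
}

# write_samples: constructed copies of the article's files, hardened and drifted;
# prints the directory that holds them
write_samples() {
    _dir=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
        'PermitEmptyPasswords no' 'GSSAPIAuthentication no' 'AllowUsers root adminusername' \
        'PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com' \
        > "$_dir/good.conf"
    printf '%s\n' '[Socket]' 'ListenStream=/run/sshd.sock' 'Accept=yes' \
        'SocketUser=adminusername' 'SocketGroup=adminusername' 'SocketMode=0660' > "$_dir/good.socket"
    # Drifted copies: password login back on, plain ssh-ed25519 accepted, socket mode 0666
    sed -e 's/^PasswordAuthentication no/PasswordAuthentication yes/' \
        -e 's/,sk-ssh-ed25519@openssh.com/,ssh-ed25519/' "$_dir/good.conf" > "$_dir/bad.conf"
    sed 's/^SocketMode=0660/SocketMode=0666/' "$_dir/good.socket" > "$_dir/bad.socket"
    echo "$_dir"
}
```

Run it against the real files with `audit_sshd_unix /etc/ssh/sshd_config_unix /etc/systemd/system/sshd-unix.socket adminusername`; the exit status is non-zero whenever any check fails.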

Source: opennet.ru
