Writing an emergency access procedure for SSH hosts with hardware keys

In this post, we'll build an emergency access procedure for SSH hosts using offline hardware security keys. This is just one approach, and you can adapt it to your needs. We'll store the SSH certificate authority for our hosts on a hardware security key. This scheme will work with almost any OpenSSH setup, including SSH with single sign-on.

What is this for? Well, this is the option of last resort. It is a fallback that lets you get into your server when, for whatever reason, nothing else works.

Why use certificates instead of public/private keys for emergency access?

  • Unlike public keys, certificates can be very short-lived. You can issue a certificate that is valid for 1 minute or even 5 seconds. After that period, the certificate can no longer be used for new connections. This is ideal for emergency access.
  • You can issue certificates for any account on your hosts and, if needed, send short-lived "one-time" certificates to colleagues.

What you need

  • Hardware security keys that support resident keys.
    Resident keys are cryptographic keys stored entirely inside the security key. They are sometimes protected by an alphanumeric PIN. The public part of a resident key can be exported from the security key, optionally together with the private key handle. For example, YubiKey 5 series USB keys support resident keys. For these instructions I use only one key, but you should have a second one as a backup.
  • A secure place to store those keys.
  • OpenSSH version 8.2 or later on your local machine and on the servers you want emergency access to. Ubuntu 20.04 ships with OpenSSH 8.2.
  • (optional, but recommended) A CLI tool for inspecting certificates.

Preparation

First, you need to create a certificate authority that will live on the hardware key. Insert the key and run:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

As the comment (-C) I specified [email protected], so that you don't forget which security key this certificate authority belongs to.

Besides adding the key to the YubiKey, two files will be created locally:

  1. sk-user-ca, the key handle that references the private key stored on the security key,
  2. sk-user-ca.pub, which will be the public key of your certificate authority.

But don't worry: the YubiKey holds another private key that cannot be retrieved. So everything is secure here.

On the hosts, as root, add (if you haven't already) the following to your SSHD configuration (/etc/ssh/sshd_config):

TrustedUserCAKeys /etc/ssh/ca.pub

Then on the host, add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub

Restart the daemon:

# /etc/init.d/ssh restart

Now we can try to access the host. But first we need a certificate. Create a key pair that will be associated with the certificate:

$ ssh-keygen -t ecdsa -f emergency

Certificates and SSH key pairs
Sometimes it is tempting to use a certificate as a replacement for a public/private key pair. But a certificate alone is not enough to authenticate a user. Every certificate also has a private key associated with it. That's why we need to generate this "emergency" key pair before we issue ourselves a certificate. What matters is that we present the server with a signed certificate that names the key pair whose private key we hold.

So public key exchange is still alive and well. It works even with certificates. Certificates simply remove the need for the server to store public keys.

Next, create the certificate itself. I need authorization as the ubuntu user for a 10-minute window. You can do it your own way.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

You'll be asked to sign the certificate with a touch of your finger on the key. You can add more usernames separated by commas, for example -n ubuntu,carl,ec2-user

That's it, now you have a certificate! Next you need to set the correct permissions:

$ chmod 600 emergency-cert.pub

Then you can view the contents of your certificate:

$ step ssh inspect emergency-cert.pub

Here's what mine looks like:

emergency-cert.pub
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Here the Public key is the emergency key we generated, and the Signing CA is sk-user-ca, our certificate authority.
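The fields shown above (type, serial, key ID, validity window, principals) sit in a fixed order inside the base64 blob of emergency-cert.pub, following OpenSSH's PROTOCOL.certkeys layout. As an added example that is not part of the original article, the Python below builds a constructed, unsigned certificate in that layout, decodes those fields back without step, and applies the principal and validity-window checks sshd runs before it verifies the CA signature; the function names are mine, and signature verification against TrustedUserCAKeys is deliberately left out.

```python
import base64
import struct

CERT_TYPE = b"ecdsa-sha2-nistp256-cert-v01@openssh.com"

def _s(b):  # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_cert(principals, valid_after, valid_before, key_id="test-key"):
    # Field order from OpenSSH PROTOCOL.certkeys. Nonce, EC point and signature
    # are constructed placeholders: the blob is unsigned and only feeds the parser.
    body = b"".join([
        _s(CERT_TYPE),
        _s(b"\x00" * 32),                     # nonce
        _s(b"nistp256"),                      # curve name
        _s(b"\x04" + b"\x11" * 64),           # uncompressed EC point (placeholder)
        struct.pack(">QI", 0, 1),             # serial, type (1 = user, 2 = host)
        _s(key_id.encode()),
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),
        _s(b""),                              # critical options (none)
        _s(_s(b"permit-pty") + _s(b"")),      # extensions: name + empty data
        _s(b""),                              # reserved
        _s(b"ca-key-placeholder"),            # CA public key (signature key)
        _s(b"sig-placeholder"),               # CA signature over all fields above
    ])
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def _read(buf, pos):  # decode one SSH "string" at pos, return (bytes, new pos)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_cert(line):  # the fields sshd consults before checking the signature
    blob, pos = base64.b64decode(line.split()[1]), 0
    for _ in range(4):                        # skip type, nonce, curve, EC point
        _, pos = _read(blob, pos)
    serial, ctype = struct.unpack_from(">QI", blob, pos)
    key_id, pos = _read(blob, pos + 12)
    packed, pos = _read(blob, pos)
    principals, p = [], 0
    while p < len(packed):                    # principals are packed strings
        name, p = _read(packed, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, pos)
    return {"type": line.split()[0], "cert_type": ctype, "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def usable_for(cert, user, now):
    # sshd's checks: user cert, user is a listed principal, valid_after <= now < valid_before
    return cert["cert_type"] == 1 and user in cert["principals"] and cert["valid_after"] <= now < cert["valid_before"]
```

Point parse_cert at a real emergency-cert.pub line to read its window and principals; a certificate that passes usable_for is still rejected by sshd unless its signature comes from a key listed in /etc/ssh/ca.pub.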

Finally we're ready to run the SSH command:

$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

  1. Now you can issue certificates for any user on any host that trusts your certificate authority.
  2. You can now finish the emergency access setup. You can keep sk-user-ca, but you don't have to, because it is also stored on the security key. You may also want to remove the original PEM public key from your host (for example, from ~/.ssh/authorized_keys for the ubuntu user) if you were using it for emergency access.

Emergency Access: Action Plan

Insert the security key and run the command:

$ ssh-add -K

This will add the certificate authority's public key and key handle to the SSH agent.

Now export the public key for signing the certificate:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Create a certificate with an expiry of, say, no more than one hour:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

And now SSH again:

$ ssh -i emergency username@host

If your .ssh/config file causes problems when connecting, you can run ssh with the -F none option to bypass it. If you need to send a certificate to colleagues, the easiest and safest way is Magic Wormhole. For that, you only need two files - in our case, emergency and emergency-cert.pub.

What I like about this approach is the hardware backing. You can put your security keys in a safe and they won't go anywhere.

Source: www.hab.com