Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothée Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to do without the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, to let a regular user run commands with root privileges, he proposes using the ssh utility with a local connection to the same machine over a UNIX socket and authentication based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to obtain root privileges in the management environment of distributions built from isolated components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, two-factor authentication with a USB token (for example, a Yubikey) can be added on top.

An example configuration of the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

  [Unit]
  Description=OpenSSH Server Unix Socket
  Documentation=man:sshd(8) man:sshd_config(5)

  [Socket]
  ListenStream=/run/sshd.sock
  Accept=yes

  [Install]
  WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

  [Unit]
  Description=OpenSSH per-connection server daemon (Unix socket)
  Documentation=man:sshd(8) man:sshd_config(5)
  Wants=sshd-keygen.target
  After=sshd-keygen.target

  [Service]
  ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
  StandardInput=socket

/etc/ssh/sshd_config_unix:

  # Leave only key-based authentication
  PermitRootLogin prohibit-password
  PasswordAuthentication no
  PermitEmptyPasswords no
  GSSAPIAuthentication no

  # Restrict access to selected users only
  AllowUsers root adminusername

  # Use only .ssh/authorized_keys (do not consult .ssh/authorized_keys2)
  AuthorizedKeysFile .ssh/authorized_keys

  # Enable sftp
  Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

  sudo systemctl daemon-reload
  sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client.

Install the socat utility:

  sudo dnf install socat

Add the following to ~/.ssh/config, using socat as a proxy for access over the UNIX socket:

  Host host.local
      User root
      # Use /run/host/run instead of /run so this also works from inside containers
      ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
      # Path to the SSH key
      IdentityFile ~/.ssh/keys/localroot
      # Allocate a TTY for an interactive shell
      RequestTTY yes
      # Suppress unnecessary output
      LogLevel QUIET

In this form, the user adminusername can already run commands as root without entering a password. Checking that it works:

  $ ssh host.local
  [root ~]#

We create a sudohost function in bash that runs "ssh host.local", by analogy with sudo:

  sudohost() {
      if [[ ${#} -eq 0 ]]; then
          # No arguments: open an interactive root login shell in the current directory
          ssh host.local "cd $(printf '%q' "${PWD}"); exec \"${SHELL}\" --login"
      else
          # printf %q quotes the directory and each argument so that multi-word
          # commands (e.g. "sudohost systemctl status sshd") survive the remote shell
          ssh host.local "cd $(printf '%q' "${PWD}"); exec $(printf '%q ' "${@}")"
      fi
  }

Check:

  $ sudohost id
  uid=0(root) gid=0(root) groups=0(root)

Next we add a security-key credential and configure two-factor authentication, so that root login is only possible while the Yubikey USB token is plugged in.

Check which algorithms the existing Yubikey supports:

  lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk:

  ssh-keygen -t ed25519-sk
  or
  ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Restrict the accepted key types in the sshd configuration, /etc/ssh/sshd_config_unix:

  PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Finally, we restrict access to the Unix socket to the one user who is allowed to elevate privileges (adminusername in our example). In /etc/systemd/system/sshd-unix.socket add:

  [Socket]
  ...
  SocketUser=adminusername
  SocketGroup=adminusername
  SocketMode=0660
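With this setup the socket's owner and mode, plus the sshd_config_unix directives, are the entire access control in front of a root shell, so they are worth checking after every change. The following audit script is an added example, not part of the article or of the proposal it describes; it assumes the article's paths (/etc/ssh/sshd_config_unix, /run/sshd.sock) and user name (adminusername), and both checks take the file to inspect as a parameter so they can be run on copies.

```shell
#!/usr/bin/env bash
# Added example, not from the article: audit the "sshd over a Unix socket"
# setup. Reads the sshd_config_unix directives the setup depends on and
# checks the owner/mode of the socket path (the article's only access control
# in front of a root shell).

# Print the effective value of one sshd_config directive. As in sshd, the
# first occurrence wins; comment lines are skipped; only the whitespace
# separated "Keyword value" form is handled.  Usage: sshd_directive FILE KEYWORD
sshd_directive() {
    awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(name) && !found {
            found = 1
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print
        }' "$1"
}

# Return 0 if FILE carries the hardening the article relies on; otherwise
# print each weak or missing directive and return 1.
audit_sshd_unix_config() {
    local cfg="$1" rc=0
    [ "$(sshd_directive "$cfg" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication must be 'no'"; rc=1; }
    [ "$(sshd_directive "$cfg" PermitEmptyPasswords)" = no ] ||
        { echo "PermitEmptyPasswords must be 'no'"; rc=1; }
    [ "$(sshd_directive "$cfg" PermitRootLogin)" = prohibit-password ] ||
        { echo "PermitRootLogin must be 'prohibit-password'"; rc=1; }
    [ -n "$(sshd_directive "$cfg" AllowUsers)" ] ||
        { echo "AllowUsers is unset: any local user could log in over the socket"; rc=1; }
    return "$rc"
}

# Return 0 if PATH is owned by OWNER with permission bits MODE (e.g. 660),
# i.e. matches SocketUser/SocketMode in sshd-unix.socket.
# Usage: audit_socket_path PATH OWNER MODE   (GNU stat, as on Fedora)
audit_socket_path() {
    local actual
    actual="$(stat -c '%U %a' "$1")" || return 1
    [ "$actual" = "$2 $3" ]
}

# Stand-alone usage on a host configured as in the article (assumed paths):
# audit_sshd_unix_config /etc/ssh/sshd_config_unix
# audit_socket_path /run/sshd.sock adminusername 660
```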

Source: opennet.ru
