Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothée Ravier from Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, to let a regular user run commands with root privileges, it is proposed to use the ssh utility with a local connection to the same system over a UNIX socket, with authorization based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions that use container-based isolation, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authorization can additionally be confirmed with a USB token (for example, a Yubikey).

Example of configuring an OpenSSH server for access via a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key-based authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to selected users
    AllowUsers root adminusername

    # Leave only .ssh/authorized_keys as the key source
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket
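To verify that a deployed sshd_config_unix still carries the hardening directives from the listing above, here is a small POSIX sh audit script. It is an added example, not part of the article or of Timothée Ravier's setup; the two sample configs it writes are constructed, and it only understands the "Directive value" spelling of sshd_config, not "Directive=value".

```shell
#!/bin/sh
# Added example (not from the original article): audit a sshd_config_unix file
# for the hardening directives the socket-based sshd relies on. Returns 0 when
# every expected directive has the expected value, 1 otherwise, and prints each
# deviation on stderr.

# Effective value of a directive. sshd uses the FIRST occurrence of a directive
# (outside Match blocks), so the first match wins here too. Directive names are
# case-insensitive; only the "Directive value" spelling is parsed.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    # $1 = path of the sshd config to check
    cfg=$1
    rc=0
    for pair in \
        "PermitRootLogin=prohibit-password" \
        "PasswordAuthentication=no" \
        "PermitEmptyPasswords=no" \
        "GSSAPIAuthentication=no" \
        "AuthorizedKeysFile=.ssh/authorized_keys"
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_directive "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' \
                "$cfg" "$key" "${got:-unset}" "$want" >&2
            rc=1
        fi
    done
    # Without AllowUsers, any local account that has a key in its
    # authorized_keys could authenticate to the socket-bound sshd.
    if [ -z "$(sshd_directive "$cfg" AllowUsers)" ]; then
        printf '%s: AllowUsers is unset\n' "$cfg" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs so the script demonstrates itself offline.
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
# hardened copy of the article's sshd_config_unix
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no
AllowUsers root adminusername
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat >"$BAD_CFG" <<'EOF'
# password logins left enabled and no user restriction
PermitRootLogin yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

audit_sshd_config "$GOOD_CFG" && echo "sample hardened config: OK"
audit_sshd_config "$BAD_CFG" || echo "sample weak config: rejected as expected"
# On a real host: audit_sshd_config /etc/ssh/sshd_config_unix
```

Run it against the real file after every edit of sshd_config_unix; because sshd honours the first occurrence of a directive, a later "PasswordAuthentication no" does not undo an earlier "yes", and the checker reports exactly what sshd would apply.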

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client.

Install the socat package:

    sudo dnf install socat

Add an entry to ~/.ssh/config that uses socat as the proxy for reaching sshd over the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so this also works from containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Suppress extraneous output
        LogLevel QUIET

In this form, the user adminusername can run commands as root without entering a password. Check that it works:

    $ ssh host.local
    [root ~]#

Let's create a sudohost function in bash that runs "ssh host.local" the way sudo is used:

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            # quote each argument so multi-word commands survive the remote shell
            ssh host.local "cd \"${PWD}\"; exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)
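A POSIX sh counterpart to the bash sudohost function above, added here and not taken from the article. It builds the remote command string separately from the ssh call and single-quotes every argument, so commands containing spaces or shell metacharacters reach the root shell unchanged, and the string builder can be checked without a socket present. host.local is the ~/.ssh/config entry from the client setup; the directory names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): a POSIX sh variant of the
# sudohost wrapper that quotes every argument before handing the command to
# ssh, so `sudohost grep -r 'a b' /etc` runs exactly that on the root side
# of the UNIX socket.

# Wrap $1 in single quotes; each embedded single quote becomes '\'' .
# (Command substitution drops trailing newlines from the argument.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# $1 = directory to cd into on the remote side, rest = command and arguments.
# With no command, start a login shell, as the article's sudohost does.
build_remote_cmd() {
    dir=$1
    shift
    if [ $# -eq 0 ]; then
        set -- "${SHELL:-/bin/bash}" --login
    fi
    cmd=""
    for word in "$@"; do
        cmd="${cmd}${cmd:+ }$(shell_quote "$word")"
    done
    printf 'cd %s; exec %s' "$(shell_quote "$dir")" "$cmd"
}

# host.local is the ~/.ssh/config entry that proxies through the socket
# with socat; nothing is sent until this function is actually called.
sudohost() {
    ssh host.local "$(build_remote_cmd "$PWD" "$@")"
}

# The string that would be sent for a constructed directory name:
#   build_remote_cmd "/home/adminusername/my dir" ls -la
# prints: cd '/home/adminusername/my dir'; exec 'ls' '-la'
```

Because the quoting is done on the client before ssh ever sees the command, the root shell on the socket side executes the words exactly as typed and never re-splits them; that is the same property sudo provides by passing argv through unchanged.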

Let's add a token and enable two-factor authentication, so that root access is possible only while a Yubikey USB token is inserted.

Check which algorithms the available Yubikey supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk

or

    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Enable the same key types in the sshd configuration, /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com
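The token steps above (firmware check, choice of key type, matching sshd directive) collected into one script. This is an added example, not from the article; the 5.2.3 threshold and the two key-type names come from the text, the lsusb pipeline is the one shown above, and the key path ~/.ssh/keys/localroot is taken from the client configuration.

```shell
#!/bin/sh
# Added example (not from the original article): pick the FIDO key type from
# the Yubikey firmware version that lsusb reports in bcdDevice, and emit the
# matching PubkeyAcceptedKeyTypes name for sshd_config_unix.

# Convert "MAJOR.MINOR.PATCH" into one integer so versions compare with -ge
# (a missing PATCH field counts as 0).
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Firmware 5.2.3 and newer can use ed25519-sk; older tokens get ecdsa-sk.
sk_key_type() {
    if [ "$(vernum "$1")" -ge "$(vernum 5.2.3)" ]; then
        echo ed25519-sk
    else
        echo ecdsa-sk
    fi
}

# sshd names the same algorithms differently from ssh-keygen -t.
sk_accepted_type() {
    case $1 in
        ed25519-sk) echo sk-ssh-ed25519@openssh.com ;;
        ecdsa-sk)   echo sk-ecdsa-sha2-nistp256@openssh.com ;;
        *) echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Firmware version of the first Yubikey on the bus (the article's pipeline).
yubikey_firmware() {
    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}' | head -n1
}

# Generate the key on the inserted token and print the sshd directive to add.
# Assumes the key path ~/.ssh/keys/localroot from the client's ssh config.
make_localroot_sk_key() {
    fw=$(yubikey_firmware)
    if [ -z "$fw" ]; then
        echo "no Yubikey found" >&2
        return 1
    fi
    type=$(sk_key_type "$fw")
    ssh-keygen -t "$type" -f "$HOME/.ssh/keys/localroot" || return 1
    echo "PubkeyAcceptedKeyTypes $(sk_accepted_type "$type")"
}

# With the token inserted:  make_localroot_sk_key
# then append the printed directive to /etc/ssh/sshd_config_unix and the
# new localroot.pub to /root/.ssh/authorized_keys.
```

Listing only the sk-* types in PubkeyAcceptedKeyTypes is what makes the token mandatory: a plain ed25519 or RSA key in authorized_keys is then refused by this sshd instance even though the same file would accept it elsewhere.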

Let's restrict access to the Unix socket to the one user who is allowed to elevate privileges (in our example, adminusername). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
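A check for the socket unit after this step, added here and not from the article: it reads SocketUser and SocketMode from the unit file and fails if the socket would still be reachable by other local users. The sample unit texts are constructed; 0666 is the default systemd.socket(5) documents for SocketMode when the directive is absent.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a systemd
# .socket unit restricts the sshd UNIX socket to its owner and group, i.e.
# SocketUser is set and SocketMode grants nothing to "other" users.

# Value of the last Key=Value line for $2 in unit file $1 (systemd keeps the
# last occurrence when a key is repeated within a file).
unit_value() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

check_socket_unit() {
    unit=$1
    rc=0
    user=$(unit_value "$unit" SocketUser)
    mode=$(unit_value "$unit" SocketMode)
    if [ -z "$user" ]; then
        echo "$unit: SocketUser is unset, the socket will be owned by root" >&2
        rc=1
    fi
    case $mode in
        "")
            # systemd.socket(5): SocketMode defaults to 0666, i.e. world-accessible
            echo "$unit: SocketMode is unset (defaults to 0666)" >&2
            rc=1 ;;
        *[1-7])
            # the last octal digit is the permission set for "other"
            echo "$unit: SocketMode $mode lets other users connect" >&2
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample units for an offline demonstration.
GOOD_UNIT=$(mktemp)
BAD_UNIT=$(mktemp)
cat >"$GOOD_UNIT" <<'EOF'
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
EOF
cat >"$BAD_UNIT" <<'EOF'
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
EOF

check_socket_unit "$GOOD_UNIT" && echo "restricted socket unit: OK"
check_socket_unit "$BAD_UNIT" || echo "unrestricted socket unit: rejected as expected"
# On a real host: check_socket_unit /etc/systemd/system/sshd-unix.socket
```

The socket permissions are the first line of defence: with 0660 and the adminusername owner, a process running as any other local account cannot even open the socket, so it never reaches sshd's key check at all.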

Source: opennet.ru
