Timothee Ravier saka Red Hat, sing njaga proyek Fedora Silverblue lan Fedora Kinoite, ngusulake cara supaya ora nggunakake utilitas sudo, sing nggunakake bit suid kanggo nambah hak istimewa. Tinimbang sudo, kanggo pangguna normal nglakokake perintah kanthi hak root, disaranake nggunakake sarana ssh kanthi sambungan lokal menyang sistem sing padha liwat soket UNIX lan verifikasi ijin adhedhasar tombol SSH.
Nggunakake ssh tinimbang sudo ngidini sampeyan nyisihake program suid ing sistem lan ngaktifake eksekusi perintah istimewa ing lingkungan host distribusi sing nggunakake komponen isolasi wadhah, kayata Fedora Silverblue, Fedora Kinoite, Fedora Sericea lan Fedora Onyx. Kanggo matesi akses, konfirmasi wewenang nggunakake token USB (contone, Yubikey) bisa tambahan digunakake.
Conto konfigurasi komponen server OpenSSH kanggo akses liwat soket Unix lokal (kayata sshd sing kapisah bakal diluncurake karo file konfigurasi dhewe):
/etc/systemd/system/sshd-unix.socket: [Unit] Keterangan=Dokumentasi Soket Unix Server OpenSSH=man:sshd(8) man:sshd_config(5) [Socket] ListenStream=/run/sshd.sock Accept=yes [Instal] WantedBy=sockets.target
/ lsp / systemd / sistem /[email dilindhungi]: [Unit] Katrangan=Daemon server OpenSSH saben sambungan (soket Unix) Dokumentasi=man:sshd(8) man:sshd_config(5) Wants=sshd-keygen.target After=sshd-keygen.target [Layanan] ExecStart=- /usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix StandardInput=soket
/etc/ssh/sshd_config_unix: # Mung ninggalake otentikasi tombol PermitRootLogin nglarang-sandiPasswordAuthentication ora PermitEmptyPasswords ora GSSAPIAuthentication ora # mbatesi akses menyang pangguna sing dipilih AllowUsers root adminusername # Godhong mung nggunakake .ssh/withoutthorized _keyssh. /authorized_ keys # ngaktifake sftp Subsistem sftp /usr/libexec/openssh/sftp-server
Aktifake lan bukak unit systemd: sudo systemctl daemon-reload sudo systemctl enable βnow sshd-unix.socket
Tambah tombol SSH kanggo /root/.ssh/authorized_keys
Nyetel klien SSH.
Instal utilitas socat: sudo dnf nginstal socat
Kita nambah /.ssh/config kanthi nemtokake socat minangka proxy kanggo akses liwat soket UNIX: Host host.local User root # Gunakake /run/host/run tinimbang /run kanggo nggarap kontainer ProxyCommand socat - UNIX-CLIENT: / run/ host/run/sshd.sock # Path to the SSH key IdentityFile ~/.ssh/keys/localroot # Aktifake dhukungan TTY kanggo shell interaktif RequestTTY ya # Mbusak output sing ora perlu LogLevel QUIET
Ing wangun saiki, jeneng pangguna admin saiki bakal bisa nglakokake perintah minangka root tanpa ngetik sandhi. Priksa operasi: $ ssh host.local [root ~]#
Kita nggawe alias sudohost ing bash kanggo mbukak "ssh host.local", padha karo sudo: sudohost () {yen [[ ${#} -eq 0 ]]; banjur ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login" else ssh host.local "cd \"${PWD}\"; eksekusi \»${@}\»» fi }
Priksa: $ sudohost id uid=0(root) gid=0(root) grup=0(root)
Kita nambah kapercayan lan ngaktifake otentikasi rong faktor, ngidini akses root mung nalika token USB Yubikey dipasang.
Kita mriksa algoritma sing didhukung dening Yubikey sing ana: lsusb -v 2> / dev / null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'
Yen output 5.2.3 utawa luwih, gunakake ed25519-sk nalika ngasilake tombol, digunakake ecdsa-sk: ssh-keygen -t ed25519-sk utawa ssh-keygen -t ecdsa-sk
Nambahake kunci umum menyang /root/.ssh/authorized_keys
Nambahake jinis kunci kanggo konfigurasi sshd: /etc/ssh/sshd_config_unix: PubkeyAcceptedKeyTypes [email dilindhungi],[email dilindhungi]
Kita matesi akses menyang soket Unix mung kanggo pangguna sing bisa duwe hak istimewa (ing conto kita, adminusername). Ing /etc/systemd/system/sshd-unix.socket nambah: [Socket] ... SocketUser=adminusername SocketGroup=adminusername SocketMode=0660
Source: opennet.ru