Using SSH over a Unix socket instead of sudo to get rid of suid files

Timothee Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to escalate privileges. Instead of sudo, to let a regular user run commands with root rights, he suggests using the ssh utility with a local connection to the same system over a UNIX socket, with authorization based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions built on container isolation components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, confirmation with a USB token (for example a Yubikey) can be required.

Example configuration of the OpenSSH server components for access over a local Unix socket (a separate sshd instance with its own configuration file is started):

/etc/systemd/system/sshd-unix.socket:

[Unit]
Description=OpenSSH Server Unix Socket
Documentation=man:sshd(8) man:sshd_config(5)

[Socket]
ListenStream=/run/sshd.sock
Accept=yes

[Install]
WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (the per-connection template unit that Accept=yes expects):

[Unit]
Description=OpenSSH per-connection server daemon (Unix socket)
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.target
After=sshd-keygen.target

[Service]
ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
StandardInput=socket

/etc/ssh/sshd_config_unix:

# Leave only key authentication
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no

# Restrict access to selected users
AllowUsers root adminusername

# Leave only the use of .ssh/authorized_keys (without .ssh/authorized_keys2)
AuthorizedKeysFile .ssh/authorized_keys

# Enable sftp
Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

sudo systemctl daemon-reload
sudo systemctl enable --now sshd-unix.socket

Add your SSH key to /root/.ssh/authorized_keys

Setting up the SSH client.

Install the socat utility:

sudo dnf install socat

Add to ~/.ssh/config, specifying socat as the proxy for access over the UNIX socket:

Host host.local
    User root
    # Use /run/host/run instead of /run to work from inside containers
    ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
    # Path to the SSH key
    IdentityFile ~/.ssh/key/localroot
    # Enable TTY support for an interactive shell
    RequestTTY yes
    # Suppress unnecessary output
    LogLevel QUIET

With the current configuration, the user adminusername can now run commands as root without entering a password. Checking that it works:

$ ssh host.local
[root ~]#

Create a sudohost alias in bash for "ssh host.local", similar to sudo (the original wrapper passed the arguments as one double-quoted word, so a multi-word command such as "ls -l" was exec'd as a single program name; the version below quotes each argument separately with printf %q, which assumes bash on the remote side):

sudohost() {
    if [[ ${#} -eq 0 ]]; then
        # No arguments: open a login shell in the current directory
        ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
    else
        # Arguments: run them as a command in the current directory
        ssh host.local "cd \"${PWD}\"; exec $(printf '%q ' "${@}")"
    fi
}

Check:

$ sudohost id
uid=0(root) gid=0(root) groups=0(root)

Additionally, we add two-factor authentication, allowing root access only while a Yubikey USB token is inserted.

Check which algorithms the existing Yubikey supports:

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk:

ssh-keygen -t ed25519-sk
or
ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys

Bind sshd to these key types in its configuration, /etc/ssh/sshd_config_unix:

PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com

Restrict access to the Unix socket to only the user who is allowed to obtain elevated privileges (in our example, adminusername). In /etc/systemd/system/sshd-unix.socket add:

[Socket]
...
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
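The setup above only removes the suid dependency safely if the dedicated sshd really refuses passwords and the socket really is reachable by one user. The following audit script is an added example, not code from the article or from Timothee Ravier's setup; it reads an sshd_config-style file and a systemd socket unit whose paths are passed as parameters, checks the directives the write-up relies on, and returns non-zero on any deviation. The admin user name adminusername is taken from the article; the sample files written at the bottom are constructed here to mirror the article's snippets (one hardened, one deliberately weak).

```shell
#!/bin/sh
# Added example, not code from the article or from Timothee Ravier's setup:
# audit the sshd_config_unix file and the sshd-unix.socket unit for the
# settings the write-up relies on. File paths and the admin user name are
# parameters; the sample files at the bottom are constructed here.

# directive_value FILE KEYWORD: value of an sshd_config keyword (first match,
# keyword compared case-insensitively, comment lines ignored).
directive_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# unit_value FILE KEY: value of KEY= in a systemd unit file (first match).
unit_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_sshd_config FILE ADMINUSER
# Returns 0 when password, empty-password and GSSAPI logins are off, root is
# limited to key-based login, and ADMINUSER appears in AllowUsers.
check_sshd_config() {
    file=$1; admin=$2; rc=0
    for pair in PermitRootLogin=prohibit-password PasswordAuthentication=no \
                PermitEmptyPasswords=no GSSAPIAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(directive_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    # AllowUsers may list several names; the admin user must be one of them
    if ! awk -v u="$admin" 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i == u) f = 1 }
                            END { exit !f }' "$file"; then
        echo "FAIL: $admin is not listed in AllowUsers"; rc=1
    fi
    return $rc
}

# check_socket_unit FILE ADMINUSER
# Returns 0 when the socket is a filesystem path, spawns one sshd per
# connection (Accept=yes) and is reachable only by ADMINUSER (mode 0660).
check_socket_unit() {
    file=$1; admin=$2; rc=0
    case "$(unit_value "$file" ListenStream)" in
        /*) ;;
        *)  echo "FAIL: ListenStream is not a filesystem socket path"; rc=1 ;;
    esac
    [ "$(unit_value "$file" Accept)" = "yes" ] || { echo "FAIL: Accept is not yes"; rc=1; }
    [ "$(unit_value "$file" SocketUser)" = "$admin" ] || { echo "FAIL: SocketUser is not $admin"; rc=1; }
    [ "$(unit_value "$file" SocketMode)" = "0660" ] || { echo "FAIL: SocketMode is not 0660"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the article's snippets.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# Leave only key authentication
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no
AllowUsers root adminusername
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Constructed weak variant: password login left on, admin user missing
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers root
EOF

GOOD_SOCKET=$(mktemp)
cat > "$GOOD_SOCKET" <<'EOF'
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
EOF

# Demo run: the hardened pair passes, the weak config is rejected.
check_sshd_config "$GOOD_CFG" adminusername && check_socket_unit "$GOOD_SOCKET" adminusername \
    && echo "hardened configuration: OK"
check_sshd_config "$WEAK_CFG" adminusername || echo "weak configuration rejected (expected)"
```

Run it against the real files with check_sshd_config /etc/ssh/sshd_config_unix adminusername and check_socket_unit /etc/systemd/system/sshd-unix.socket adminusername; a non-zero exit with a FAIL line means one of the protections the article depends on is not in place. The checks are deliberately strict on SocketMode: anything wider than 0660 lets other local users reach a root shell through the socket.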

Source: opennet.ru
