Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothée Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, to let a regular user run commands with root privileges, he proposes using the ssh utility with a local connection to the same system over a UNIX socket, with access controlled by SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions built on container-isolation components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To further restrict access, authentication can additionally require a USB token (for example, a Yubikey).

An example configuration of the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

[Unit]
Description=OpenSSH Server Unix Socket
Documentation=man:sshd(8) man:sshd_config(5)

[Socket]
ListenStream=/run/sshd.sock
Accept=yes

[Install]
WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (the per-connection template unit that systemd instantiates for the socket above because of Accept=yes):

[Unit]
Description=OpenSSH per-connection server daemon (Unix socket)
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.target
After=sshd-keygen.target

[Service]
ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
StandardInput=socket

/etc/ssh/sshd_config_unix:

# Allow key-based authentication only
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no

# Restrict access to the listed users
AllowUsers root adminusername

# Use .ssh/authorized_keys for the allowed keys
AuthorizedKeysFile .ssh/authorized_keys

# Enable sftp
Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd socket unit:

sudo systemctl daemon-reload
sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Configuring the SSH client.

Install the socat utility:

sudo dnf install socat

Add an entry to ~/.ssh/config that uses socat as the proxy for connecting over the UNIX socket:

Host host.local
    User root
    # Use /run/host/run instead of /run so this also works from inside containers
    ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
    # Path to the SSH key
    IdentityFile ~/.ssh/keys/localroot
    # Enable TTY support for an interactive shell
    RequestTTY yes
    # Suppress unnecessary output
    LogLevel QUIET

In this form, the user adminusername can already run commands as root without entering a password. Test it:

$ ssh host.local
[root ~]#

We define a bash function sudohost that runs "ssh host.local" in a sudo-like way: with no arguments it opens a root login shell in the current directory, otherwise it runs the given command there:

sudohost() {
    if [[ ${#} -eq 0 ]]; then
        # no arguments: interactive root login shell in the current directory
        ssh host.local "cd $(printf '%q' "${PWD}") && exec \"${SHELL}\" --login"
    else
        # quote every argument with printf %q so the remote login shell
        # re-splits the command correctly (a plain \"${@}\" would turn
        # "id -u" into a single program name)
        ssh host.local "cd $(printf '%q' "${PWD}") && exec $(printf '%q ' "${@}")"
    fi
}

Test:

$ sudohost id
uid=0(root) gid=0(root) groups=0(root)

Next we add token support and enable two-factor authentication, so that root access is possible only while a Yubikey USB token is inserted.

First check the firmware version of the Yubikey to see which algorithms it supports:

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the version is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk:

ssh-keygen -t ed25519-sk
or
ssh-keygen -t ecdsa-sk

Add the resulting public key to /root/.ssh/authorized_keys.

Restrict the accepted key types in the sshd configuration to the token-bound ones (this also means the plain key added earlier can no longer be used with this sshd instance; in OpenSSH 8.5 and later the option is also available under the name PubkeyAcceptedAlgorithms):

/etc/ssh/sshd_config_unix:

PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Finally, we restrict access to the Unix socket to the one user who is allowed to elevate privileges (adminusername in our example). Without this step systemd creates the socket with its default mode 0666, so any local user can connect to the sshd instance (they would still need a key listed in authorized_keys). In /etc/systemd/system/sshd-unix.socket add:

[Socket]
...
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
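The following script is an added example and not code from the article or from the author's setup. It serves two of the steps above: it rebuilds the sudohost wrapper so that arguments containing spaces or quotes survive the trip through the remote login shell (the part of the wrapper that actually matters for correctness), and it adds a check that the socket really ended up owned by the admin user with mode 0660 after the last step. The host alias host.local and the socket path /run/sshd.sock are taken from the page's configuration; the admin user and group names are passed in as arguments, and the command-building logic is kept in its own function so it can be inspected without an sshd listening.

```shell
#!/bin/sh
# Added example (not from the original article): a sudo-like wrapper around
# "ssh host.local" with safe argument quoting, plus a check that the UNIX
# socket is restricted to the admin user as the final configuration intends.
set -eu

# Assumptions taken from the page's config: the ~/.ssh/config alias and the
# ListenStream= path of sshd-unix.socket.
SUDOHOST_ALIAS="${SUDOHOST_ALIAS:-host.local}"
SUDOHOST_SOCKET="${SUDOHOST_SOCKET:-/run/sshd.sock}"

# Wrap a string in single quotes for the remote shell; an embedded ' becomes
# '\'' (close quote, escaped quote, reopen). Works in any POSIX sh.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command string that sshd hands to the remote login shell.
# Usage: build_remote_command DIR [CMD ARGS...]
# With no command, start an interactive login shell (like "sudo -i").
# Every argument is quoted individually, so "echo it's" or "ls 'a b'" is
# re-split correctly on the other side; a naive exec \"$@\" would turn
# `id -u` into one program named "id -u".
build_remote_command() {
    local dir cmd arg
    dir=$1; shift
    if [ "$#" -eq 0 ]; then
        cmd='exec "${SHELL}" --login'
    else
        cmd='exec'
        for arg in "$@"; do
            cmd="$cmd $(shell_quote "$arg")"
        done
    fi
    # "&&" rather than ";" so a failed cd does not run the command elsewhere
    printf 'cd %s && %s' "$(shell_quote "$dir")" "$cmd"
}

# sudo-like front end: run the arguments as root in the current directory.
sudohost() {
    ssh "$SUDOHOST_ALIAS" "$(build_remote_command "$PWD" "$@")"
}

# Verify the socket is reachable only by the intended user/group, i.e. that
# SocketUser=, SocketGroup= and SocketMode=0660 took effect (systemd's
# default mode for a socket unit is 0666). Prints a reason and returns 1
# when something is off. Uses GNU stat (Fedora/Linux).
# Usage: check_socket_perms PATH USER GROUP
check_socket_perms() {
    local path user group owner grp mode
    path=$1; user=$2; group=$3
    if [ ! -e "$path" ]; then
        echo "$path does not exist (is sshd-unix.socket enabled?)" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$path")
    grp=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$user" ] || [ "$grp" != "$group" ]; then
        echo "$path is owned by $owner:$grp, expected $user:$group" >&2
        return 1
    fi
    case "$mode" in
        660|600) return 0 ;;
        *) echo "$path has mode $mode, expected 0660 (other users can connect)" >&2
           return 1 ;;
    esac
}

# Typical use on the configured host:
#   check_socket_perms "$SUDOHOST_SOCKET" adminusername adminusername && sudohost id -u
```

Run check_socket_perms before relying on the socket restriction: if it reports mode 666, the [Socket] settings were added but the unit was not restarted (systemctl daemon-reload followed by systemctl restart sshd-unix.socket recreates the socket file with the new ownership and mode).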

Source: opennet.ru
