ProHoster > Blog > Ulamuliro > Zidule zazing'ono za SSH

Zidule zazing'ono za SSH

Nkhaniyi ili ndi njira zathu zabwino zogwiritsira ntchito SSH bwino. M'menemo muphunzira momwe mungachitire:

  • Onjezani chinthu chachiwiri pakulowa kwa SSH
  • Gwiritsani ntchito kutumiza ma agent mosatetezeka
  • Tulukani mu gawo la SSH lomwe lasokonekera
  • Tsegulani terminal yokhazikika
  • Gawani gawo lakutali ndi mnzanu (palibe Zoom!)

Kuwonjezera chinthu chachiwiri ku SSH yanu

Mutha kuwonjezera chinthu chachiwiri chotsimikizirika kumalumikizidwe anu a SSH m'njira zisanu:

  1. Sinthani OpenSSH yanu ndikugwiritsa ntchito kiyi yobisa. Mu February 2020, OpenSSH idawonjezera chithandizo cha makiyi achinsinsi a FIDO U2F (Universal Second Factor). Ichi ndi chinthu chatsopano chatsopano, koma pali chenjezo: makasitomala okhawo ndi maseva omwe asinthidwa kukhala OpenSSH 8.2 ndi apamwamba azitha kugwiritsa ntchito makiyi achinsinsi, popeza kusintha kwa February kumawabweretsera mitundu yatsopano. Gulu ssh –V mutha kuyang'ana mtundu wa kasitomala wa SSH ndi mtundu wa seva ndi lamulo nc [servername] 22

    Mitundu iwiri yatsopano yamakiyi idawonjezedwa ku mtundu wa February - ecdsa-sk ndi ed25519-sk (pamodzi ndi ziphaso zofananira). Kuti mupange fayilo yayikulu, ingoikani kiyi yanu yobisa ndikuyendetsa lamulo:
    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

    Idzapanga makiyi apagulu ndi achinsinsi ndikuwaphatikiza ndi chipangizo chanu cha U2F. Ntchito ya kiyi yachinsinsi pa chipangizo cha U2F ndikuchotsa mawu ofotokozera achinsinsi pa disk pamene kiyi yachinsinsi yatsegulidwa.

    Kuphatikiza apo, ngati chinthu chachiwiri, mutha kupereka mawu achinsinsi a makiyi anu.

    Makiyi okhala ndi mtundu wina wa -sk key generation wothandizidwa ndi OpenSSH. Ndi njira iyi, chogwiriracho chimasungidwa pa chipangizo cha U2F ndikukulolani kuti mukhale nacho ndi kiyi yobisa pakafunika. Mutha kupanga kiyi yokhalamo ndi lamulo:

    $ ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/id_ecdsa_sk

    Kenako, kuti mubwezeretse chogwiriracho m'chikumbukiro pa chipangizo chatsopano, ikani kiyi yobisa ndikuyendetsa lamulo:

    $ ssh-add -K

    Mukalumikizana ndi wolandila, mudzafunikabe kuyambitsa kiyi ya encryption.

  2. Gwiritsani ntchito PIV+PKCS11 ndi Yubikey. Kulumikiza ku zida zomwe zili ndi mitundu yakale ya SSHD pogwiritsa ntchito kiyi ya encryption kudzafuna njira ina. Yubico ali ndi kalozera pakugwiritsa ntchito U2F+SSH ndi PIV/PKCS11. Izi sizili zofanana ndi FIDO U2F, ndipo ngakhale njirayo ikugwira ntchito, zimatengera ntchito yambiri kuti mudziwe zomwe matsenga akuyendetsa.
  3. Ikani yubikey-agent ssh wothandizira. Filippo Valsorda adalemba wothandizira wa SSH wa Yubikeys. Ndi yatsopano kwathunthu ndipo ili ndi mawonekedwe ochepa.
  4. Gwiritsani ntchito Touch ID ndi sekey. Sekey ndi gwero lotseguka lothandizira SSH lomwe limasunga makiyi achinsinsi mu enclave yotetezedwa pa Mac ndikulola ID ya Touch kuti igwiritsidwe ntchito kuti ipezeke.
  5. Gwiritsani Ntchito Single Sign Pa SSH. Ndinalemba phunziro kukuthandizani kukhazikitsa njira iyi. Chimodzi mwazabwino za chizindikiro chimodzi pa SSH ndikutha kugwiritsa ntchito mfundo zachitetezo cha omwe akukupatsani - kuphatikiza kuthandizira kutsimikizika kwazinthu zambiri (MFA).

Kugwiritsa ntchito motetezeka kutumiza othandizira

Kutumiza kwa SHH kumalola wolandila akutali kuti azitha kugwiritsa ntchito SSH ya chipangizo chanu chapafupi. Mukamagwiritsa ntchito SSH ndi kutumiza kwa wothandizira (nthawi zambiri kudzera pa ssh -A), padzakhala njira ziwiri zolumikizira: gawo lanu lolumikizana ndi njira yotumizira wothandizira. Kudzera mu njira iyi, soketi ya Unix yopangidwa ndi wothandizira wa SSH wakomweko imalumikizana ndi wolandila akutali. Iyi ndi njira yowopsa chifukwa wogwiritsa ntchito mizu pazida zakutali atha kupeza wothandizila wa SSH wakomweko ndipo amatha kukhala ngati inu pa intaneti. Pogwiritsa ntchito wothandizira wa SSH kuchokera pa Open SSH kit, simudzadziwa kuti izi zidachitika. Kukhala ndi kiyi ya U2F (kapena Sekey) kukuthandizani kuti mutseke zoyesayesa zilizonse zogwiritsa ntchito SSH yanu kuchokera kunja.

Ngakhale ndi kusamala uku, ndi bwino kugwiritsa ntchito kutumiza ma agent pang'ono momwe mungathere. Musagwiritse ntchito gawo lililonse - gwiritsani ntchito kutumiza kwa othandizira pokhapokha mutatsimikiza kuti ndiyofunikira pagawo lomwe lilipo.

Kutuluka gawo lopachikidwa

Kusokoneza kwa netiweki, mapulogalamu omwe sakuwongolera, kapena njira yopulumukira yomwe imatsekereza kulowetsa kiyibodi ndizomwe zimayambitsa kuti gawo la SSH lithe.

Pali njira zingapo zomaliza gawo lopachikidwa:

  1. Tulukani zokha pomwe netiweki yasokonezedwa. Muyenera kuwonjezera zotsatirazi ku .ssh/config:
    ServerAliveInterval 5
ServerAliveCountMax 1

    ssh idzatumiza echo kwa omwe ali kutali masekondi aliwonse a ServerAliveInterval kuti awone kulumikizana. Ngati ma echo opitilira ServerAliveCountMax sakulandira yankho, ssh ithetsa kulumikizana ndikutuluka.

  2. Tulukani mu gawoli. ssh mwachisawawa amagwiritsa ntchito ~ (tilde) mawonekedwe ngati mawonekedwe ake. Timu ~. imatseka kulumikizana kotseguka ndikukubwezerani ku terminal. (Zotsatira zothawa zitha kulowetsedwa pamzere watsopano.) The ~? iwonetsa mndandanda wathunthu wamalamulo omwe alipo mu gawoli. Chonde dziwani kuti kuti mulembe ~ zilembo pamakiyibodi apadziko lonse lapansi, mungafunike kukanikiza batani la ~ kawiri.

Chifukwa chiyani magawo owuma amachitika konse? Pamene intaneti idapangidwa, makompyuta sankasuntha kuchoka kumalo kupita kumalo. Mukamagwiritsa ntchito laputopu ndikusintha pakati pa maukonde angapo a IPv4 WiFi, adilesi yanu ya IP imasintha. Popeza SSH imadalira maulumikizidwe a TCP, omwe nawonso amadalira pomaliza ndi adilesi yokhazikika ya IP, nthawi iliyonse mukasintha pakati pa maukonde, maulumikizidwe anu a SSH amaphonya chogwirira cha socket ndipo amadzitayika okha. Adilesi yanu ya IP ikasintha, zimatenga nthawi kuti network yanu izindikire kutayika kwa chogwirira. Mavuto a pa netiweki akachitika, sitifuna kuti imodzi mwa mfundo za TCP ithetse msanga. Chifukwa chake, protocol idzayesa kutumizanso deta kangapo musanathe kusiya. Pakadali pano, mu terminal yanu gawolo liziwoneka lozizira. IPv6 imawonjezera zinthu zingapo zokhudzana ndi kuyenda zomwe zimalola chipangizo kuti chisasunge adilesi yakunyumba pomwe chikusintha maukonde. Mwina tsiku lina izi sizidzakhala vuto.

Momwe mungasungire terminal yokhazikika yotseguka pagulu lakutali

Pali njira ziwiri zosiyana za momwe mungasungire kulumikizana kwanu mukamayenda pakati pa maukonde osiyanasiyana kapena mukufuna kulumikiza kwakanthawi.

1. Pezani mwayi mos kapena Terminal Yamuyaya

Ngati mukufunadi kulumikizana komwe sikutha ngakhale mutasintha pakati pa maukonde, gwiritsani ntchito chipolopolo cha Mosh. Ichi ndi chipolopolo chotetezedwa chomwe chimayamba kugwiritsa ntchito SSH kugwirana chanza ndikusinthira ku njira yake yobisidwa nthawi yonseyi. Umu ndi momwe Mosh amapangira njira yosiyana, yokhazikika komanso yotetezeka yomwe imatha kupirira kusokonezeka kwa intaneti, kusintha kwa adilesi ya IP ya laputopu yanu, kuzimitsa kwakukulu kwa netiweki, ndi zina zambiri, ndipo zonsezi chifukwa cha matsenga a kulumikizana kwa UDP, komanso. monga Mosh protocol synchronization.

Kuti mugwiritse ntchito Mosh muyenera kuyiyika pa kasitomala ndi seva, ndikutsegula madoko 60000-61000 pamagalimoto osagwirizana ndi UPD kwa omwe ali kutali. M'tsogolomu, kulumikiza kudzakhala kokwanira kugwiritsa ntchito mosh user@server.

Mosh imagwira ntchito pamlingo wa zowonetsera ndi makiyi, zomwe zimapatsa zabwino zingapo potumiza kaphatikizidwe kaphatikizidwe kazolowera ndi zotuluka pakati pa kasitomala ndi seva ya SSH. Ngati tingofunika kulunzanitsa zowonera ndi makiyi, ndiye kubwezeretsa kulumikizana kosweka pambuyo pake kumakhala kosavuta. Pomwe SSH idzabisa ndikutumiza zonse zomwe zidachitika, Mosh amangofunika kusungitsa makiyi achinsinsi ndikugwirizanitsa chimango chomaliza cha zenera la terminal ndi kasitomala.

2. Gwiritsani ntchito tmux

Ngati mukufuna "kubwera ndikupita momwe mukufunira" ndikusunga gawo lachidziwitso pamtundu wakutali, gwiritsani ntchito terminal multiplexer tmux. Ndimakonda tmux ndipo ndimagwiritsa ntchito nthawi zonse. Ngati kulumikizana kwanu kwa SSH kwasokonezedwa, ndiye kuti mubwerere ku gawo lanu la tmux muyenera kulumikizanso ndikulowa. tmux attach. Kuphatikiza apo, ili ndi mawonekedwe odabwitsa monga ma intra-terminal tabs ndi mapanelo, ofanana ndi ma tabo amtundu wa iOS, komanso kuthekera kogawana ma terminal ndi ena.

Некоторые любят приукрасить свой tmux с помощью Byobu, пакетом который значительно улучшает удобство использования tmux и добавляет в него много сочетаний клавиш. Byobu поставляется вместе с Ubuntu, и его легко установить на Mac через Homebrew.

Kugawana gawo lakutali ndi mnzanu

Nthawi zina, mukamathetsa mavuto ovuta pa maseva anu, mungafune kugawana gawo la SSH ndi munthu yemwe sali m'chipinda chimodzi ndi inu. tmux ndiyabwino pantchitoyi! Zimangotengera masitepe ochepa:

  1. Onetsetsani kuti tmux yayikidwa pa bastion node yanu, kapena pa seva iliyonse yomwe mungagwire nayo ntchito.
  2. Nonse mufunika SSH mu chipangizocho pogwiritsa ntchito akaunti yomweyo.
  3. Mmodzi wa inu ayenera kukhala akuthamanga tmux kuti ayambe gawo la tmux.
  4. Winayo ayenera kuthamanga tmux attach
  5. Voila! Muli ndi malo ogawana nawo.

Ngati mukufuna magawo apamwamba a tmux ogwiritsa ntchito ambiri, yesani tmate, foloko ya tmux yomwe imapangitsa magawo ogawana nawo kukhala osavuta.

Source: www.habr.com

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster