Setting up emergency access to SSH hosts with hardware keys

In this post we will set up emergency access to SSH hosts using hardware security keys. This is just one possible approach, and you can adapt it to your needs. We will keep the SSH certificate authority for our hosts on a hardware security key. This scheme works with almost any OpenSSH setup, including SSH with single sign-on.

What is all this for? Well, it is a last resort: a back door that lets you get into your server when, for whatever reason, nothing else works.

Why use certificates instead of public/private key pairs for emergency access?

  • Unlike public keys, a certificate can have a very short lifetime. You can issue a certificate that is valid for one minute or even five seconds. After that period the certificate can no longer be used for new connections. This is ideal for emergency access.
  • You can issue a certificate for any account on your hosts and, if needed, send "one-time" certificates to colleagues.

What you need

  • Hardware security keys that support resident keys.
    Resident keys are cryptographic keys stored entirely inside the security key. They are sometimes protected by an alphanumeric PIN. The public part of a resident key can be exported from the security key, optionally together with the private key handle. Yubikey 5 USB keys, for example, support resident keys. They are well suited to emergency access to a host. In this post I will use only one key, but you should have a second one as a backup.
  • A safe place to store those keys.
  • OpenSSH 8.2 or newer on your computer and on the servers you want emergency access to. Ubuntu 20.04 ships with OpenSSH 8.2.
  • (optional, but recommended) A CLI tool for inspecting certificates.

Setup

First, you need to create a certificate authority that will live on the hardware security key. Insert the key and run:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

As the comment (-C) I put [email protected] so that I do not forget which security key this certificate authority belongs to.

Besides adding the key to the Yubikey, two files will be created locally:

  1. sk-user-ca, a key handle that refers to the private key stored on the security key,
  2. sk-user-ca.pub, which will be the public key of your certificate authority.

Don't worry though: the Yubikey holds a second private key that cannot be extracted. So everything here is secure.

On the hosts, as root, add the following (if it is not there already) to your sshd configuration (/etc/ssh/sshd_config):

TrustedUserCAKeys /etc/ssh/ca.pub

Then, on the host, add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub

Restart the daemon:

# /etc/init.d/ssh restart

Now we can try to access the host. But first we need a certificate. Generate a key pair that will be tied to the certificate:

$ ssh-keygen -t ecdsa -f emergency

Certificates and SSH key pairs

It is sometimes tempting to use a certificate in place of a public/private key pair. But a certificate alone is not enough to authenticate a user. Every certificate also has a private key tied to it. That is why we need to generate the "emergency" key pair before issuing ourselves a certificate. The important part is that we present the signed certificate to the server and prove that we hold the private key for the public key it certifies.

So the public key exchange is still alive and well. It happens even with certificates. Certificates simply remove the need for the server to store public keys.

Next, create the certificate itself. I want authorization for the ubuntu user for a 10-minute window. You can do it your own way.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

You will be asked to touch the security key to sign the certificate. You can add extra principals separated by commas, for example -n ubuntu,carl,ec2-user

With that, you now have a certificate! Next you need to set the correct permissions:

$ chmod 600 emergency-cert.pub

After that, you can view the contents of your certificate:

$ step ssh inspect emergency-cert.pub

This is what mine looks like:

emergency-cert.pub
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Here the public key is the emergency key we generated, and the signing CA is sk-user-ca, our certificate authority.
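
As an added illustration, not part of the original post, here is a small Python parser for the OpenSSH certificate wire format (the layout documented in OpenSSH's PROTOCOL.certkeys), so the fields that step ssh inspect shows above (key ID, principals, validity window) can be read and checked against a lifetime policy without the step tool; it handles plain ECDSA, RSA and Ed25519 user certificates (the -sk variants carry extra fields and are not covered). The function names are my own, and the sample certificate it builds is constructed with a dummy key and a placeholder signature, so it exercises only the parser; the key and signature are not verified.

```python
import base64
import struct

def ssh_string(data):                       # SSH 'string': big-endian uint32 length + payload
    return struct.pack(">I", len(data)) + data

class _Reader:                              # sequential reader for PROTOCOL.certkeys wire types
    def __init__(self, blob):
        self.blob, self.off = blob, 0
    def string(self):
        (n,) = struct.unpack_from(">I", self.blob, self.off)
        self.off += 4 + n
        return self.blob[self.off - n:self.off]
    def uint(self, fmt):                    # ">I" for uint32, ">Q" for uint64
        (v,) = struct.unpack_from(fmt, self.blob, self.off)
        self.off += struct.calcsize(fmt)
        return v

def parse_cert(cert_line):                  # one '<type> <base64> [comment]' line of a *-cert.pub file
    cert_type, b64 = cert_line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    r.string(), r.string()                  # type string (repeated inside the blob), nonce
    for _ in range(2 if cert_type.startswith(("ecdsa-sha2-", "ssh-rsa-")) else 1):
        r.string()                          # public key parts: ecdsa curve+point, rsa e+n, or raw ed25519 key
    serial, ctype, key_id = r.uint(">Q"), r.uint(">I"), r.string().decode()
    plist, principals = _Reader(r.string()), []   # principals are a nested list of SSH strings
    while plist.off < len(plist.blob):
        principals.append(plist.string().decode())
    valid_after, valid_before = r.uint(">Q"), r.uint(">Q")
    return {"serial": serial, "user_cert": ctype == 1, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_emergency_cert(cert_line, max_lifetime=3600):
    """Return the policy problems found; an empty list means the certificate passes."""
    c, problems = parse_cert(cert_line), []
    if not c["principals"]:                 # an empty list means the cert is valid for ANY principal
        problems.append("no principals: certificate is valid for any account")
    if c["valid_before"] - c["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds %d seconds" % max_lifetime)
    return problems

def make_sample_cert(key_id, principals, valid_after, valid_before):   # constructed, unsigned, dummy key
    ctype = b"ecdsa-sha2-nistp256-cert-v01@openssh.com"
    body = ssh_string(ctype) + ssh_string(b"\x00" * 32)                       # type, nonce
    body += ssh_string(b"nistp256") + ssh_string(b"\x04" + b"\x00" * 64)      # curve, dummy point
    body += struct.pack(">QI", 0, 1) + ssh_string(key_id.encode())           # serial, user cert, key id
    body += ssh_string(b"".join(ssh_string(p.encode()) for p in principals)) # valid principals
    body += struct.pack(">QQ", valid_after, valid_before) + ssh_string(b"") * 3  # validity; crit opts, exts, reserved
    body += ssh_string(b"dummy-ca-key") + ssh_string(b"dummy-signature")      # signature key, signature
    return ctype.decode() + " " + base64.b64encode(body).decode() + " constructed-sample"
```

Running check_emergency_cert on the text of a real *-cert.pub line (such as emergency-cert.pub) confirms that the principals are restricted and the validity window is short before a certificate is handed to a colleague.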

Finally, we are ready to run the SSH command:

$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

  1. Now you can issue certificates for any user that trusts your certificate authority.
  2. You can delete the emergency key pair. You can keep sk-user-ca, but you do not have to, since it is also on the security key. You may also want to remove the PEM public key from your hosts (for example from ~/.ssh/authorized_keys for the ubuntu user) if you were using it for emergency access.

Emergency access: action plan

Plug in the security key and run:

$ ssh-add -K

This adds the certificate authority's public key and key handle to the SSH agent.

Now export the public key so you can issue a certificate:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Issue a certificate with an expiration time, for example no longer than an hour:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

And now SSH in again:

$ ssh -i emergency username@host

If your .ssh/config file is causing connection problems, you can run ssh with -F none to bypass it. If you need to send a certificate to a colleague, the easiest and safest way is Magic Wormhole. For that you only need two files: in our case, emergency and emergency-cert.pub.

What I like about this approach is the hardware backing. You can put your security keys in a safe place, and they are not going anywhere.

Source: www.habr.com
