Using SSH over a UNIX socket instead of sudo to get rid of suid binaries

Timothée Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to do without the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, an ordinary user runs commands as root through the ssh utility, using a local connection to the same system over a UNIX socket, with authorization verified by SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in container-based isolated environments such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authorization can additionally be confirmed with a USB token (for example, a Yubikey).

Example configuration of the OpenSSH server components for access over a Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key-based authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to the selected users
    AllowUsers root adminusername

    # Use only .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH key to /root/.ssh/authorized_keys

Setting up the SSH client.

Install the socat utility:

    sudo dnf install socat

Add the following to ~/.ssh/config, specifying socat as the proxy for access through the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run when working from inside containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Suppress unneeded output
        LogLevel QUIET

In its current form, the user adminusername can now run commands as root without entering a password. Checking that it works:

    $ ssh host.local
    [root ~]#

We create a sudohost function in bash that runs "ssh host.local" the way sudo would:

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            # Quote each argument separately with printf %q so that multi-word
            # commands (e.g. "sudohost ls -l") are not collapsed into one word
            ssh host.local "cd $(printf '%q' "${PWD}"); exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

Now we add a second factor, allowing root access only while a Yubikey USB token is inserted.

Check which algorithms the available Yubikey supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk
or
    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys

Bind sshd to the required key types in its configuration, /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Restrict access to the Unix socket to the user who may obtain elevated privileges (for example, adminusername). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
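As an added example (not code from the article or from the setup it describes), the following POSIX shell script audits the two files the procedure above produces, the sshd configuration for the socket instance and the systemd socket unit, and reports any setting that would reopen password login or expose the socket to every local user. The sample files it checks are constructed inline, so it runs offline.

```shell
#!/bin/sh
# Added audit helper, not code from the article. It checks that an
# sshd_config_unix file and an sshd-unix.socket unit carry the hardening the
# procedure relies on; the sample files at the bottom are constructed here.

# Print the effective value of an sshd_config keyword. sshd honours the first
# occurrence of a keyword, so the first match wins; comment lines are skipped.
sshd_opt() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit the sshd config used by the Unix-socket instance. Returns 0 only if
# every expected setting is present; each deviation is printed as FAIL.
check_sshd_unix_config() {
    f=$1; rc=0
    [ "$(sshd_opt "$f" PermitRootLogin)" = prohibit-password ] ||
        { echo "FAIL $f: PermitRootLogin must be prohibit-password"; rc=1; }
    for kw in PasswordAuthentication PermitEmptyPasswords GSSAPIAuthentication; do
        [ "$(sshd_opt "$f" "$kw")" = no ] || { echo "FAIL $f: $kw must be no"; rc=1; }
    done
    # Without AllowUsers, any local account with an authorized_keys entry gets in.
    [ -n "$(sshd_opt "$f" AllowUsers)" ] || { echo "FAIL $f: AllowUsers missing"; rc=1; }
    return $rc
}

# Audit the systemd socket unit: without SocketMode systemd creates the
# socket 0666, so every local user could reach the root-capable sshd.
check_socket_unit() {
    f=$1; rc=0
    case "$(sed -n 's/^SocketMode=//p' "$f")" in
        0600|0640|0660) ;;
        *) echo "FAIL $f: SocketMode must restrict the socket (e.g. 0660)"; rc=1 ;;
    esac
    grep -q '^SocketUser=' "$f" || { echo "FAIL $f: SocketUser not set"; rc=1; }
    grep -q '^Accept=yes' "$f" || { echo "FAIL $f: Accept=yes needed for sshd -i"; rc=1; }
    return $rc
}

# Constructed samples: the article's settings, plus a weakened copy of each.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); GOOD_SOCK=$(mktemp); BAD_SOCK=$(mktemp)
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'PermitEmptyPasswords no' 'GSSAPIAuthentication no' 'AllowUsers root adminusername' > "$GOOD_CFG"
printf '%s\n' '# PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PermitEmptyPasswords no' 'GSSAPIAuthentication no' > "$BAD_CFG"
printf '%s\n' '[Socket]' 'ListenStream=/run/sshd.sock' 'Accept=yes' \
    'SocketUser=adminusername' 'SocketGroup=adminusername' 'SocketMode=0660' > "$GOOD_SOCK"
printf '%s\n' '[Socket]' 'ListenStream=/run/sshd.sock' 'Accept=yes' > "$BAD_SOCK"
check_sshd_unix_config "$GOOD_CFG" && check_socket_unit "$GOOD_SOCK" && echo "hardened setup: OK"
check_sshd_unix_config "$BAD_CFG" || echo "weakened config rejected, as expected"
```

Point the two check functions at the real /etc/ssh/sshd_config_unix and /etc/systemd/system/sshd-unix.socket to audit a live installation.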

Source: opennet.ru
