Timothée Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to do without the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, an ordinary user runs privileged commands through the ssh utility, connecting locally to the same system over a UNIX socket and authenticating with SSH keys.
Using ssh instead of sudo makes it possible to remove suid programs from the system, and it allows privileged commands to be run in the host environment of distributions built from isolated components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, administrator authentication can be tied to a USB token (for example, a Yubikey).
An example of configuring the OpenSSH server side for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service:

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Allow only public-key authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to selected users
    AllowUsers root adminusername

    # Use only .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket
Add your SSH public key to /root/.ssh/authorized_keys.

Configure the SSH client.

Install the socat utility:

    sudo dnf install socat

Add the following to ~/.ssh/config, using socat as a proxy to reach the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so that this also works from inside a container
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Remove noise
        LogLevel QUIET

At this point the user adminusername can already run commands as root without entering a password. Check that it works:

    $ ssh host.local
    [root ~]#
We define a sudohost function in bash that runs "ssh host.local", mirroring how sudo is used (each argument is quoted separately with printf '%q' so that multi-word commands reach the remote shell intact):

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            # No arguments: open a root login shell in the current directory
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            # Quote every argument so that e.g. "sudohost dnf update" is not passed as one word
            ssh host.local "cd \"${PWD}\"; exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)
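Because the Unix-socket sshd is the only thing standing between a local user and a root shell, it is worth checking that /etc/ssh/sshd_config_unix really enforces what the article's configuration intends. The script below is an added example, not code from the article or from the Fedora projects; it checks the directive values the article's config sets, flags a missing AllowUsers, and warns about KbdInteractiveAuthentication (not in the article's config, default yes). The two sample configs are constructed for a self-test; on a real system call check_sshd_config_unix /etc/ssh/sshd_config_unix.

```bash
#!/bin/sh
# Added example, not part of the article: audit the sshd_config used by the
# local Unix-socket sshd for the settings the article relies on.
# Sample configs below are constructed for a self-test.

# Effective value of a directive. sshd takes the FIRST occurrence of a keyword,
# so a later "PasswordAuthentication no" does not override an earlier "yes".
sshd_directive() {   # sshd_directive <file> <Directive>
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit 0 when the file enforces key-only authentication for a fixed user list;
# otherwise print one FAIL line per problem and exit 1.
check_sshd_config_unix() {   # check_sshd_config_unix <file>
    local cfg rc pair key want got
    cfg="$1"; rc=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no \
                GSSAPIAuthentication=no PermitRootLogin=prohibit-password; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_directive "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            # An unset value also catches a misspelled directive (sshd would refuse to start)
            echo "FAIL: $key is '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    # Without AllowUsers every local account with a key in authorized_keys is accepted
    if [ -z "$(sshd_directive "$cfg" AllowUsers)" ]; then
        echo "FAIL: AllowUsers missing; any local user could log in over the socket"
        rc=1
    fi
    # Keyboard-interactive defaults to yes; with UsePAM it can prompt for a password
    # even though PasswordAuthentication is off, so flag it as a warning
    if [ "$(sshd_directive "$cfg" KbdInteractiveAuthentication)" != "no" ]; then
        echo "WARN: KbdInteractiveAuthentication not set to no (default is yes)"
    fi
    return "$rc"
}

# Constructed weak config: password auth left on, misspelled PermitEmptyPasswords, no AllowUsers
weak_config_file() {
    f="$(mktemp)"
    cat >"$f" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PemitEmptyPasswords no
GSSAPIAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    echo "$f"
}

# Constructed hardened config: the article's sshd_config_unix plus KbdInteractiveAuthentication no
hardened_config_file() {
    f="$(mktemp)"
    cat >"$f" <<'EOF'
# Allow only public-key authentication
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no
KbdInteractiveAuthentication no
AllowUsers root adminusername
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    echo "$f"
}
```

The audit complements, but does not replace, sshd's own syntax check: run sshd -t -f /etc/ssh/sshd_config_unix as well, since a misspelled directive makes the per-connection service fail to start rather than fail open.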
Next we add two-factor authentication, so that root access is granted only while a Yubikey USB token is plugged in.

Determine the firmware version of the connected Yubikey, which defines the algorithms it supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the firmware is 5.2.3 or newer, generate the key with ed25519-sk; otherwise use ecdsa-sk (note that lsusb prints bcdDevice in BCD form, so firmware 5.2.3 appears as 5.23):

    ssh-keygen -t ed25519-sk
    or
    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Restrict the accepted key types in the sshd configuration, /etc/ssh/sshd_config_unix (OpenSSH 8.5 renamed this directive to PubkeyAcceptedAlgorithms; the old name is still accepted as an alias):

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Restrict access to the Unix socket to the one user who is allowed to obtain elevated privileges (adminusername in our example). By default systemd creates the socket with mode 0666, so without this step any local user could reach the daemon, even though they would still need a key listed in authorized_keys. In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
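The version check above relies on reading the raw bcdDevice field by eye, which is easy to get wrong because lsusb prints it in BCD (firmware 5.4.3 shows as "5.43") and because a plain string comparison orders 5.10.x before 5.2.3. The script below is an added example, not code from the article or from Yubico: it decodes the field from lsusb -v output, compares versions numerically, and picks the key type the article prescribes. The lsusb excerpt is constructed for a self-test; the key path ~/.ssh/keys/localroot in the usage comment is the one the article's ssh config uses.

```bash
#!/bin/sh
# Added example, not part of the article: choose the FIDO key type from the
# YubiKey firmware version instead of eyeballing the lsusb output.
# lsusb reports the version as BCD in bcdDevice: firmware 5.4.3 shows as "5.43",
# so the raw field must be decoded before comparing it with 5.2.3.

# Constructed excerpt of "lsusb -v" for a YubiKey 5 (stands in for the real command)
sample_lsusb() {
    cat <<'EOF'
Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  idVendor           0x1050 Yubico.com
  idProduct          0x0407 Yubikey 4/5 OTP+U2F+CCID
  bcdDevice            5.43
  iManufacturer           1 Yubico
EOF
}

# Read "lsusb -v" output on stdin, print the firmware as major.minor.patch
yubikey_firmware_version() {
    bcd="$(awk '/Yubico/ { seen = 1 } seen && $1 == "bcdDevice" { print $2; exit }')"
    [ -n "$bcd" ] || return 1
    major="${bcd%%.*}"
    rest="${bcd#*.}"                       # "43" -> minor 4, patch 3
    minor="$(printf '%s' "$rest" | cut -c1)"
    patch="$(printf '%s' "$rest" | cut -c2)"
    printf '%s.%s.%s\n' "$major" "${minor:-0}" "${patch:-0}"
}

# Numeric dotted-version compare: returns 0 if $1 >= $2 (so 5.10.0 counts as newer than 5.2.3)
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Firmware 5.2.3 and newer support Ed25519 in the FIDO applet; older keys get ECDSA P-256
sk_key_type() {   # sk_key_type <firmware version>
    if version_ge "$1" 5.2.3; then echo ed25519-sk; else echo ecdsa-sk; fi
}

# Usage on a real system (key path taken from the article's ssh config):
#   ver="$(lsusb -v 2>/dev/null | yubikey_firmware_version)" &&
#   ssh-keygen -t "$(sk_key_type "$ver")" -f ~/.ssh/keys/localroot
```

The function returns non-zero when no Yubico device is present, so the usage line will not fall through to generating a non-FIDO key when the token is unplugged.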
Source: opennet.ru