Setting up emergency access to SSH hosts with hardware keys


In this post we will set up a procedure for emergency access to SSH hosts, using hardware security keys that are kept offline. This is just one possible approach, and you can adapt it to your own needs. We will keep the SSH certificate authority for our hosts on a hardware security key. This scheme works with any OpenSSH setup, including SSH with single sign-on.

What is all this for? Well, it is a last-resort option: a backdoor that lets you get into your server when, for whatever reason, nothing else works.

Why use certificates instead of public/private key pairs for emergency access?

  • Unlike public keys, certificates can have a very short lifetime. You can issue a certificate that is valid for 1 minute or even 5 seconds. After that period the certificate can no longer be used for new connections. This is ideal for emergency access.
  • You can issue a certificate for any account on your hosts and, if necessary, hand such "one-time" certificates to colleagues.

What you need

  • A hardware security key that supports resident keys.
    Resident keys are cryptographic keys stored entirely inside the security key. Optionally they are protected by an alphanumeric PIN. The public part of a resident key can be exported from the security key, optionally together with the private key handle. For example, the Yubikey 5 series USB keys support resident keys. For this post I will use a single key, but you should have a second one as a backup.
  • A secure place to store those keys.
  • OpenSSH version 8.2 or later on your local machine and on the servers you want emergency access to. Ubuntu 20.04 ships with OpenSSH 8.2.
  • (optional, but recommended) A CLI tool for inspecting certificates.

Preparation

First, you need to create a certificate authority that will live on the hardware security key. Insert the key and run:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

As the comment (-C) I specified [email protected] so that I do not forget that this certificate authority belongs to the security key.

Besides adding the key to the Yubikey, two files will be created locally:

  1. sk-user-ca, a key handle that refers to the private key stored on the security key,
  2. sk-user-ca.pub, which is the public key of your certificate authority.

But don't worry: the Yubikey holds another private key that cannot be extracted, so everything here stays secure.

On the hosts, as root, add the following (if it is not there already) to your sshd configuration (/etc/ssh/sshd_config):

TrustedUserCAKeys /etc/ssh/ca.pub

Then add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub

Restart the daemon:

# /etc/init.d/ssh restart
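
Once the directive and the CA file are in place, it is worth checking what a host actually trusts before relying on it in an emergency. The following added example (not code from the original post) reads an sshd_config excerpt and the TrustedUserCAKeys file offline, honouring sshd's "first occurrence wins" rule and ignoring directives scoped to a Match block, and prints the SHA256 fingerprint of each CA key in the same form that ssh-keygen -l prints it, so it can be compared with the "Signing CA" line of an inspected certificate. The sshd_config excerpt and the CA key line are constructed for the demo; the key material inside the sample key is filler, not a real key.

```python
import base64
import hashlib
import re
import struct

# Added example, not code from the original post. All sample inputs below are
# constructed for the demo.


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an RFC 4251 'string' (4-byte big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def constructed_sk_ecdsa_pubkey(comment: str) -> str:
    """Build a syntactically valid sk-ecdsa public key line with DUMMY key material.

    Wire layout of sk-ecdsa-sha2-nistp256@openssh.com keys (OpenSSH PROTOCOL.u2f):
    string type, string curve name, string Q (uncompressed point), string application.
    The point is filler, so this is a parser test input, not a usable key.
    """
    blob = (ssh_string(b"sk-ecdsa-sha2-nistp256@openssh.com")
            + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + b"\x11" * 64)
            + ssh_string(b"ssh:"))
    return f"sk-ecdsa-sha2-nistp256@openssh.com {base64.b64encode(blob).decode()} {comment}"


SAMPLE_SSHD_CONFIG = """\
# constructed excerpt of /etc/ssh/sshd_config
Port 22
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/ca.pub
Match User backup
    TrustedUserCAKeys /etc/ssh/backup-ca.pub
"""

SAMPLE_CA_FILE = constructed_sk_ecdsa_pubkey("emergency-ca-on-security-key") + "\n"


def parse_sshd_config(text: str) -> dict:
    """Global sshd_config directives as {lowercased keyword: value}.

    Directives inside a Match block only apply to matching connections and are
    skipped; sshd honours the first occurrence of a keyword, so later duplicates
    are ignored too.
    """
    opts = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if not in_match:
            opts.setdefault(keyword, value)
    return opts


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_ca_keys(text: str) -> list:
    """Parse an authorized_keys-style file, i.e. the file named by TrustedUserCAKeys."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed key line: {line!r}")
        key_type, b64 = fields[0], fields[1]
        blob = base64.b64decode(b64, validate=True)
        # The first RFC 4251 string inside the blob must repeat the declared key type.
        if len(blob) < 4:
            raise ValueError("key blob too short")
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"key type in blob does not match {key_type!r}")
        keys.append({"type": key_type, "fingerprint": fingerprint(blob),
                     "comment": " ".join(fields[2:])})
    return keys


def trusted_user_cas(sshd_config_text: str, ca_file_text: str):
    """Return (path named by TrustedUserCAKeys, CA keys found in that file).

    File contents are passed in instead of read from disk so the check also runs
    against a config and key file copied from a host.
    """
    path = parse_sshd_config(sshd_config_text).get("trustedusercakeys")
    if path is None or path.lower() == "none":
        return path, []
    return path, parse_ca_keys(ca_file_text)


if __name__ == "__main__":
    path, cas = trusted_user_cas(SAMPLE_SSHD_CONFIG, SAMPLE_CA_FILE)
    print(f"TrustedUserCAKeys = {path}")
    for ca in cas:
        print(f"  {ca['type']} {ca['fingerprint']} {ca['comment']}")
```

A fingerprint printed here should match the "Signing CA" line that ssh-keygen -L or step ssh inspect shows for a certificate issued by that CA; if the host's file lists a CA you do not recognise, or the directive only appears inside a Match block, the emergency path will not behave as expected.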

Now we can try to access the host. But first we need a certificate. Generate a key pair that will be bound to the certificate:

$ ssh-keygen -t ecdsa -f emergency

Certificates and SSH key pairs
It is tempting to treat a certificate as a replacement for a public/private key pair. But a certificate on its own is not enough to authenticate a user: every certificate is bound to a private key. That is why we have to generate this "emergency" key pair before issuing ourselves a certificate. The essential step is presenting a signed certificate to the server, which names the key pair for which we hold the private key.

So the public key exchange is alive and well; it works the same way with certificates. Certificates simply remove the need for the server to store public keys.

Next, create the certificate itself. I want authorization as the ubuntu user for ten minutes. You can do it your own way.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

You will be asked to sign the certificate by touching the key. You can list several user names separated by commas, for example -n ubuntu,carl,ec2-user.

That's it, you now have a certificate! Next, you need to set the correct permissions:

$ chmod 600 emergency-cert.pub

After that, you can view the contents of your certificate:

$ step ssh inspect emergency-cert.pub

Here is what mine looks like:

emergency-cert.pub
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Here the public key is the emergency key we generated, and sk-user-ca is the certificate authority that signed it.
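
The point of the short validity window and the explicit principal list (see the reasons for using certificates at the start of the post) is that a leaked emergency certificate is worth little. Before handing one to a colleague, or when auditing one that was issued, it helps to check those fields mechanically. The following added example (not code from the original post) parses the text layout that step ssh inspect and ssh-keygen -L print and checks a certificate against a simple policy: bounded lifetime, not expired, explicit principals, and no forbidden extensions. SAMPLE is constructed from the output shown above; its Type line uses the OpenSSH type name for a certificate over a plain ecdsa key, and the policy defaults are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the original post. SAMPLE is constructed from the
# inspect output shown in the post.
SAMPLE = """\
emergency-cert.pub
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S"
FIELD_RE = re.compile(r"^\s*(Type|Public key|Signing CA|Key ID|Serial|Valid):\s*(.*)$")
LIST_RE = re.compile(r"^\s*(Principals|Critical Options|Extensions):\s*(.*)$")
VALID_RE = re.compile(r"^from (\S+) to (\S+)$")


def parse_inspect(text: str) -> dict:
    """Turn inspect output into a dict; Principals/Critical Options/Extensions become lists."""
    cert = {"principals": [], "critical_options": [], "extensions": [],
            "valid_from": None, "valid_to": None}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LIST_RE.match(line)
        if m:
            # a "(none)" or empty value simply leaves the list empty
            section = m.group(1).lower().replace(" ", "_")
            continue
        m = FIELD_RE.match(line)
        if m:
            section = None
            name, value = m.group(1), m.group(2).strip()
            if name == "Key ID":
                cert["key_id"] = value.strip('"')
            elif name == "Serial":
                cert["serial"] = int(value)
            elif name == "Valid":
                vm = VALID_RE.match(value)
                if vm:  # "Valid: forever" leaves both bounds as None
                    cert["valid_from"] = datetime.strptime(vm.group(1), TS_FMT)
                    cert["valid_to"] = datetime.strptime(vm.group(2), TS_FMT)
            else:
                cert[name.lower().replace(" ", "_")] = value
            continue
        if section is not None:  # indented item under a list heading
            cert[section].append(line.strip())
        # anything else (the file name header) is ignored
    return cert


def check_policy(cert: dict, now, max_lifetime_s: int = 3600,
                 allowed_principals=None, forbidden_extensions=()) -> list:
    """Return policy violations for an emergency certificate (empty list means it passes).

    `now` is a datetime or a timestamp string in the inspect output's own format.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    problems = []
    if cert["valid_from"] is None:
        problems.append("no validity window: certificate never expires")
    else:
        lifetime = int((cert["valid_to"] - cert["valid_from"]).total_seconds())
        if lifetime > max_lifetime_s:
            problems.append(f"lifetime {lifetime} s exceeds policy maximum {max_lifetime_s} s")
        if now < cert["valid_from"]:
            problems.append("not yet valid")
        elif now > cert["valid_to"]:
            problems.append("expired")
    if not cert["principals"]:
        # OpenSSH treats an empty principal list as valid for every user
        problems.append("empty principal list: valid for any account on the host")
    elif allowed_principals is not None:
        extra = sorted(set(cert["principals"]) - set(allowed_principals))
        if extra:
            problems.append("unexpected principals: " + ", ".join(extra))
    for ext in cert["extensions"]:
        if ext in forbidden_extensions:
            problems.append(f"forbidden extension: {ext}")
    return problems


if __name__ == "__main__":
    cert = parse_inspect(SAMPLE)
    print(cert["key_id"], cert["principals"], cert["valid_to"] - cert["valid_from"])
    print(check_policy(cert, "2020-06-24T16:55:00") or "policy: OK")
```

The inspect output prints validity times in local time without a zone, so compare against a local-time "now" (the default of datetime.now()) rather than UTC.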

Finally, we are ready to run the SSH command:

$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

  1. You can now issue certificates for any user on hosts that trust your certificate authority.
  2. You can delete emergency. You may keep sk-user-ca, but you don't have to, since it lives on the security key. You may also want to remove the original PEM public key from your hosts (for example, from the ubuntu user's ~/.ssh/authorized_keys) if you used it for emergency access.

Emergency Access: Action Plan

Plug in the security key and run the command:

$ ssh-add -K

This adds the certificate authority's public key and key handle to the SSH agent.

Now export the public key in order to create the certificate:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Create a certificate with an expiry, for example, no longer than an hour:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

And now SSH again:

$ ssh -i emergency username@host

If your .ssh/config file causes problems when connecting, you can run ssh with the -F none option to bypass it. If you need to send a certificate to a colleague, a simple and secure option is Magic Wormhole. All you need for that are two files: in our case, emergency and emergency-cert.pub.

What I like about this approach is the hardware backing. You can put your security keys in a safe, and they go nowhere.



Source: www.habr.com
