Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothée Ravier from Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, an ordinary user runs commands with root rights through the ssh utility, using a local connection to the same system over a UNIX socket and authentication based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions that use container isolation tooling, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authentication with a USB token (for example, a Yubikey) can additionally be required.

Example configuration of an OpenSSH server for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (with Accept=yes, systemd spawns one instance of this template per connection):

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key-based authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict logins to selected users
    AllowUsers root adminusername

    # Only allow the authorized_keys file
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client.

Install the socat utility:

    sudo dnf install socat

We extend ~/.ssh/config, defining socat as the proxy that connects through the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so this also works from inside containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Suppress unneeded output
        LogLevel QUIET

In its current form, the user adminusername can run commands as root without entering a password. Checking that it works:

    $ ssh host.local
    [root ~]#

We define a sudohost alias in bash that runs "ssh host.local", similar to sudo:

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            ssh host.local "cd \"${PWD}\"; exec \"${@}\""
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

We add a second factor and enable two-factor authentication, allowing root login only when a Yubikey USB token is inserted.

We check which algorithms the available Yubikey supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk
    or
    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Add the key type restriction to the sshd configuration, /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

We restrict access to the Unix socket to the single user who is allowed to obtain elevated privileges (adminusername in our example). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
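Because the whole scheme rests on the socket-specific sshd config refusing everything but key authentication and on the socket unit limiting who can connect, a small audit script is useful before relying on it. The following is an added example, not code from the article or from Ravier's setup; the config and unit files it checks are constructed samples written to a temporary directory, and the audit reads them the way sshd(8) does (first occurrence of a keyword wins, comments ignored).

```shell
#!/bin/sh
# Added audit helper (not from the article): verify that the sshd config used
# for the Unix-socket listener and its systemd socket unit carry the restrictive
# settings the setup depends on. Sample files below are constructed.

# Effective value of an sshd_config keyword: first match wins, as sshd(8)
# does; keyword is case-insensitive; comment lines are ignored.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print one line per problem; return 0 only when every check passes.
audit_sshd_unix() {  # $1 = sshd config file
    cfg="$1"; rc=0
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = no ] || { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitEmptyPasswords)" = no ] || { echo "PermitEmptyPasswords must be no"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = prohibit-password ] || { echo "PermitRootLogin must be prohibit-password"; rc=1; }
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] || { echo "AllowUsers must limit who may log in"; rc=1; }
    return $rc
}

# The socket unit must restrict who can open the socket at all.
audit_socket_unit() {  # $1 = socket unit file, $2 = expected admin user
    unit="$1"; user="$2"; rc=0
    grep -qx "Accept=yes" "$unit" || { echo "Accept=yes is needed for per-connection sshd -i"; rc=1; }
    grep -qx "SocketMode=0660" "$unit" || { echo "SocketMode must be 0660"; rc=1; }
    grep -qx "SocketUser=$user" "$unit" || { echo "SocketUser must be $user"; rc=1; }
    return $rc
}

# Constructed samples: a hardened config, a weak one where a later
# 'PasswordAuthentication no' does NOT override the earlier 'yes', and a unit.
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'PermitEmptyPasswords no' 'AllowUsers root adminusername' > "$tmp/good.conf"
printf '%s\n' '# PasswordAuthentication no' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' 'PermitRootLogin yes' > "$tmp/weak.conf"
printf '%s\n' '[Socket]' 'ListenStream=/run/sshd.sock' 'Accept=yes' \
    'SocketUser=adminusername' 'SocketGroup=adminusername' 'SocketMode=0660' > "$tmp/unit.socket"

audit_sshd_unix "$tmp/good.conf" && echo "good.conf: ok"
audit_sshd_unix "$tmp/weak.conf" || echo "weak.conf: rejected"
audit_socket_unit "$tmp/unit.socket" adminusername && echo "unit.socket: ok"
```

Run it against the real /etc/ssh/sshd_config_unix and /etc/systemd/system/sshd-unix.socket after each change; a non-zero exit means one of the settings the article relies on is missing or shadowed by an earlier line.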

Source: opennet.ru
