ProHoster > Блог > Maamulka > Waxaan u qornaa habraaca gelitaanka degdegga ah ee martida loo yahay SSH ee leh furayaasha qalabka

Waxaan u qornaa habraaca gelitaanka degdegga ah ee martida loo yahay SSH ee leh furayaasha qalabka

Waxaan u qornaa habraaca gelitaanka degdegga ah ee martida loo yahay SSH ee leh furayaasha qalabka

Maqaalkan, waxaan ku horumarin doonaa habka gelitaanka degdega ah ee martida loo yahay SSH anagoo adeegsanayna furayaasha amniga qalabka khadka. Tani waa hal hab oo kaliya, oo waxaad la qabsan kartaa si ay ugu habboonaato baahiyahaaga. Waxaan ku kaydin doonaa maamulka shahaadada SSH ee martigeliyayaashayada furaha amniga qalabka. Nidaamkani wuxuu ka shaqayn doonaa ku dhawaad ​​OpenSSH kasta, oo ay ku jirto SSH oo leh hal calaamad.

Waa maxay waxan oo dhan? Hagaag, tani waa ikhtiyaarka ugu dambeeya. Kani waa albaab dambe oo kuu ogolaanaya inaad gasho server-kaaga marka sabab kale aysan shaqayn.

Maxay tahay sababta loo isticmaalo shahaadooyinka halkii laga isticmaali lahaa furayaasha dadweynaha/gaarka ah ee gelitaanka degdega ah?

  • Si ka duwan furayaasha dadweynaha, shahaadooyinku waxay yeelan karaan nolol aad u gaaban. Waxaad soo saari kartaa shahaado shaqaynaysa 1 daqiiqo ama xitaa 5 ilbiriqsi. Muddadan ka dib, shahaadu waxay noqon doontaa mid aan la isticmaali karin xidhiidhada cusub. Tani waxay ku habboon tahay gelitaanka degdegga ah.
  • Waxaad u abuuri kartaa shahaado koonto kasta martigeliyahaaga iyo, haddii loo baahdo, u soo diri shahaadooyin "hal mar" sida asxaabta.

Maxaad ubaahantahay

  • Furayaasha amniga qalabka ee taageera furayaasha deegaanka.
    Furayaasha degane waa furayaal qarsoodi ah oo ku kaydsan gabi ahaan furaha amniga. Mararka qaarkood waxaa ilaaliya PIN alfanumeric ah. Qaybta dadwaynaha ee furaha deegaanka waxaa laga dhoofin karaa furaha amniga, iyada oo ikhtiyaari ah oo ay la socoto gacanta furaha gaarka ah. Tusaale ahaan, Yubikey 5 taxane furayaasha USB waxay taageeraan furayaasha deegaanka. Boostada waxaan kaliya isticmaali doonaa hal fure, laakiin waa inaad haysataa mid dheeraad ah oo kayd ah.
  • Meel nabdoon oo lagu kaydiyo furayaashaas.
  • FurSSH nooca 8.2 ama ka sareeya kombayutarka deegaankaaga iyo server-yada aad rabto inaad gasho xaalad degdeg ah. Ubuntu 20.04 waxay wataan OpenSSH 8.2.
  • (ikhtiyaar, laakiin lagu taliyay) Qalabka CLI ee lagu hubinayo shahaadooyinka.

Tababarka

Marka hore waxaad u baahan tahay inaad abuurto hay'ad shahaado ah oo ku taal furaha amniga qalabka. Geli furaha oo orod:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

Faallo ahaan (-C) ayaan tilmaamay [emailka waa la ilaaliyay]markaa ha iloobin furaha amniga ee ay maamulka shahaadodu ka tirsan tahay.

Marka lagu daro furaha Yubikey, laba fayl ayaa laga soo saari doonaa gudaha:

  1. sk-user-ca, gacan furaha oo tilmaamaya furaha gaarka ah ee lagu kaydiyay furaha amniga,
  2. sk-user-ca.pub, kaas oo noqon doona furaha guud ee maamulkaaga shahaadada.

Laakin ha werwerin, Yubikey-gu waxa uu kaydiyaa fure kale oo gaar ah oo aan dib loo soo celin karin. Sidaa darteed, wax walba waa la isku halleyn karaa halkan.

Ciidanka martida loo yahay, xidid ahaan, ku dar (haddii aanad horeba u lahayn) kuwan soo socda qaabayntaada SSHD (/etc/ssh/sshd_config):

TrustedUserCAKeys /etc/ssh/ca.pub

Ka dib martigeliyaha, ku dar furaha dadweynaha (sk-user-ca.pub) /etc/ssh/ca.pub

Dib u bilaw daemon:

# /etc/init.d/ssh restart

Hadda waxaan isku dayi karnaa inaan galno martigeliyaha. Laakiin marka hore waxaan u baahanahay shahaado. Samee lamaane fure ah oo la xiriiri doona shahaadada:

$ ssh-keygen -t ecdsa -f emergency

Shahaadooyinka iyo lammaanaha SSH
Mararka qaarkood waa wax la jiidan karo in loo isticmaalo shahaado beddelka lamaanaha muhiimka ah ee dadweynaha/gaarka ah. Laakin shahaado kaliya kuma filna in la xaqiijiyo isticmaalaha. Shahaado waliba waxay leedahay fure gaar ah oo la xidhiidha. Tani waa sababta aan ugu baahanahay inaan soo saarno lamaanahan muhiimka ah ee "xaalad degdeg ah" ka hor inta aynaan bixin nafteena shahaado. Waxa muhiimka ah waa in aan tusno shahaadada saxeexan ee server-ka, taas oo muujinaysa lamaanaha muhiimka ah ee aan u haysanno fure gaar ah.

Markaa isweydaarsiga furaha dadweynaha ayaa weli nool oo wanaagsan. Tani waxay ku shaqeysaa xitaa shahaadooyinka. Shahaadooyinka ayaa si fudud meesha uga saaraya baahida server-ku u qabo inuu kaydiyo furayaasha dadweynaha.

Marka xigta, samee shahaadada lafteeda. Waxaan u baahanahay oggolaanshaha isticmaalaha ubuntu 10 daqiiqo gudahood. Waxaad samayn kartaa sidaada.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

Waxaa lagu weydiin doonaa inaad saxiixdo shahaadada adigoo isticmaalaya sawirka farahaaga. Waxaad ku dari kartaa isticmaaleyaal dheeraad ah oo ay kala soocaan joodar, tusaale ahaan -n ubuntu,carl,ec2-user

Taasi waa, hadda waxaad haysataa shahaado! Marka xigta waxaad u baahan tahay inaad qeexdo oggolaanshaha saxda ah:

$ chmod 600 emergency-cert.pub

Taas ka dib, waxaad arki kartaa waxa ku jira shahaadadaada:

$ step ssh inspect emergency-cert.pub

Tani waa sida taydu u egtahay:

emergency-cert.pub
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Halkan furaha dadweynuhu waa furaha degdega ah ee aanu abuurnay, sk-user-cana waxa uu la xidhiidhaa maamulka shahaado bixinta.

Ugu dambeyntii waxaan diyaar u nahay inaan socodsiino amarka SSH:


$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

  1. Waxaad hadda u abuuri kartaa shahaadooyin isticmaale kasta oo ku jira martigeliyaha ku kalsoon maamulka shahaadadaada.
  2. Waxaad ka saari kartaa xaaladda degdegga ah. Waxaad kaydin kartaa sk-user-ca, laakiin uma baahnid maadaama ay sidoo kale ku jirto furaha amniga. Waxa kale oo laga yaabaa inaad rabto inaad ka saarto furaha dadweynaha ee asalka ahaa ee PEM martigeliyayaashaada (tusaale gudaha ~/.ssh/authorized_keys ee isticmaalaha ubuntu) haddii aad u isticmaashay gelitaanka degdega ah.

Helitaanka Degdegga ah: Qorshe Hawleed

Ku dheji furaha amniga oo socodsii amarka:

$ ssh-add -K

Tani waxay ku dari doontaa furaha guud ee maamulka shahaadada iyo sharaxaadaha muhiimka ah wakiilka SSH.

Hadda dhoofi furaha dadweynaha si aad shahaado u samayso:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Samee shahaado leh taariikhda dhicitaanka, tusaale ahaan, wax aan ka badnayn saacad:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

Oo hadda SSH mar kale:

$ ssh -i emergency username@host

Haddii faylkaaga .ssh/config uu keeno dhibaatooyin marka la isku xirayo, waxaad ku wadi kartaa ssh-F ma jiro ikhtiyaar aad ku dhaafto. Haddii aad u baahan tahay inaad shahaado u dirto saaxiibkiis, doorashada ugu fudud uguna badbaado badan waa Wormhole Magic. Si aad tan u samayso, waxaad u baahan tahay laba fayl oo keliya - kiiskeenna, xaalad degdeg ah iyo degdeg-cert.pub.

Waxa aan ka helay habkan waa taageerada qalabka. Waxaad geli kartaa furahaaga ammaan meel ammaan ah meelna ma aadi doono.

Iidheh ahaan

Adeegayaasha Epic Waa VPS raqiis ah oo leh soo-saareyaal awood leh oo ka socda AMD, inta jeer ee xudunta u ah CPU ilaa 3.4 GHz. Qaabeynta ugu badan waxay kuu ogolaaneysaa inaad xalliso dhib kasta - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Nagu soo biir!

Waxaan u qornaa habraaca gelitaanka degdegga ah ee martida loo yahay SSH ee leh furayaasha qalabka

Source: www.habr.com

Add a comment