Timothee Ravier oo ka socda Koofiyada Cas, oo ah ilaaliye mashaariicda Fedora Silverblue iyo Fedora Kinoite, ayaa soo jeediyay hab looga fogaado isticmaalka sudo utility, kaas oo isticmaala xoogaa suid ah si kor loogu qaado mudnaanta. Halkii laga heli lahaa sudo, isticmaale caadi ah si uu u fuliyo amarrada leh xuquuqda xididka, waxaa la soo jeediyay in la isticmaalo utility ssh xiriir maxalli ah oo la mid ah nidaamka iyada oo loo marayo godka UNIX iyo xaqiijinta ogolaanshaha ku salaysan furayaasha SSH.
Isticmaalka ssh halkii sudo waxay kuu ogolaaneysaa inaad ka takhalusto barnaamijyada suid ee nidaamka oo aad awood u yeelatid fulinta amarada mudnaanta leh ee deegaanka martida loo yahay ee qaybinta isticmaala qaybaha go'doominta weelka, sida Fedora Silverblue, Fedora Kinoite, Fedora Sericea iyo Fedora Onyx. Si loo xaddido gelitaanka, xaqiijinta awoodda iyadoo la adeegsanayo calaamadda USB (tusaale, Yubikey) ayaa sidoo kale la isticmaali karaa.
Tusaalaha habaynta qaybaha server-ka OpenSSH si loogu galo godka Unix ee maxaliga ah (tusaale sshd gaar ah ayaa lagu bilaabi doonaa faylka qaabeynta):
/etc/systemd/system/sshd-unix.socket: [Unit] Description=OpenSSH Server Unix Socket Documentation=man:sshd(8) man:sshd_config(5) [Socket] ListenStream=/run/sshd.sock Oggolaan=haa [Install] WantedBy=sockets. target
/ iwm / systemd / system /[emailka waa la ilaaliyay]: [Unit] Description=OpenSSH per-connection server daemon (Unix socket) Documentation=man:sshd(8) man:sshd_config(5) Wants=sshd-keygen.target After=sshd-keygen.target [Service] ExecStart=- /usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix StandardInput=socket
/etc/ssh/sshd_config_unix: # Waxa uu ka tagayaa oo kaliya xaqiijinta furaha PermitRootLogin prohibit-password PasswordAuthentication no PermitEmptyPasswords maya GSSAPIAuthentication maya ssh /furaha_ idman # awood sftp Subsystem sftp /usr/libexec/openssh/sftp-server
Daar oo bilow unugga systemd: sudo systemctl daemon-reload sudo systemctl karti β hadda sshd-unix.socket
Ku dar furahaaga SSH /root/.ssh/authorized_keys
Dejinta macmiilka SSH
Ku rakib socat utility: sudo dnf install socat
Waxaan ku kordhinaa /.ssh/config annagoo ku tilmaamayna socat inuu yahay wakiil loogu talagalay gelitaanka UNIX socket: Host host.Local User root # Isticmaal /orod/host/orod halkii aad ka shaqayn lahayd weelasha ProxyCommand socat - UNIX-CLIENT: / run/host/run/sshd.sock # Jidka loo maro furaha SSH Aqoonsiga File ~/.ssh/furayaasha/localroot
Qaabkeeda hadda, maamulaha isticmaaleha ayaa hadda awood u yeelan doona inuu fuliyo amarrada xididka isagoon gelin furaha sirta ah. Hubinta hawlgalka: $ ssh host.local [xidid ~]#
Waxaan abuurnaa sudohost alias in bash si aan u socodsiino "ssh host.local", oo la mid ah sudo: sudohost () {if [[${#} -eq 0]]; ka dib ssh host.local "cd \"${PWD}\"; exec \"${SHELL} \" --login" kale ssh host.local "cd \"${PWD}\"; exec \Β»${@}\Β» fi }
Hubi: $ sudohost id uid = 0 (xidid) gid = 0 (xidid) kooxaha = 0 (xidid)
Waxaan ku darnaa aqoonsiyo oo aan awoodno xaqiijinta laba-factor, taasoo u oggolaanaysa helitaanka xididka kaliya marka la geliyo calaamadda USB Yubikey.
Waxaan hubinaa algorithms-yada uu taageeray Yubikey jira: lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'
Haddii wax soo saarku yahay 5.2.3 ama ka weyn, isticmaal ed25519-sk marka aad furaha soo saarayso, haddii kale isticmaal ecdsa-sk: ssh-keygen -t ed25519-sk ama ssh-keygen -t ecdsa-sk
Wuxuu ku daraa furaha dadweynaha /root/.ssh/authorized_keys
Kudar nooca muhiimka ah ee ku xidhan qaabka sshd: /etc/ssh/sshd_config_unix: PubkeyAcceptedKeyTypes [emailka waa la ilaaliyay],[emailka waa la ilaaliyay]
Waxaan xaddidnaa gelitaanka godka Unix ee isticmaalaha kaliya ee yeelan kara mudnaanta sare (tusaale ahaan magaca maamulaha). Gudaha /etc/systemd/system/sshd-unix.socket ku dar: [Socket] ... SocketUser=adminusername SocketGroup=adminusername SocketMode=0660
Source: opennet.ru