Using SSH over a UNIX socket instead of sudo to get rid of suid binaries

Timothée Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid using the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, a regular user who needs to run commands with root privileges is advised to use the ssh utility with a local connection to the same system over a UNIX socket, authenticated with SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the base environment of distributions built on atomic-update components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, two-factor authentication with a USB token (for example, a Yubikey) can be used as well.

Example of configuring the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (the per-connection template that Accept=yes in the socket unit requires):

    [Unit]
    Description=OpenSSH per-connection daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Leave only key-based authentication
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to selected users
    AllowUsers root adminusername

    # Leave only .ssh/authorized_keys in use
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client.

Install the socat utility:

    sudo dnf install socat

Append to ~/.ssh/config, specifying socat as the proxy for access over the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so that this also works from inside containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for an interactive shell
        RequestTTY yes
        # Suppress unnecessary output
        LogLevel QUIET

In this form, the user adminusername can now run commands as root without entering a password. Checking that it works:

    $ ssh host.local
    [root ~]#

Create a sudohost function in bash that runs "ssh host.local", as a replacement for sudo (each argument is quoted with printf %q so that arguments containing spaces or shell metacharacters arrive at the remote shell intact, since ssh joins its arguments with spaces):

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            # No arguments: open an interactive root login shell in the current directory
            ssh host.local "cd $(printf '%q' "${PWD}"); exec \"${SHELL}\" --login"
        else
            # Run the given command as root in the current directory
            ssh host.local "cd $(printf '%q' "${PWD}"); exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

Additionally, enable two-factor authentication so that root access is possible only while the Yubikey USB token is inserted.

Check which algorithms the connected Yubikey supports:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk

or

    ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Enforce the security-key types in the sshd configuration, /etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Restrict access to the Unix socket to the one user who is allowed to obtain elevated privileges (adminusername in our example). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660
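The sshd_config_unix settings above and the socket-unit restrictions just described are the two places where this setup can silently lose its hardening (a socket unit without SocketMode is created with systemd's default 0666, so every local user could reach the root sshd). The following script is an added example, not code from the article or from Timothée Ravier's setup: it parses both files with the same rules sshd and systemd use (case-insensitive first-match keywords for sshd, [Section] KEY=value for the unit) and reports each missing restriction. It writes constructed weak and hardened sample pairs so it runs offline; "adminusername", the paths and file names are the article's examples, while the set of checks is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the article or of Timothée Ravier's setup:
# audits the per-socket sshd config (sshd_config_unix) and the systemd
# socket unit for the hardening the article describes. write_samples
# creates constructed weak and hardened pairs under DIR so the audit can
# be exercised offline.

# sshd_option FILE KEYWORD: print KEYWORD's value (keywords are
# case-insensitive and the first match wins, as in sshd); empty if unset.
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# unit_option FILE SECTION KEY: print the value of KEY= inside [SECTION].
unit_option() {
    awk -v s="[$2]" -v k="$3" \
        '/^\[/ { in_s = ($0 == s); next }
         in_s && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

fail() { echo "FAIL: $*"; AUDIT_RC=1; }

# audit_setup CONFIG SOCKET_UNIT: print one line per finding, return 0 only
# when every check passes.
audit_setup() {
    AUDIT_RC=0
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] \
        || fail "$1: PasswordAuthentication must be no (key-only login)"
    case $(sshd_option "$1" PermitRootLogin) in
        prohibit-password|without-password) ;;
        *) fail "$1: PermitRootLogin should be prohibit-password" ;;
    esac
    [ -n "$(sshd_option "$1" AllowUsers)" ] \
        || fail "$1: AllowUsers not set, any account with a key on the host may log in"
    [ "$(unit_option "$2" Socket Accept)" = yes ] \
        || fail "$2: Accept=yes is required for the per-connection sshd-unix@.service"
    [ -n "$(unit_option "$2" Socket SocketUser)" ] \
        || fail "$2: SocketUser not set, the socket is created root-owned"
    case $(unit_option "$2" Socket SocketMode) in
        0660|0600) ;;
        '') fail "$2: SocketMode not set, systemd defaults to 0666 (every local user can connect)" ;;
        *) fail "$2: SocketMode is not 0660" ;;
    esac
    return $AUDIT_RC
}

# write_samples DIR: constructed sample pairs (weak/ and hardened/) for the audit.
write_samples() {
    mkdir -p "$1/weak" "$1/hardened"
    cat > "$1/weak/sshd_config_unix" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    cat > "$1/weak/sshd-unix.socket" <<'EOF'
[Unit]
Description=OpenSSH Server Unix Socket
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
[Install]
WantedBy=sockets.target
EOF
    cat > "$1/hardened/sshd_config_unix" <<'EOF'
# key-based authentication only
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication no
AllowUsers root adminusername
AuthorizedKeysFile .ssh/authorized_keys
EOF
    cat > "$1/hardened/sshd-unix.socket" <<'EOF'
[Unit]
Description=OpenSSH Server Unix Socket
[Socket]
ListenStream=/run/sshd.sock
Accept=yes
SocketUser=adminusername
SocketGroup=adminusername
SocketMode=0660
[Install]
WantedBy=sockets.target
EOF
}

# Demo run over the constructed pairs: weak prints findings, hardened prints PASS
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for variant in weak hardened; do
    if audit_setup "$demo_dir/$variant/sshd_config_unix" "$demo_dir/$variant/sshd-unix.socket"; then
        echo "$variant: PASS"
    fi
done
```

To audit a live system, call audit_setup with /etc/ssh/sshd_config_unix and /etc/systemd/system/sshd-unix.socket; a non-zero exit means at least one of the restrictions from the setup above is missing.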

Source: opennet.ru
