UTimothee Ravier ovela kwiRed Hat, umgcini weeprojekthi zeFedora Silverblue kunye neFedora Kinoite, ucebise indlela yokuphepha ukusebenzisa i-sudo utility, esebenzisa i-suid bit ukunyusa amalungelo. Endaweni ye-sudo, kumsebenzisi oqhelekileyo ukwenza imiyalelo enamalungelo engcambu, kucetywa ukuba kusetyenziswe into eluncedo ye-ssh ngodibaniso lobulali kwindlela efanayo ngokusebenzisa isokethi ye-UNIX kunye noqinisekiso lweemvume ezisekelwe kwizitshixo ze-SSH.
Ukusebenzisa i-ssh endaweni ye-sudo ikuvumela ukuba ulahle iinkqubo ze-suid kwisixokelelwano kwaye wenze ukuphunyezwa kwemiyalelo enelungelo kwindawo yokusingatha unikezelo olusebenzisa amacandelo okuhlala wedwa, njengeFedora Silverblue, Fedora Kinoite, Fedora Sericea kunye neFedora Onyx. Ukukhawulela ukufikelela, ukuqinisekiswa kwegunya usebenzisa ithokheni ye-USB (umzekelo, i-Yubikey) ingasetyenziswa ukongezwa.
Umzekelo wokuqwalasela amalungu eseva ye-OpenSSH yofikelelo ngokusebenzisa i-Unix socket (umzekelo we-sshd owahlukileyo uya kusungulwa ngefayile yoqwalaselo lwayo):
/etc/systemd/system/sshd-unix.socket: [Iyunithi] Inkcazo=UXwebhu lweSokethi yeServer ye-OpenSSH ye-Unix=man:sshd(8) indoda:sshd_config(5) [Isokethi] ListenStream=/run/sshd.sock Yamkela=ewe [Faka] WantedBy=sockets.target
/ njl / inkqubo / inkqubo /[imeyile ikhuselwe]: [Iyunithi] Inkcazelo=Vula i-daemon yeseva yoqhagamshelo lweSSH nganye (isiseko se-Unix) Uxwebhu=man:sshd(8) indoda:sshd_config(5) Wants=sshd-keygen.target After=sshd-keygen.target [INkonzo] ExecStart=- /usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix StandardInput=socket
/etc/ssh/sshd_config_unix: # Ishiya kuphela isitshixo sobungqinisiso PermitRootLogin prohibit-passwordAuthentication no PermitEmptyPasswords no GSSAPIAuthentication hayi # inqanda ukufikelela kubasebenzisi abakhethiweyo VumelaUsers ingcambu igama lomsebenzisi # Ishiya kuphela ukusetyenziswa kwe-Author-outkey/author-outkey. izedKeysFile .ssh / izitshixo_ ezigunyazisiweyo # yenza i-sftp iSubsystem sftp /usr/libexec/openssh/sftp-server
Vula kwaye uqalise iyunithi yenkqubo: sudo systemctl daemon-reload sudo systemctl yenza-ngoku sshd-unix.socket
Yongeza isitshixo sakho se-SSH kwi/root/.ssh/authorized_keys
Ukumisela umxhasi we-SSH.
Faka i-socat eluncedo: sudo dnf faka i-socat
Siyongeza /.ssh/config ngokucacisa i-socat njengommeli wofikelelo nge-socket ye-UNIX: I-host host.ingcambu yomsebenzisi wendawo # Sebenzisa /qhuba/inginginya/lenza endaweni ye/leqe ukusebenza kwizikhongozeli ze-ProxyCommand socat - UNIX-CLIENT: / run/ host/run/sshd.sock # Indlela eya kwisitshixo se-SSH ye-IdentityFile ~/.ssh/izitshixo/i-localroot # Yenza inkxaso ye-TTY yeqokobhe elisebenzisanayo RequestTTY ewe # Susa isiphumo esingeyomfuneko LogLevel QUIET
Kwimo yayo yangoku, igama lomsebenzisi lomsebenzisi liza kukwazi ngoku ukwenza imiyalelo njengengcambu ngaphandle kokungenisa igama eligqithisiweyo. Ijonga umsebenzi: $ ssh host.local [ingcambu ~]#
Senza i-sudohost alias kwi-bash ukusebenzisa "ssh host.local", efana ne-sudo: sudohost () {ukuba [[ ${#} -eq 0]]; emva koko ssh host.local "cd \"${PWD}\"; yenza \"${SHELL}\" --ngena" kwenye i-ssh host.local "cd \"${PWD}\"; exec \»${@}\»» fi }
Khangela: $ sudohost id uid=0(ingcambu) gid=0(ingcambu) amaqela=0(ingcambu)
Songeza iziqinisekiso kwaye sivumele ukuqinisekiswa kwezinto ezimbini, ukuvumela ukufikelela kweengcambu kuphela xa ithokheni ye-Yubikey USB ifakiwe.
Sijonga ukuba yeyiphi i-algorithms exhaswa yiYubikey ekhoyo: lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'
Ukuba imveliso yi-5.2.3 okanye ngaphezulu, sebenzisa i-ed25519-sk xa usenza izitshixo, kungenjalo sebenzisa i-ecdsa-sk: ssh-keygen -t ed25519-sk okanye ssh-keygen -t ecdsa-sk
Yongeza isitshixo sikawonke-wonke kwi-/root/.ssh/authorized_keys
Yongeza uhlobo olungundoqo olubophelelayo kuqwalaselo lwe-sshd: /etc/ssh/sshd_config_unix: PubkeyAcceptedKeyTypes [imeyile ikhuselwe],[imeyile ikhuselwe]
Sinqanda ukufikelela kwi-socket ye-Unix kuphela kumsebenzisi onokuba namalungelo aphakanyisiweyo (kumzekelo wethu, igama lomsebenzisi). Kwi /etc/systemd/system/sshd-unix.socket yongeza: [Isokethi] ... SocketUser=adminusername SocketGroup=adminusername SocketMode=0660
umthombo: opennet.ru