Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothee Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to elevate privileges. Instead of sudo, he suggests letting an ordinary user run commands with root rights through the ssh utility, connected locally to the same system over a UNIX socket, with authorization based on SSH keys.

Using ssh instead of sudo makes it possible to remove suid programs from the system and to run privileged commands in the host environment of distributions built on container isolation components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authorization can additionally be tied to a USB token (for example, a Yubikey).

Example configuration of the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file, so the regular TCP sshd, if any, is left untouched):

/etc/systemd/system/sshd-unix.socket:

    [Unit]
    Description=OpenSSH Server Unix Socket
    Documentation=man:sshd(8) man:sshd_config(5)

    [Socket]
    ListenStream=/run/sshd.sock
    Accept=yes

    [Install]
    WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (the name must match the socket unit, since Accept=yes spawns one instance of this template per connection):

    [Unit]
    Description=OpenSSH per-connection server daemon (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

/etc/ssh/sshd_config_unix:

    # Allow key-based authentication only
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Restrict access to selected users
    AllowUsers root adminusername

    # Only use .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    # Enable sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd socket unit (this last use of sudo bootstraps the setup; the service template is activated on demand by the socket):

    sudo systemctl daemon-reload
    sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Configuring the SSH client.

Install the socat utility:

    sudo dnf install socat

Add the following to ~/.ssh/config, using socat as the proxy that connects over the UNIX socket:

    Host host.local
        User root
        # Use /run/host/run instead of /run so this also works from inside containers (toolbox)
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to the SSH key
        IdentityFile ~/.ssh/keys/localroot
        # Enable TTY support for interactive shells
        RequestTTY yes
        # Suppress unnecessary output
        LogLevel QUIET

In this form, the user adminusername can run commands as root without entering a password, and anyone who can read the private key and connect to the socket can do the same. Check that it works:

    $ ssh host.local
    [root ~]#

Create a sudohost function in bash that runs "ssh host.local", similar to sudo (each argument is quoted with printf %q so that multi-word commands and arguments containing spaces survive the remote shell; the page's original form passed "${@}" as a single quoted word):

    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            # no arguments: open an interactive root login shell in the current directory
            ssh host.local "cd $(printf '%q' "${PWD}"); exec \"${SHELL}\" --login"
        else
            # arguments: run them as root in the current directory
            ssh host.local "cd $(printf '%q' "${PWD}"); exec $(printf '%q ' "${@}")"
        fi
    }

Check:

    $ sudohost id
    uid=0(root) gid=0(root) groups=0(root)

Next, add FIDO credentials and enable a second factor, so that root login is only possible while the Yubikey USB token is inserted.

Check which algorithms the available Yubikey supports by reading its firmware version:

    lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the result is 5.2.3 or newer, use ed25519-sk when generating the key, otherwise use ecdsa-sk:

    ssh-keygen -t ed25519-sk

or

    ssh-keygen -t ecdsa-sk
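The firmware check above as a small, testable helper, added here as an example and not part of the original article. It assumes that lsusb prints bcdDevice as two BCD fields (for example "5.27" for firmware 5.2.7), which the normaliser splits into three components before comparing; verify that against your own device. The 5.2.3 threshold is the one stated above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: choose the FIDO key type for ssh-keygen from the YubiKey
# firmware version. Not from the original article.

# normalize_bcd V : "5.27" (assumed lsusb rendering of firmware 5.2.7) -> "5.2.7";
# dotted three-part versions pass through unchanged
normalize_bcd() {
    case "$1" in
        *.*.*) printf '%s\n' "$1" ;;
        *.??)  _minor="${1#*.}"
               printf '%s.%s.%s\n' "${1%%.*}" "${_minor%?}" "${_minor#?}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# version_ge A B : succeed if dotted version A >= B, comparing each component
# numerically (a plain string compare would rank 5.10.0 below 5.2.3)
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai="${_a%%.*}"; _bi="${_b%%.*}"
        case "$_a" in *.*) _a="${_a#*.}" ;; *) _a="" ;; esac
        case "$_b" in *.*) _b="${_b#*.}" ;; *) _b="" ;; esac
        _ai="${_ai:-0}"; _bi="${_bi:-0}"
        if [ "$_ai" -gt "$_bi" ]; then return 0; fi
        if [ "$_ai" -lt "$_bi" ]; then return 1; fi
    done
    return 0
}

# pick_sk_keytype VERSION : ed25519-sk for firmware 5.2.3 and newer, else ecdsa-sk
pick_sk_keytype() {
    if [ -z "$1" ]; then
        echo "no YubiKey firmware version given" >&2
        return 1
    fi
    if version_ge "$(normalize_bcd "$1")" 5.2.3; then
        echo ed25519-sk
    else
        echo ecdsa-sk
    fi
}

# yubikey_firmware_version : the article's lsusb pipeline, first device only
yubikey_firmware_version() {
    lsusb -v 2>/dev/null | grep -A2 Yubico | grep bcdDevice | awk '{print $2}' | head -n 1
}

# Usage (interactive, needs a plugged-in YubiKey):
#   ssh-keygen -t "$(pick_sk_keytype "$(yubikey_firmware_version)")" -f ~/.ssh/keys/localroot
```

Keep the generated key under the path named by IdentityFile in ~/.ssh/config so the existing client configuration picks it up.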

Add the new public key to /root/.ssh/authorized_keys (the earlier non-FIDO key can be removed once the following restriction is in place).

Restrict the accepted key types in the sshd configuration so that only FIDO-backed keys can authenticate (on OpenSSH 8.5 and newer the option is called PubkeyAcceptedAlgorithms; PubkeyAcceptedKeyTypes is kept as an alias). This applies to every user listed in AllowUsers, so keys without a token stop working:

/etc/ssh/sshd_config_unix:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Restrict access to the Unix socket to the one user who may elevate privileges (adminusername in our example). In /etc/systemd/system/sshd-unix.socket add:

    [Socket]
    ...
    SocketUser=adminusername
    SocketGroup=adminusername
    SocketMode=0660

Without this, systemd creates the socket with mode 0666 and every local account can reach the privileged sshd; key authentication still has to succeed, but the socket should not be exposed more widely than necessary.
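An offline audit of the finished setup, added here as an example and not part of the original article. It checks the sshd fragment for the password-free, user-restricted settings shown above, checks the socket unit for a filesystem path with a SocketUser and a mode that grants nothing to "other", and lists the setuid/setgid files that remain candidates for removal once sudo is gone. Default paths are the article's; the function names and the audit_sudoless entry point are this example's own.

```shell
#!/bin/sh
# Added example: audit the sudo-less SSH-over-Unix-socket setup. Not from the
# original article.

# sshd_opt FILE KEYWORD : first effective value of KEYWORD, with sshd_config
# semantics (keyword match is case-insensitive, first occurrence wins,
# comment lines are skipped because their first field starts with '#')
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# unit_opt FILE KEY : value of KEY= in a systemd unit (last occurrence wins)
unit_opt() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# check_sshd_config FILE : print one line per violation, return their number
check_sshd_config() {
    _f="$1"; _n=0
    for _pair in "PasswordAuthentication=no" "PermitEmptyPasswords=no" \
                 "PermitRootLogin=prohibit-password" "GSSAPIAuthentication=no"; do
        _k="${_pair%%=*}"; _want="${_pair#*=}"
        _got="$(sshd_opt "$_f" "$_k")"
        if [ "$_got" != "$_want" ]; then
            echo "$_f: $_k is '${_got:-unset}', want '$_want'"; _n=$((_n + 1))
        fi
    done
    if [ -z "$(sshd_opt "$_f" AllowUsers)" ]; then
        echo "$_f: AllowUsers is unset, any account with a key could log in"; _n=$((_n + 1))
    fi
    return $_n
}

# check_socket_unit FILE : the socket must be a filesystem path, owned by the
# admin account, and not world-accessible (systemd's default mode is 0666)
check_socket_unit() {
    _f="$1"; _n=0
    case "$(unit_opt "$_f" ListenStream)" in
        /*) ;;
        *)  echo "$_f: ListenStream is not a filesystem path"; _n=$((_n + 1)) ;;
    esac
    if [ -z "$(unit_opt "$_f" SocketUser)" ]; then
        echo "$_f: SocketUser is unset, socket would be owned by root"; _n=$((_n + 1))
    fi
    _mode="$(unit_opt "$_f" SocketMode)"
    case "${_mode:-0666}" in
        *0) ;;
        *)  echo "$_f: SocketMode '${_mode:-0666}' grants access to other users"; _n=$((_n + 1)) ;;
    esac
    return $_n
}

# list_setuid ROOT : setuid/setgid regular files under ROOT (same filesystem)
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_sudoless [SSHD_CONFIG] [SOCKET_UNIT] [ROOT] : run every check,
# return the total number of violations (0 means the setup matches the article)
audit_sudoless() {
    _cfg="${1:-/etc/ssh/sshd_config_unix}"
    _sock="${2:-/etc/systemd/system/sshd-unix.socket}"
    _root="${3:-/}"
    _bad=0
    check_sshd_config "$_cfg" || _bad=$((_bad + $?))
    check_socket_unit "$_sock" || _bad=$((_bad + $?))
    echo "setuid/setgid files under $_root (removal candidates once sudo is gone):"
    list_setuid "$_root" | sed 's/^/  /'
    return $_bad
}

# Usage: sh audit.sh [sshd_config_unix] [sshd-unix.socket] [root]
if [ $# -gt 0 ]; then
    audit_sudoless "$@"
fi
```

Run it as root (or through sudohost) because /etc/ssh/sshd_config_unix is normally not world-readable; a non-zero exit status means at least one of the settings above is missing or weaker than shown.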

Source: opennet.ru
