An emergency access procedure for SSH hosts using hardware keys


In this post we'll build an emergency access procedure for SSH hosts using hardware security keys, working offline. This is just one approach, and you can adapt it to your needs. We'll keep the SSH certificate authority for our hosts on a hardware security key. The scheme works with almost any OpenSSH setup, including SSH with single sign-on.

Why all this? Well, it's a last resort: a backdoor that lets you get into your server when, for whatever reason, nothing else works.

Why use certificates rather than plain public/private key pairs for emergency access?

  • Unlike public keys, certificates can have a very short lifetime. You can issue a certificate valid for one minute, or even five seconds. Once it expires it is useless for new connections (sessions that are already open are not cut off, since sshd checks validity only at authentication). That's ideal for emergency access.
  • You can issue a certificate for any account on your hosts and, if necessary, hand a "one-time" certificate to a colleague.

What you need

  • Hardware security keys that support resident keys.
    A resident key is a cryptographic key stored entirely on the security key itself, typically protected by an alphanumeric PIN. The public half of a resident key, optionally together with the private key handle, can be exported from the security key. USB keys in the Yubikey 5 series support resident keys, for example. It's advisable to dedicate these keys to emergency host access and nothing else. In this post I use a single key, but you should have a second one as a backup.
  • A secure place to keep those keys.
  • OpenSSH 8.2 or newer on your workstation and on the servers you want emergency access to (8.2 is the first release that understands the sk-* key types, and the server must be able to verify the CA's signatures). Ubuntu 20.04 ships with OpenSSH 8.2.
  • (optional, but recommended) A CLI tool for inspecting certificates. Below I use step from smallstep; ssh-keygen -L -f <cert> shows the same fields.

Preparation

First, create the certificate authority that will live on the hardware security key. Insert the key and run:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

As the comment (-C) I put the security key's identifier, so I won't forget which security key this certificate authority belongs to.

Besides adding a key to the Yubikey, two files are generated locally:

  1. sk-user-ca, a key handle that refers to the private key stored on the security key,
  2. sk-user-ca.pub, which becomes your certificate authority's public key.

Don't worry: sk-user-ca is not the private key. The private key itself lives on the Yubikey and cannot be extracted, so a leaked handle file is useless without physical possession of the key (plus its PIN and a touch). That is what makes the scheme trustworthy.

On the hosts, as root, add the following (if it's not there already) to the sshd configuration (/etc/ssh/sshd_config):

TrustedUserCAKeys /etc/ssh/ca.pub

Then, still on the host, put the CA public key (the contents of sk-user-ca.pub) into /etc/ssh/ca.pub.

Restart the daemon (run sshd -t first to validate the configuration; a typo here locks you out of new sessions, which is exactly what this procedure is meant to survive):

# /etc/init.d/ssh restart

Now we can try to reach the host. But first we need a certificate. Create the key pair the certificate will be bound to:

$ ssh-keygen -t ecdsa -f emergency

Certificates and SSH key pairs
It's sometimes tempting to think of a certificate as a login credential that replaces the public/private key pair. But a certificate alone proves nothing: every certificate has a private key bound to it. That's why we generate these "emergency" keys before issuing a certificate for them. What matters is that we present the signed certificate to the server, the certificate names the key pair whose private key we hold, and the server then challenges us to prove possession of that private key.

So the public-key exchange is still alive and well, certificates included. What certificates remove is the need for the server to store individual public keys: it only has to trust the CA's public key.

Next, create the certificate itself. I want authorization as the ubuntu user for a 10-minute window. Adjust to taste.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

You'll be prompted to confirm the signature on the security key (a touch, or a fingerprint on biometric models). The -V -5m:+5m window starts five minutes in the past so that a server whose clock runs slightly behind still accepts the certificate immediately. You can list additional usernames separated by commas, e.g. -n ubuntu,carl,ec2-user. Note that without any -O options the certificate gets every permit-* extension by default; for an emergency credential consider -O no-port-forwarding and the other no-* options.
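The -V window above is the whole security argument for the emergency certificate, so it's worth knowing exactly which timestamps ssh-keygen will write. The following Python helper is an added example (not from the original post and not ssh-keygen's own code): it computes the valid_after/valid_before pair for a -V value following the syntax documented in ssh-keygen(1), including the backdating ssh-keygen applies to a lone "+offset". Absolute timestamps are taken as UTC here, a simplification; ssh-keygen interprets them in local time. The function names are this example's own.

```python
"""Compute the (valid_after, valid_before) window that ssh-keygen -V writes into a
certificate, so an emergency certificate's lifetime can be checked before it is issued.
Added example for this post, not ssh-keygen's own code. It follows the documented -V
syntax: "start:end" with relative offsets (-5m, +52w1d, bare seconds), absolute
YYYYMMDD[HHMM[SS]] stamps, the words always/forever, or a single "+offset" meaning
"from now until". Absolute stamps are taken as UTC here (a simplification; ssh-keygen
uses local time)."""
import re
from datetime import datetime, timezone

FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before for "forever"
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
RELATIVE = re.compile(r"^(?:\d+[smhdw]?)+$")
PART = re.compile(r"(\d+)([smhdw]?)")


def relative_seconds(spec):
    """'5m' -> 300, '52w1d' -> 31536000, '300' -> 300 (bare numbers are seconds)."""
    if not RELATIVE.match(spec):
        raise ValueError("bad relative time: " + spec)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in PART.findall(spec))


def absolute_epoch(spec):
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return int(datetime.strptime(spec, fmt).replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            continue
    raise ValueError("bad absolute time: " + spec)


def validity_window(interval, now):
    """Return (valid_after, valid_before) as epoch seconds for an ssh-keygen -V value."""
    if ":" not in interval:
        # A lone "+offset" means from now until now+offset. ssh-keygen backdates the start to
        # the previous whole minute so a host whose clock runs a little slow accepts it at once.
        if not interval.startswith("+"):
            raise ValueError("a single value must be a +offset, got " + interval)
        return ((now - 59) // 60) * 60, now + relative_seconds(interval[1:])
    start, end = interval.split(":", 1)
    if start == "always":
        after = 0
    elif start.startswith("-"):
        after = now - relative_seconds(start[1:])
    else:
        after = absolute_epoch(start)
    if end == "forever":
        before = FOREVER
    elif end.startswith("+"):
        before = now + relative_seconds(end[1:])
    else:
        before = absolute_epoch(end)
    if before <= after:
        raise ValueError("empty validity window: " + interval)
    return after, before


def describe(interval, now):
    """One-line summary for a pre-issue sanity check of an emergency certificate."""
    after, before = validity_window(interval, now)
    life = "unbounded" if before == FOREVER else "%d s" % (before - after)
    return "valid_after=%d valid_before=%d lifetime=%s" % (after, before, life)


if __name__ == "__main__":
    import time
    for spec in ("-5m:+5m", "+60m", "-1d:20300101", "always:forever"):
        print(spec.ljust(16), describe(spec, int(time.time())))
```

The difference between "-5m:+5m" and a lone "+5m" is the point: the first gives a 10-minute window centred on now, the second a window that starts at most a minute ago and ends in five minutes, so a server with a clock that is a few minutes slow will reject the second one.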

That's it, you now have a certificate! Next, set appropriate permissions:

$ chmod 600 emergency-cert.pub

After that, you can look at the contents of your certificate:

$ step ssh inspect emergency-cert.pub

Here's what mine looks like:

emergency-cert.pub
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Here the public key is the emergency key we just created, and the signing CA is sk-user-ca (compare its fingerprint with the output of ssh-keygen -lf sk-user-ca.pub).
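To see what step ssh inspect is actually reading, and to check an emergency certificate the way sshd will before you try to log in with it, here is an added Python example (not from the original post, and not OpenSSH code). It decodes the OpenSSH certificate wire format and applies sshd's acceptance checks: user-certificate type, signing CA among the TrustedUserCAKeys fingerprints, login name among the principals, and the validity window, plus hygiene notes on lifetime and forwarding extensions. Signature verification is left to sshd. build_sample_cert produces a constructed certificate with placeholder EC points and a placeholder signature so the code runs offline; on a real host, feed parse_cert the line from emergency-cert.pub instead. Names such as check_cert and RISKY_EXTENSIONS are this example's own.

```python
"""Decode an OpenSSH certificate line (emergency-cert.pub) and apply the checks sshd makes
before accepting it under TrustedUserCAKeys: type, trusted signing CA, principal, validity
window. The signature is not verified here (that needs the CA public key and is sshd's job).
Added example for this post, not code from the article or OpenSSH; the sample certificate is
built from placeholder key bytes and a placeholder signature, so it is not really signed."""
import base64, hashlib, struct, time

USER_CERT = 1
# Public-key fields that follow the nonce, per certificate type (OpenSSH PROTOCOL.certkeys).
CERT_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": ("pk",),
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": ("curve", "pk"),
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": ("curve", "pk", "application"),
}
# Extensions an emergency certificate rarely needs, with the ssh-keygen -O flag that drops each.
RISKY_EXTENSIONS = {"permit-agent-forwarding": "no-agent-forwarding",
                    "permit-port-forwarding": "no-port-forwarding", "permit-X11-forwarding": "no-x11-forwarding"}

def put_string(b):
    return struct.pack(">I", len(b)) + b

class Reader:  # cursor over the SSH wire encoding: big-endian uint32/uint64, length-prefixed strings
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate blob")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def eof(self): return self.pos >= len(self.data)

def parse_list(blob, with_value):
    # Principals are bare strings; options/extensions are (name, data) pairs, data empty for flags.
    r, out = Reader(blob), {} if with_value else []
    while not r.eof():
        name = r.string().decode()
        if with_value:
            data = r.string()
            out[name] = Reader(data).string().decode() if data else ""
        else:
            out.append(name)
    return out

def fingerprint(key_blob):  # the SHA256 form that ssh-keygen -l and step ssh inspect print
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def parse_cert(line):
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in CERT_KEY_FIELDS:
        raise ValueError("expected '<cert-type> <base64> [comment]' with a known certificate type")
    cert_type = parts[0]
    r = Reader(base64.b64decode(parts[1]))
    if r.string().decode() != cert_type:
        raise ValueError("type outside the blob does not match the type inside it")
    r.string()  # nonce: CA-chosen random bytes that defeat hash-collision attacks on the signature
    key_fields = [r.string() for _ in CERT_KEY_FIELDS[cert_type]]
    serial, ctype, key_id = r.u64(), r.u32(), r.string().decode()
    principals = parse_list(r.string(), False)
    valid_after, valid_before = r.u64(), r.u64()
    critical, extensions = parse_list(r.string(), True), parse_list(r.string(), True)
    r.string()  # reserved, empty in v01
    signature_key = r.string()  # followed by the signature, which sshd verifies against this key
    # "Public key" in the inspect output is the plain key's fingerprint: same fields, plain type name.
    plain_type = cert_type.replace("-cert-v01@openssh.com", "@openssh.com" if cert_type.startswith("sk-") else "")
    plain_key = put_string(plain_type.encode()) + b"".join(put_string(f) for f in key_fields)
    return {"type": cert_type, "cert_type": ctype, "serial": serial, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before,
            "critical": critical, "extensions": extensions,
            "public_key_fp": fingerprint(plain_key), "signing_ca_fp": fingerprint(signature_key)}

def check_cert(cert, login_name, trusted_ca_fps, now=None):
    """(accepted, problems, notes): problems are what sshd rejects on; notes are hygiene points."""
    now = int(time.time()) if now is None else now
    problems, notes = [], []
    if cert["cert_type"] != USER_CERT:
        problems.append("not a user certificate")
    if cert["signing_ca_fp"] not in trusted_ca_fps:
        problems.append("signing CA %s is not in TrustedUserCAKeys" % cert["signing_ca_fp"])
    if login_name not in cert["principals"]:  # an empty principal list matches nobody
        problems.append("login name %r is not a listed principal" % login_name)
    if not cert["valid_after"] <= now < cert["valid_before"]:  # valid_before is exclusive
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > 3600:
        notes.append("lifetime exceeds an hour; the post issues certificates for minutes")
    notes += ["%s is enabled; issue with -O %s unless it is needed" % (e, f)
              for e, f in RISKY_EXTENSIONS.items() if e in cert["extensions"]]
    return not problems, problems, notes

def build_sample_cert(valid_after, valid_before, principals, extensions):
    """Constructed ecdsa-sha2-nistp256 user certificate shaped like the post's emergency-cert.pub,
    carrying a placeholder sk-ecdsa CA key like sk-user-ca; EC points and signature are dummies."""
    cert_type = b"ecdsa-sha2-nistp256-cert-v01@openssh.com"
    ca_key = (put_string(b"sk-ecdsa-sha2-nistp256@openssh.com") + put_string(b"nistp256")
              + put_string(b"\x04" + b"\x22" * 64) + put_string(b"ssh:"))
    body = (put_string(cert_type) + put_string(b"\x00" * 32)                     # type, nonce
            + put_string(b"nistp256") + put_string(b"\x04" + b"\x11" * 64)       # curve, point
            + struct.pack(">QI", 0, USER_CERT) + put_string(b"test-key")         # serial, type, key id
            + put_string(b"".join(put_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + put_string(b"")    # window, no critical opts
            + put_string(b"".join(put_string(e.encode()) + put_string(b"") for e in extensions))
            + put_string(b"") + put_string(ca_key) + put_string(b"\x00" * 72))   # reserved, CA key, sig
    return cert_type.decode() + " " + base64.b64encode(body).decode() + " emergency"
```

On a host, compare the signing_ca_fp that parse_cert reports with ssh-keygen -lf /etc/ssh/ca.pub: a mismatch (typically the wrong line copied out of ssh-add -L) is the usual reason a freshly issued emergency certificate is rejected, and the server log only says the public key was refused.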

Finally we're ready to run the SSH command:


$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

  1. You can now issue certificates for any user on any host that trusts your certificate authority.
  2. You can delete the emergency key pair. You may keep sk-user-ca, but you don't need to, since it's also on the security key. You may also want to remove the original public key from your hosts (e.g. from ~/.ssh/authorized_keys for the ubuntu user) if you were relying on it for emergency access.

Emergency Access: Action Plan

Plug in the security key and run:

$ ssh-add -K

This loads the certificate authority's public key and key handle from the security key into the SSH agent.

Now export the public key, which you'll need to create the certificate:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Create a certificate with a short expiry, e.g. no more than an hour. The tail -1 above assumes the CA is the last key the agent lists, so check that sk-user-ca.pub begins with sk-ecdsa-sha2-nistp256@openssh.com before signing with it:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

And now SSH in again:

$ ssh -i emergency username@host

If your .ssh/config gets in the way when connecting, run ssh with -F none to bypass it. If you need to send the certificate to a colleague, the simplest and most secure option is Magic Wormhole. Only two files are needed: in our case, emergency and emergency-cert.pub.

What I like about this approach is the hardware backing. You can lock your security keys in a safe and they aren't going anywhere.



Source: www.habr.com
