Using SSH over a UNIX socket instead of sudo to get rid of suid files

Timothee Ravier of Red Hat, maintainer of the Fedora Silverblue and Fedora Kinoite projects, has proposed a way to avoid the sudo utility, which relies on the suid bit to escalate privileges. Instead of sudo, to let an unprivileged user run commands with root privileges, he suggests using the ssh utility over a local connection to the same system through a UNIX socket, with authentication based on SSH keys.

Using ssh instead of sudo makes it possible to get rid of suid programs on the system and to run privileged commands in the host environment of distributions built on container-isolation components, such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. To restrict access further, authentication with a USB token (for example, a Yubikey) can also be used.

An example of configuring the OpenSSH server components for access over a local Unix socket (a separate sshd instance is started with its own configuration file):

/etc/systemd/system/sshd-unix.socket:

   [Unit]
   Description=OpenSSH Server Unix Socket
   Documentation=man:sshd(8) man:sshd_config(5)

   [Socket]
   ListenStream=/run/sshd.sock
   Accept=yes

   [Install]
   WantedBy=sockets.target

/etc/systemd/system/sshd-unix@.service (a template unit, since the socket uses Accept=yes and spawns one service per connection):

   [Unit]
   Description=OpenSSH per-connection server daemon (Unix socket)
   Documentation=man:sshd(8) man:sshd_config(5)
   Wants=sshd-keygen.target
   After=sshd-keygen.target

   [Service]
   ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
   StandardInput=socket

/etc/ssh/sshd_config_unix:

   # Leave only key-based authentication
   PermitRootLogin prohibit-password
   PasswordAuthentication no
   PermitEmptyPasswords no
   GSSAPIAuthentication no

   # Restrict access to selected users
   AllowUsers root adminusername

   # Use only .ssh/authorized_keys (no authorized_keys2)
   AuthorizedKeysFile .ssh/authorized_keys

   # Enable sftp
   Subsystem sftp /usr/libexec/openssh/sftp-server

Enable and start the systemd unit:

   sudo systemctl daemon-reload
   sudo systemctl enable --now sshd-unix.socket

Add your SSH public key to /root/.ssh/authorized_keys.

Setting up the SSH client.

Install the socat utility:

   sudo dnf install socat

Add an entry to ~/.ssh/config that specifies socat as the proxy for reaching the UNIX socket:

   Host host.local
       User root
       # Use /run/host/run instead of /run so that this also works from inside containers
       ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
       # Path to the SSH key
       IdentityFile ~/.ssh/keys/localroot
       # Enable TTY support for an interactive shell
       RequestTTY yes
       # Suppress unneeded output
       LogLevel QUIET

In this form, the user adminusername can already run commands as root without entering a password. Checking that it works:

   $ ssh host.local
   [root ~]#

We create a sudohost alias in bash that runs "ssh host.local" in a sudo-like manner (with no arguments it opens a root login shell in the current directory; with arguments it runs them as a command):

   sudohost() {
       if [[ ${#} -eq 0 ]]; then
           ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
       else
           ssh host.local "cd \"${PWD}\"; exec \"${@}\""
       fi
   }

Check:

   $ sudohost id
   uid=0(root) gid=0(root) groups=0(root)

We add further detail and enable two-factor authentication, allowing root access only when the Yubikey USB token is plugged in.

We check which algorithms the available Yubikey supports by reading its firmware version:

   lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

If the output is 5.2.3 or higher, use ed25519-sk when generating the key; otherwise use ecdsa-sk:

   ssh-keygen -t ed25519-sk
   or
   ssh-keygen -t ecdsa-sk

Add the public key to /root/.ssh/authorized_keys.

Add a key-type restriction to the sshd configuration, so that only security-key-backed keys are accepted (the two names are the OpenSSH identifiers for ecdsa-sk and ed25519-sk keys):

/etc/ssh/sshd_config_unix:

   PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

We restrict access to the Unix socket to only the user who may obtain elevated privileges (adminusername in our example). Add to /etc/systemd/system/sshd-unix.socket:

   [Socket]
   ...
   SocketUser=adminusername
   SocketGroup=adminusername
   SocketMode=0660
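The security of this setup rests on the sshd_config_unix settings above actually being in effect (sshd honours the first occurrence of each keyword). The following script is an added example, not part of the article or of Ravier's setup; it audits such a file against the settings listed above, using a constructed sample config.

```shell
#!/bin/sh
# Added example: audit a sshd_config_unix-style file for the hardening
# settings this setup depends on. The sample config below is constructed.

# check_sshd_unix_config FILE
# Prints one line per violated rule; returns 0 only when every rule holds.
check_sshd_unix_config() {
    cfg="$1"
    status=0
    # Each rule is "Keyword expected-value", matching the article's config.
    for rule in \
        "PermitRootLogin prohibit-password" \
        "PasswordAuthentication no" \
        "PermitEmptyPasswords no" \
        "GSSAPIAuthentication no" \
        "AuthorizedKeysFile .ssh/authorized_keys"
    do
        key="${rule%% *}"
        want="${rule#* }"
        # Keywords are case-insensitive; the first occurrence wins, as in sshd.
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "MISSING: $key (want '$want')"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG: $key is '$got' (want '$want')"
            status=1
        fi
    done
    # AllowUsers must be present and must not widen access with a wildcard.
    users=$(awk 'tolower($1) == "allowusers" { $1 = ""; print; exit }' "$cfg")
    case "$users" in
        "")    echo "MISSING: AllowUsers"; status=1 ;;
        *"*"*) echo "WRONG: AllowUsers contains a wildcard"; status=1 ;;
    esac
    return $status
}

# Constructed sample: one weakened copy of the article's config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# local-socket sshd config (constructed sample for the audit)
PermitRootLogin yes
PasswordAuthentication no
AllowUsers *
AuthorizedKeysFile .ssh/authorized_keys
EOF
check_sshd_unix_config "$sample" || echo "audit failed: fix the entries above"
rm -f "$sample"
```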

Source: opennet.ru
