Sudo without setuid binary or SSH on a Unix socket
In this post, I will detail how to replace sudo (a setuid binary) by using SSH over a local UNIX socket.

I am of the opinion that setuid/setgid binaries are a UNIX legacy that should be obsolete. I will explain the security reasons behind that statement in a future post.

This is related to the work of the Confined Users SIG in Fedora.

Why bother?

The main advantage of this approach is that it allows root access to the host from any unprivileged toolbox / distrobox container. This is particularly useful on Fedora Atomic Desktops (Silverblue, Kinoite, Sericea, Onyx) or Universal Blue (Bluefin, Bazzite), for example.

As a side effect of this setup, we also get the following security advantages:

- No longer rely on sudo as a setuid binary for privileged operations.
- Access control via a physical hardware token (here a Yubikey) for each privileged operation.

Setting up the server

    [Unit]
    Description=OpenSSH server daemon per connection (Unix socket)
    Documentation=man:sshd(8) man:sshd_config(5)
    Wants=sshd-keygen.target
    After=sshd-keygen.target

    [Service]
    ExecStart=-/usr/sbin/sshd -i -f /etc/ssh/sshd_config_unix
    StandardInput=socket

Create a dedicated configuration file /etc/ssh/sshd_config_unix:

    # Deny all non-key based authentication methods
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PermitEmptyPasswords no
    GSSAPIAuthentication no

    # Only allow access to specific users
    AllowUsers root tim

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden, so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    # override the default of no subsystem
    Subsystem sftp /usr/libexec/openssh/sftp-server

Install socat and use the following snippet in ~/.ssh/config:

    Host host.local
        User root
        # We use `/run/host/run` instead of `/run` to work seamlessly in and out of containers
        ProxyCommand socat - UNIX-CLIENT:/run/host/run/sshd.sock
        # Path to your SSH key. See: https://tim.siosm.fr/blog/2023/01/13/openssh-key-management/
        IdentityFile ~/.ssh/keys/localroot
        # Force TTY allocation to always get an interactive shell
        RequestTTY yes
        # Reduce log output
        LogLevel SILENT

Test your configuration:

    $ ssh host.local
    [root@phoenix ~]#

Shell alias

Let's create a sudohost shell "alias" (function) that you can add to your Bash or ZSH configuration to make using this command easier:

    # Get an interactive root shell or run a command as root on the host
    sudohost() {
        if [[ ${#} -eq 0 ]]; then
            ssh host.local "cd \"${PWD}\"; exec \"${SHELL}\" --login"
        else
            ssh host.local "cd \"${PWD}\"; exec \"${@}\""
        fi
    }
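
Added example, not part of the original post: the function above pastes ${PWD} and the arguments into a string that root's shell on the host parses a second time, so a directory name containing quotes or $(...) is interpreted there, and a multi-word command collapses into a single word. The variant below single-quotes every value before sending it; sq, build_remote_cmd and sudohost_quoted are names introduced here, and host.local is the Host alias from the ~/.ssh/config snippet.

```sh
# Added example (not from the original post): quote every value before it
# reaches the root shell on the host. POSIX sh syntax, so it also runs in Bash.

# sq STRING: print STRING as one single-quoted shell word.
# Each embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
sq() {
    sq_rest=$1
    sq_out=
    while :; do
        case $sq_rest in
            *\'*)
                sq_head=${sq_rest%%\'*}     # text before the first '
                sq_rest=${sq_rest#*\'}      # text after the first '
                sq_out="$sq_out$sq_head'\\''"
                ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$sq_out$sq_rest"
}

# build_remote_cmd DIR CMD [ARG...]: print the command line sent over SSH.
# DIR and every argument arrive on the host as literal, separate words.
build_remote_cmd() {
    brc_line="cd $(sq "$1");"
    shift
    brc_line="$brc_line exec"
    for brc_arg in "$@"; do
        brc_line="$brc_line $(sq "$brc_arg")"
    done
    printf '%s' "$brc_line"
}

# Same interface as sudohost: no argument gives a login shell as root.
sudohost_quoted() {
    if [ "$#" -eq 0 ]; then
        set -- "${SHELL:-/bin/sh}" --login
    fi
    ssh host.local "$(build_remote_cmd "$PWD" "$@")"
}
```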