{"id":1257,"date":"2016-03-01T02:18:56","date_gmt":"2016-02-29T17:18:56","guid":{"rendered":"http:\/\/matoken.org\/blog\/?p=1257"},"modified":"2016-03-01T02:18:56","modified_gmt":"2016-02-29T17:18:56","slug":"try-the-new-option-authorized_keys-the-sshd-of-openssh-7-2","status":"publish","type":"post","link":"https:\/\/matoken.org\/blog\/2016\/03\/01\/try-the-new-option-authorized_keys-the-sshd-of-openssh-7-2\/","title":{"rendered":"Trying the new authorized_keys option in the sshd of OpenSSH 7.2"},"content":{"rendered":"<p>OpenSSH 7.2 has been released :)<\/p>\n<ul>\n<li><a href=\"http:\/\/lists.mindrot.org\/pipermail\/openssh-unix-announce\/2016-February\/000125.html\" title=\"[openssh-unix-announce] Announce: OpenSSH 7.2 released\">[openssh-unix-announce] Announce: OpenSSH 7.2 released<\/a><\/li>\n<li><a href=\"http:\/\/haruyama.blog.jp\/archives\/52047049.html\" title=\"&#x6625;&#x5C71; &#x5F81;&#x543E;&#x306E;&#x304F;&#x3051;&#x30FC; : OpenSSH 7.2 &#x304C;&#x30EA;&#x30EA;&#x30FC;&#x30B9;&#x3055;&#x308C;&#x307E;&#x3057;&#x305F; - livedoor Blog&#xFF08;&#x30D6;&#x30ED;&#x30B0;&#xFF09;\">\u6625\u5c71 \u5f81\u543e\u306e\u304f\u3051\u30fc : OpenSSH 7.2 has been released &#8211; livedoor Blog<\/a> This has a Japanese translation of the release notes. It is always a great help _o_<\/li>\n<\/ul>\n<p>So I will try out the following new feature, which caught my eye.<\/p>\n<blockquote>\n<p>* sshd(8): add a new authorized_keys option \u201crestrict\u201d that includes<br \/>\nall current and future key restrictions (no-*-forwarding, etc.).<br \/>\nAlso add permissive versions of the existing restrictions, e.g.<br \/>\n\u201cno-pty\u201d -&gt; \u201cpty\u201d. This simplifies the task of setting up<br \/>\nrestricted keys and ensures they are maximally-restricted,<br \/>\nregardless of any permissions we might implement in the future.<\/p>\n<\/blockquote>\n<p>Build with the default settings except for the prefix:<\/p>\n<pre class=\"lang-text\">$ sudo apt install build-essential\n$ sudo apt build-dep openssh\n$ git pull\n$ .\/configure --prefix=$HOME\/usr\/local\/openssh-portable\n$ make\n$ make install<\/pre>\n<p>Start the 7.2 daemon ad hoc (sshd must be started with an absolute path, hence the `pwd`):<\/p>\n<pre class=\"lang-text\">$ `pwd`\/sbin\/sshd -D -p 22222\n$ ps -ef|grep openssh-portable\nmk       21788 14885  0 00:46 pts\/7    00:00:00 \/home\/mk\/usr\/local\/openssh-portable\/sbin\/sshd -D -p 22222<\/pre>\n<p>Create a test key, add it to <code>~\/.ssh\/authorized_keys<\/code>, and test logging in.<\/p>\n<pre class=\"lang-text\">$ ssh-keygen -t ed25519 -N '' -f .\/testkey\n$ cat testkey.pub &gt;&gt; ~\/.ssh\/authorized_keys\n$ ssh localhost -p 22222 -i .\/testkey<\/pre>\n<p>At the start of the corresponding key line in authorized_keys<\/p>\n<pre class=\"lang-text\">ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFm5sR98q060FFlT1cpBVbwm0caShCYGl39D5k9PCenB mk@x220<\/pre>\n<p>prepend <code>restrict<\/code>:<\/p>\n<pre class=\"lang-text\">restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFm5sR98q060FFlT1cpBVbwm0caShCYGl39D5k9PCenB mk@x220<\/pre>\n<p>Try connecting with ssh 7.2.<\/p>\n<pre class=\"lang-text\">$ \/home\/mk\/usr\/local\/openssh-portable\/bin\/ssh localhost -p 22222 -i .\/testkey\nPTY allocation request failed\nprintenv|grep -i ssh\nSSH_CLIENT=::1 56910 22222\nSSH_CONNECTION=::1 56910 ::1 22222\nexit\nShared connection to localhost closed.<\/pre>\n<p>Since this is an sshd-side feature, the restrictions also apply when connecting with ssh 7.1.<\/p>\n<pre class=\"lang-text\">$ ssh localhost -p 22222 -i .\/testkey\nPTY allocation request failed\nprintenv|grep -i ssh\nSSH_CLIENT=::1 56910 22222\nSSH_CONNECTION=::1 56910 ::1 22222\nShared connection to localhost closed.<\/pre>\n<p>Adding <code>pty<\/code> as in <code>restrict,pty<\/code> and trying <code>-X\/-Y<\/code>, I confirmed that a pty is now available while X11 forwarding is still restricted.<\/p>\n<pre class=\"lang-text\">$ grep restrict authorized_keys\nrestrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFm5sR98q060FFlT1cpBVbwm0caShCYGl39D5k9PCenB mk@x220\n$ ssh localhost -p 22222 -i .\/testkey -X\nX11 forwarding request failed\nmk@x220:~$ xeyes\nError: Can't open display:<\/pre>\n<p>Until now you had to write out a long list of restrictions one by one; it looks like this can now be written simply :)<\/p>\n<p>The following is covered in a separate entry: <a href=\"https:\/\/plus.google.com\/+KenichiroMATOHARA\/posts\/3wUMXyjf2gU\">https:\/\/plus.google.com\/+KenichiroMATOHARA\/posts\/3wUMXyjf2gU<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSH 7.2 has been released :) [openssh-unix-announce] Announce: OpenSSH 7.2 released \u6625\u5c71 \u5f81\u543e\u306e\u304f\u3051\u30fc : OpenSSH 7.2 \u304c\u30ea\u30ea\u30fc\u30b9\u3055 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled_pings":false,"webmentions_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[6],"tags":[275,72],"class_list":["post-1257","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-openssh"],"_links":{"self":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/1257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/comments?post=1257"}
],"version-history":[{"count":0,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/1257\/revisions"}],"wp:attachment":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/media?parent=1257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/categories?post=1257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/tags?post=1257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}