OpenSSH 8.0 release

After five months of development, OpenSSH 8.0 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support has been added to ssh and sshd for a key exchange method that is resistant to brute-force attacks on a quantum computer. Quantum computers are substantially faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (the ntrup4591761 function), developed for post-quantum cryptosystems, combined with the X25519 elliptic-curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was implemented in 2001 as an alternative to "host:port" to simplify working with IPv6. Nowadays the "[::1]:22" form has become established for IPv6, and "host/port" is often confused with a subnet specification (CIDR);
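To make the ambiguity behind this change concrete, here is an added example (not sshd's own parser, and not code from the page): a hypothetical `parse_listen_address` that accepts only the surviving forms ("host", "host:port", "[ipv6]:port") and rejects "host/port", next to a `legacy_readings` helper that shows how one old-style value can be read both as a port and as a CIDR prefix length.

```python
import ipaddress
from typing import Optional, Tuple


def parse_listen_address(spec: str) -> Tuple[str, Optional[int]]:
    """Hypothetical model of a ListenAddress value parser.

    Accepts only "host", "host:port" and "[ipv6]:port"; the legacy
    "host/port" form is rejected outright, as OpenSSH 8.0 now does.
    """
    if "/" in spec:
        raise ValueError(f"legacy host/port syntax not accepted: {spec!r}")
    if spec.startswith("["):
        close = spec.find("]")
        if close == -1:
            raise ValueError(f"unterminated bracket: {spec!r}")
        host, rest = spec[1:close], spec[close + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        raise ValueError(f"bad port suffix: {spec!r}")
    if spec.count(":") > 1:
        # Several colons and no brackets: a bare IPv6 address without a port.
        return spec, None
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
        if not port.isdigit():
            raise ValueError(f"bad port: {spec!r}")
        return host, int(port)
    return spec, None


def legacy_readings(spec: str) -> dict:
    """Enumerate the plausible meanings of an old "host/port" value.

    A trailing "/N" can be a port number or a CIDR prefix length; both
    readings are returned when both are well-formed.
    """
    readings = {}
    host, sep, tail = spec.rpartition("/")
    if sep and tail.isdigit():
        readings["host/port"] = (host, int(tail))
        try:
            readings["cidr"] = str(ipaddress.ip_network(spec, strict=False))
        except ValueError:
            pass  # not a valid address/prefix pair, only the port reading remains
    return readings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    print(parse_listen_address("[::1]:22"))          # ('::1', 22)
    print(parse_listen_address("0.0.0.0:2222"))      # ('0.0.0.0', 2222)
    # "192.168.1.1/22": listen on port 22, or the 192.168.0.0/22 network?
    print(legacy_readings("192.168.1.1/22"))
```

The `legacy_readings` output for "192.168.1.1/22" is the whole argument in one line: an administrator reading a config cannot tell from the text alone whether "22" is the SSH port or a /22 netmask, so removing the form costs nothing and removes a misconfiguration trap.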
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the latest NIST recommendations;
  • ssh allows the "PKCS11Provider=none" setting to override a PKCS11Provider directive specified in ssh_config;
  • sshd logs a status message when a connection is terminated while attempting to run a command blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is displayed, the exact fingerprint is now accepted in place of the answer "yes" (in reply to the prompt to confirm the connection, the user can paste the separately obtained reference fingerprint via the clipboard, so that it need not be compared by hand);
  • ssh-keygen automatically increments the certificate serial number when creating digital signatures for several certificates on one command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to increase the verbosity of the output (when specified, this option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • The "-T" option has been added to ssh-add to test the suitability of keys in ssh-agent for performing digital signature creation and verification operations;
  • sftp-server implements support for the "lsetstat@openssh.com" protocol extension, which adds support for the SSH2_FXP_SETSTAT operation to SFTP, but without following symbolic links;
  • A "-h" option has been added to sftp to run the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd provides the $SSH_CONNECTION environment variable to PAM;
  • A "Match final" matching condition has been added to ssh_config, which resembles "Match canonical" but does not require hostname canonicalisation in order to trigger;
  • Support for the '@' prefix has been added to sftp to suppress echoing of commands executed in batch mode;
  • When displaying the contents of a certificate with the "ssh-keygen -Lf /path/certificate" command, the algorithm used by the CA to validate the certificate is now shown;
  • Improved support for the Cygwin environment, for example case-insensitive matching of group and user names. The sshd process in the Cygwin port has been renamed cygsshd to avoid interference with the OpenSSH port supplied by Microsoft;
  • Added the ability to build with the experimental OpenSSL 3.x branch;
  • A vulnerability (CVE-2019-6111) in the scp utility has been eliminated that allowed arbitrary files in the destination directory to be overwritten on the client side when accessing a server controlled by an attacker. The problem is that with scp the server decides which files and directories to send to the client, and the client only checks the correctness of the object names returned. The client-side check was limited to blocking traversal outside the current directory ("../"), but did not take into account the transfer of files with names other than those originally requested. In recursive copy mode (-r), the names of subdirectories could be manipulated in the same way in addition to file names. For example, if the user copied files into the home directory, an attacker-controlled server could supply files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and scp would save them in the user's home directory.

    In the new release, the scp utility has been updated to check, on the client side, that the names of the files sent by the server match those that were requested. This can cause problems with wildcard handling, since wildcard expansion characters may be processed differently on the server and client sides. If such a discrepancy makes the client stop accepting files in scp, a "-T" option has been added to disable the client-side check. A complete fix would require reworking the design of the scp protocol, which is itself already outdated, so it is recommended to use more modern protocols such as sftp and rsync instead.
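The client-side name check described above, as an added illustration rather than OpenSSH's own scp code: a hypothetical `client_accepts` that admits a server-supplied name only if it is a single path component that matches the glob the user asked for, applied to a constructed list of offered names. It also shows the wildcard caveat that motivates the "-T" option: a pattern the remote shell expands with brace expansion is a literal string to a plain glob matcher, so a legitimate file is rejected.

```python
import fnmatch
import posixpath

# Constructed sample data (not from the page): the glob the client asked for
# and the file names a server claims match it.  The last four are the kind
# of names a misbehaving server could send to place files outside the request.
REQUESTED_PATTERN = "*.txt"
OFFERED_NAMES = [
    "notes.txt",
    "report.txt",
    ".bash_aliases",          # dotfile that does not match the request
    "../../etc/passwd",       # directory traversal
    ".ssh/authorized_keys",   # nested path smuggled in as a "file name"
    "sub/other.txt",          # path separator inside a plain file name
]


def client_accepts(requested: str, offered: str) -> bool:
    """Hypothetical model of the client-side name check added to scp in 8.0.

    Accept an offered name only if it is exactly one path component and it
    matches the glob pattern the user originally requested.
    """
    # A name sent for a directory entry must be a single component.
    if offered in ("", ".", "..") or "/" in offered or "\0" in offered:
        return False
    pattern = posixpath.basename(requested)
    # Shell globbing does not match leading-dot names unless the pattern
    # itself starts with a dot; mirror that so "*" cannot pull in .bash_aliases.
    if offered.startswith(".") and not pattern.startswith("."):
        return False
    return fnmatch.fnmatchcase(offered, pattern)


def filter_offered(requested: str, offered_names: list) -> list:
    """Return only the names the client would actually write to disk."""
    return [name for name in offered_names if client_accepts(requested, name)]


if __name__ == "__main__":
    print(filter_offered(REQUESTED_PATTERN, OFFERED_NAMES))  # ['notes.txt', 'report.txt']
    # The remote shell expands "{a,b}.txt" to a.txt and b.txt, but a plain glob
    # matcher treats "{a,b}.txt" as a literal name, so a.txt is rejected.  This
    # mismatch between server-side and client-side expansion is why "-T" exists.
    print(client_accepts("{a,b}.txt", "a.txt"))  # False
```

Note that disabling the check with "-T" restores the pre-8.0 behaviour for that transfer, so it is only appropriate when the server is trusted; the more robust answer, as the release notes say, is to move such transfers to sftp or rsync.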

source: opennet.ru