Bayan watanni uku na ci gaba saki , Buɗe abokin ciniki da aiwatar da uwar garke don aiki ta hanyar SSH 2.0 da ka'idojin SFTP.
Sabuwar saki yana ƙara kariya daga hare-haren scp wanda ke ba da damar uwar garken damar wuce wasu sunayen fayil fiye da waɗanda aka nema (saɓanin , harin baya ba da damar canza kundin adireshin da aka zaɓa ko glob mask). Ka tuna cewa a cikin SCP, uwar garken yana yanke shawarar waɗanne fayiloli da kundayen adireshi don aikawa ga abokin ciniki, kuma abokin ciniki kawai yana bincika daidaitattun sunayen abubuwan da aka dawo dasu. Asalin matsalar da aka gano shine idan kiran tsarin utimes ya gaza, to ana fassara abubuwan da ke cikin fayil ɗin azaman metadata na fayil.
Wannan fasalin, lokacin haɗi zuwa uwar garken da mai hari ke sarrafawa, ana iya amfani da shi don adana wasu sunayen fayil da sauran abun ciki a cikin FS na mai amfani lokacin yin kwafa ta amfani da scp a cikin saitunan da ke haifar da gazawar lokacin kiran utimes (misali, lokacin da aka haramta utimes da SELinux manufofin ko tsarin kira tace). An kiyasta yuwuwar kai hare-hare na gaske ba ta da yawa, tunda a cikin tsari na yau da kullun kiran utimes baya gazawa. Bugu da ƙari, harin ba ya faruwa ba tare da annashuwa ba - lokacin da ake kira scp, an nuna kuskuren canja wurin bayanai.
Babban canje-canje:
- A cikin sftp, an dakatar da sarrafa gardamar "-1", kama da ssh da scp, waɗanda aka karɓa a baya amma an yi watsi da su;
- A cikin sshd, lokacin amfani da IgnoreRhosts, yanzu akwai zaɓuɓɓuka guda uku: "e" - watsi da rhosts/shosts, "a'a" - mutunta rhosts / shosts, da kuma "shosts-only" - ba da izinin ".shosts" amma hana ".rhosts";
- Ssh yanzu yana goyan bayan % TOKEN sauyawa a cikin LocalFoward da saitunan RemoteForward da ake amfani da su don tura kwas ɗin Unix;
- Bada damar loda maɓallan jama'a daga fayil ɗin da ba a ɓoye tare da maɓalli na sirri idan babu wani fayil daban tare da maɓallin jama'a;
- Idan libcrypto yana cikin tsarin, ssh da sshd yanzu suna amfani da aiwatar da chacha20 algorithm daga wannan ɗakin karatu, maimakon ginanniyar aiwatar da šaukuwa, wanda ke baya a cikin aiki;
- An aiwatar da ikon zubar da abubuwan da ke cikin jerin binary na takaddun shaida da aka soke yayin aiwatar da umarnin "ssh-keygen -lQf /path";
- Sigar šaukuwa tana aiwatar da ma'anar tsarin da sigina tare da zaɓin SA_RESTART ya katse aikin zaɓi;
- Matsalolin da aka warware tare da taro akan tsarin HP / UX da AIX;
- Kafaffen matsaloli tare da gina akwatin sandbox na seccomp akan wasu saitunan Linux;
- Ingantattun gano ɗakin karatu na libfido2 da warware matsalolin ginawa tare da zaɓin "-with-security-key-builtin".
Masu haɓakawa na OpenSSH kuma sun sake yin gargaɗi game da ɓarnawar algorithms masu zuwa ta amfani da hashes na SHA-1 saboda tasiri na hare-haren haɗari tare da prefix da aka ba (ana kiyasta farashin zabar karo a kusan dala dubu 45). A cikin ɗayan fitowar masu zuwa, suna shirin kashe ta tsohuwa ikon amfani da maɓallin jama'a na sa hannu na dijital algorithm "ssh-rsa", wanda aka ambata a cikin ainihin RFC don ka'idar SSH kuma ya kasance cikin tartsatsi a aikace (don gwada amfani na ssh-rsa a cikin tsarin ku, zaku iya gwada haɗawa ta hanyar ssh tare da zaɓi "-oHostKeyAlgorithms = -ssh-rsa").
Don daidaita sauyawa zuwa sababbin algorithms a cikin OpenSSH, a cikin sakin gaba na gaba za a kunna saitin UpdateHostKeys ta tsohuwa, wanda zai ƙaura ta atomatik abokan ciniki zuwa mafi amintattun algorithms. Algorithms da aka ba da shawarar don ƙaura sun haɗa da rsa-sha2-256/512 bisa RFC8332 RSA SHA-2 (an goyan bayan OpenSSH 7.2 kuma ana amfani da shi ta tsohuwa), ssh-ed25519 (an goyan bayan OpenSSH 6.5) da ecdsa-sha2-nistp256/384/521 tushen akan RFC5656 ECDSA (ana goyan bayan OpenSSH 5.7).
Har zuwa fitowar ta ƙarshe, "ssh-rsa" da "diffie-hellman-group14-sha1" an cire su daga lissafin CASigntureAlgorithms wanda ke bayyana algorithms da aka ba da izinin sanya hannu kan sabbin takaddun shaida a lambobi, tun da yin amfani da SHA-1 a cikin takaddun shaida yana haifar da ƙarin haɗari. saboda wannan maharin yana da lokaci marar iyaka don neman karo don takardar shedar data kasance, yayin da lokacin kai hari akan maɓallan runduna ya iyakance ta lokacin haɗawa (LoginGraceTime).
source: budenet.ru