OpenSSH 8.4 released

After four months of development, OpenSSH 8.4 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Security changes:
    • In ssh-agent, when using FIDO keys that were not created for SSH authentication (the key identifier does not start with the string "ssh:"), it now checks that the message to be signed is in one of the forms used by the SSH protocol. With this change, forwarding ssh-agent to a remote host no longer lets the remote side use the attached FIDO keys to produce signatures for web authentication requests (the converse case, where a browser could sign an SSH request, was already ruled out because of the "ssh:" prefix in the key identifier).
    • Resident keys generated by ssh-keygen now support the credProtect extension described in the FIDO 2.1 specification, which gives keys additional protection by requiring a PIN before any operation that could lead to the resident key being extracted from the token.
  • Changes that may break compatibility:
    • For FIDO/U2F support, libfido2 version 1.5.0 or newer is recommended. Older versions can still be used, but in that case features such as resident keys, PIN requirements and multiple attached tokens will not be available.
    • In ssh-keygen, the attestation information optionally saved when generating a FIDO key now includes the authenticator data needed to verify the attestation signatures, so the format of that data has changed.
    • The API used by OpenSSH to interact with the layer that provides access to FIDO tokens has changed.
    • When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from a published tarball, the configuration does not need to be regenerated).
  • Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate keys with a PIN, the "verify-required" option was added to ssh-keygen. When such keys are used, the user is asked to confirm the operation by entering the PIN before a signature is created.
  • In sshd, the "verify-required" option was implemented for authorized keys, requiring the use of user-verification capabilities when operating on the token. The FIDO standard provides several options for such verification, but OpenSSH currently supports only PIN-based verification.
  • sshd and ssh-keygen added support for verifying digital signatures that conform to the FIDO Webauthn standard, which allows FIDO keys to be used in web browsers.
  • In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now allow values to be substituted from environment variables given in the form "${ENV}".

  • ssh and ssh-agent added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable calling ssh-askpass.
  • In ssh, the AddKeysToAgent directive in ssh_config can now limit the validity period of a key. Once the specified limit expires, the key is automatically removed from ssh-agent.
  • In scp and sftp, the "-A" flag now allows agent forwarding to be enabled explicitly (forwarding is disabled by default).
  • Added support for the "%k" substitution in ssh settings, which expands to the host key name. This can be used to keep host keys in separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • "ssh-add -d" can now read the keys to be deleted from stdin.
  • In sshd, the start and end of the connection throttling process configured by the MaxStartups parameter are now recorded in the log.

The OpenSSH developers also reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, because of the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, they plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice (to test whether your systems depend on ssh-rsa, try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to newer algorithms in OpenSSH, the next release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).
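As an added example (not from the announcement or the OpenSSH project), the POSIX shell script below turns the ssh-rsa probe mentioned above into a non-interactive check that classifies ssh's output, and also shows an ssh_config fragment using the "%k" token, "${ENV}"-style expansion and the AddKeysToAgent lifetime from the feature list. The OpenSSH client on PATH, the host names, the sample stderr line and the SSH_KEY_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the announcement or from the OpenSSH project.
# Assumes an OpenSSH client (8.4 or newer) on PATH for probe_host; the sample
# stderr, the host names and SSH_KEY_DIR below are constructed for illustration.
# Classify what ssh printed when run with ssh-rsa removed from HostKeyAlgorithms.
# Host key negotiation happens before authentication, so even a
# "Permission denied" result means a non-SHA-1 host key type was agreed.
classify_hostkey_result() {
    case "$1" in
        *"no matching host key type found"*)
            offer=${1##*"Their offer: "}   # e.g. "ssh-rsa" or "ssh-rsa,ssh-dss"
            case ",$offer," in
                *,ssh-rsa,*) echo "ssh-rsa-only" ;;        # only SHA-1 types offered
                *)           echo "no-common-hostkey" ;;
            esac ;;
        *"Connection timed out"*|*"Could not resolve"*|*"Connection refused"*)
            echo "unreachable" ;;
        *) echo "ok" ;;
    esac
}

# The probe from the announcement, run non-interactively against one host.
probe_host() {
    out=$(ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes \
              -oConnectTimeout=5 "$1" exit 2>&1)
    classify_hostkey_result "$out"
}

# ssh_config fragment using the 8.4 client options described above: %k keeps
# each host key in its own known_hosts file, ${SSH_KEY_DIR} is expanded from
# the environment, and the 1h interval makes ssh-agent forget the key after
# an hour; the last line applies the ssh-rsa removal to every connection.
ssh_config_fragment() {
    cat <<'EOF'
Host *
    UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    IdentityFile ${SSH_KEY_DIR}/id_ed25519
    AddKeysToAgent 1h
    HostKeyAlgorithms -ssh-rsa
EOF
}

# Constructed stderr in the form OpenSSH prints for an ssh-rsa-only server.
SAMPLE_RSA_ONLY='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa'

if [ "${1:-}" = "--demo" ]; then
    classify_hostkey_result "$SAMPLE_RSA_ONLY"   # ssh-rsa-only
    shift
    for h in "$@"; do printf '%s %s\n' "$h" "$(probe_host "$h")"; done
fi
```

Run it as `sh probe.sh --demo host1 host2` to print one classification per host; a host reported as "ssh-rsa-only" will stop working once ssh-rsa is disabled by default.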

Source: budenet.ru
