ProHoster > Блог > labaran intanet > Sakin OpenSSH 8.5

Sakin OpenSSH 8.5

Bayan watanni biyar na ci gaba, an gabatar da sakin OpenSSH 8.5, buɗe aikace-aikacen abokin ciniki da uwar garke don aiki akan ka'idojin SSH 2.0 da SFTP.

Masu haɓakawa na OpenSSH sun tunatar da mu game da ƙaddamar da algorithms mai zuwa ta amfani da hashes na SHA-1 saboda haɓakar haɓakar hare-hare tare da prefix ɗin da aka bayar (ana ƙididdige farashin zaɓin karo a kusan $50). A cikin ɗayan fitowar masu zuwa, suna shirin kashe ta tsohuwa ikon yin amfani da “ssh-rsa” maɓalli na jama'a na sa hannu na dijital, wanda aka ambata a cikin ainihin RFC don ka'idar SSH kuma ya kasance cikin tartsatsi a aikace.

Don gwada amfani da ssh-rsa akan tsarin ku, zaku iya gwada haɗawa ta ssh tare da zaɓin "-oHostKeyAlgorithms = -ssh-rsa". A lokaci guda, kashe sa hannu na dijital "ssh-rsa" ta tsohuwa baya nufin watsi da amfani da maɓallan RSA gabaɗaya, tunda ban da SHA-1, ka'idar SSH tana ba da damar yin amfani da wasu algorithms na lissafin hash. Musamman, ban da "ssh-rsa", zai kasance mai yiwuwa a yi amfani da dam ɗin "rsa-sha2-256" (RSA/SHA256) da "rsa-sha2-512" (RSA/SHA512).

Don daidaita sauyi zuwa sababbin algorithms, OpenSSH 8.5 yana da saitin UpdateHostKeys wanda aka kunna ta tsohuwa, wanda ke ba abokan ciniki damar canzawa ta atomatik zuwa mafi amintattun algorithms. Amfani da wannan saitin, an kunna tsawaita yarjejeniya ta musamman "[email kariya]", kyale uwar garken, bayan tantancewa, don sanar da abokin ciniki game da duk maɓallan masaukin da ke akwai. Abokin ciniki zai iya nuna waɗannan maɓallan a cikin fayil ɗin ~/.ssh/known_hosts, wanda ke ba da damar sabunta maɓallan rundunar kuma ya sauƙaƙa canza maɓalli akan sabar.

Yin amfani da UpdateHostKeys yana iyakance ta wasu caveats da za a iya cirewa a nan gaba: dole ne a yi la'akari da maɓallin a cikin UserKnownHostsFile kuma ba a yi amfani da shi ba a cikin GlobalKnownHostsFile; dole ne maɓalli ya kasance ƙarƙashin suna ɗaya kawai; bai kamata a yi amfani da takardar shaidar maɓalli ba; a cikin sanannun_hosts masks ta sunan mai watsa shiri bai kamata a yi amfani da su ba; dole ne a kashe saitin VerifyHostKeyDNS; Dole ne ma'aunin UserKnownHostsFile ya kasance yana aiki.

Algorithms da aka ba da shawarar don ƙaura sun haɗa da rsa-sha2-256/512 bisa RFC8332 RSA SHA-2 (an goyan bayan OpenSSH 7.2 kuma ana amfani da shi ta tsohuwa), ssh-ed25519 (an goyan bayan OpenSSH 6.5) da ecdsa-sha2-nistp256/384/521 tushen akan RFC5656 ECDSA (ana goyan bayan OpenSSH 5.7).

Sauran canje-canje:

  • Canje-canjen tsaro:
    • Lalacewar da ta haifar ta hanyar sake 'yantar da yankin ƙwaƙwalwar ajiya da aka riga aka 'yanta (babu biyu) an gyara shi a cikin wakili na ssh. Batun ya kasance tun lokacin da aka saki OpenSSH 8.2 kuma ana iya yin amfani da shi idan mai hari yana da damar yin amfani da soket na wakilin ssh akan tsarin gida. Abin da ke sa amfani ya fi wahala shine tushen kawai da mai amfani na asali ne kawai ke samun damar shiga soket. Mafi yuwuwar yanayin harin shine ana tura wakilin zuwa asusun da maharin ke sarrafa, ko kuma zuwa ga rundunar inda maharin ke da tushen shiga.
    • sshd ya kara kariya daga wuce manyan sigogi tare da sunan mai amfani zuwa tsarin tsarin PAM, wanda ke ba ku damar toshe lahani a cikin tsarin PAM (Pluggable Authentication Module). Misali, canjin ya hana sshd yin amfani da shi azaman vector don amfani da raunin tushen da aka gano kwanan nan a cikin Solaris (CVE-2020-14871).
  • Canje-canjen dacewa mai yuwuwar warwarewa:
    • В ssh и sshd переработан экспериментальный метод обмена ключами, стойкий к подбору на квантовом компьютере. Квантовые компьютеры кардинально быстрее решают задачу разложения натурального числа на простые множители, которая лежит в основе современных асимметричных алгоритмов шифрования и эффективно не решаема на классических процессорах. Используемый метод основан на алгоритме NTRU Prime, разработанном для постквантумных криптосистем, и методе обмена ключами на базе эллиптических кривых X25519. Вместо [email kariya] метод теперь идентифицируется как [email kariya] (An maye gurbin sntrup4591761 algorithm ta sntrup761).
    • A cikin ssh da sshd, an canza tsarin da aka ba da sanarwar sa hannu na dijital mai goyan bayan an canza shi. Yanzu ana ba da ED25519 a maimakon ECDSA.
    • A cikin ssh da sshd, saitin ingancin sigogin sabis na TOS/DSCP don zaman ma'amala yanzu ana yin su kafin kafa haɗin TCP.
    • An dakatar da tallafin Cipher a cikin ssh da sshd [email kariya], wanda yayi daidai da aes256-cbc kuma anyi amfani dashi kafin a amince da RFC-4253.
    • Ta hanyar tsoho, ma'aunin CheckHostIP yana da rauni, amfanin wanda ba shi da amfani, amma amfani da shi yana dagula maɓalli mai mahimmanci ga runduna a bayan masu daidaita nauyi.
  • PerSourceMaxStartups da PerSourceNetBlockSize saituna an ƙara su zuwa sshd don iyakance ƙarfin ƙaddamar da ma'aikata dangane da adireshin abokin ciniki. Waɗannan sigogi suna ba ku damar sarrafa iyaka da kyau kan ƙaddamar da tsari, idan aka kwatanta da saitin MaxStartups na gaba ɗaya.
  • An ƙara sabon saitin LogVerbose zuwa ssh da sshd, wanda ke ba ka damar da ƙarfi ta haɓaka matakin cire bayanan da aka zubar a cikin log ɗin, tare da ikon tacewa ta samfuri, ayyuka da fayiloli.
  • A ssh, lokacin karɓar sabon maɓalli, duk sunayen masu masaukin baki da adiresoshin IP masu alaƙa da maɓallin ana nuna su.
  • ssh yana ba da damar UserKnownHostsFile = babu wani zaɓi don musaki amfani da sanannen fayil ɗin_hosts lokacin gano maɓallan runduna.
  • An ƙara saitin KnownHostsCommand zuwa ssh_config don ssh, yana ba ku damar samun sanannun_hosts bayanai daga fitowar ƙayyadadden umarnin.
  • Ƙara wani zaɓi na PermitRemoteOpen don ssh_config don ssh don ba ku damar ƙuntata wurin da ake nufi lokacin amfani da zaɓin Nesa na nesa tare da SOCKS.
  • A cikin ssh don maɓallan FIDO, ana ba da maimaita buƙatun PIN a cikin yanayin rashin nasarar aikin sa hannu na dijital saboda PIN da ba daidai ba kuma ba a nemi mai amfani don PIN ba (misali, lokacin da ba a sami ainihin bayanan biometric ba kuma na'urar ta faɗi baya zuwa shigar da PIN na hannu).
  • sshd yana ƙara goyan baya don ƙarin kiran tsarin zuwa tsarin keɓancewar tsari na tushen seccomp-bpf akan Linux.
  • An sabunta kayan taimako/ssh-kwafin-id.

source: budenet.ru

Add a comment