OpenSSH 8.7 release

After four months of development, OpenSSH 8.7 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • An experimental data transfer mode has been added to scp that uses the SFTP protocol instead of the traditional SCP/RCP protocol. SFTP uses more predictable name handling and does not rely on shell processing of glob patterns on the remote host's side, which has been a source of security problems. To enable SFTP in scp, the "-s" flag has been introduced, but in the future it is planned to switch to this protocol by default.
  • sftp-server implements an extension to the SFTP protocol for expanding ~/ and ~user/ paths, which scp needs.
  • The scp utility changed its behaviour when copying files between two remote hosts (e.g. "scp host-a:/path host-b:"): this is now done by default through the local host as an intermediary, as when the "-3" flag is specified. This approach avoids passing unnecessary credentials to the first host and the triple interpretation of file names in the shell (on the source, the destination and the local system); when SFTP is used, it also allows all authentication methods to be used when accessing the remote hosts, not only non-interactive ones. The "-R" option has been added to restore the old behaviour.
  • Added the ForkAfterAuthentication setting to ssh, equivalent to the "-f" flag.
  • Added the StdinNull setting to ssh, equivalent to the "-n" flag.
  • Added the SessionType setting to ssh, through which you can configure the modes corresponding to the "-N" (no session) and "-s" (subsystem) flags.
  • ssh-keygen allows you to specify the key validity interval in certificates.
  • Added the "-Oprint-pubkey" flag to ssh-keygen to print the full public key in an sshsig signature.
  • In ssh and sshd, both the client and the server have been moved to a stricter configuration file parser that uses shell-like rules for handling quotes, spaces and escape characters. The new parser also no longer tolerates previously accepted sloppiness, such as omitting arguments in options (e.g. the DenyUsers directive can no longer be left empty), unclosed quotes and multiple "=" characters.
  • When using SSHFP DNS records to verify a key, ssh now checks all matching records, not only those containing a specific digital signature type.
  • In ssh-keygen, when generating a FIDO key with the -Ochallenge option, the built-in layer is now used for hashing instead of libfido2, which allows challenge sequences larger or smaller than 32 bytes.
  • In sshd, when processing environment="..." directives in authorized_keys files, the first match is now accepted and a limit of 1024 environment names applies.

The OpenSSH developers also warned about the deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 50 thousand dollars). In one of the upcoming releases, it is planned to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice.

To test whether your systems depend on ssh-rsa, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since besides SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, besides "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.

To smooth the transition to the new algorithms, OpenSSH has for some time had the UpdateHostKeys setting enabled by default, which allows clients to switch automatically to more reliable algorithms. With this setting, a special protocol extension "hostkeys-00@openssh.com" is enabled, allowing the server, after authentication, to inform the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to rotate keys on the server.

The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; a key certificate must not be used; hostname patterns must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be in effect.
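The ssh-rsa test above and the UpdateHostKeys caveats can both be triaged from the client's known_hosts file. The following script is an added example, not OpenSSH project code; the sample known_hosts content is constructed and the key data in it is fake. It lists the hosts the client knows only by an RSA key (the ones worth testing with "-oHostKeyAlgorithms=-ssh-rsa") and the entries that UpdateHostKeys will not refresh because they are certificate-authority entries, list a key under several names, or use a hostname pattern.

```python
"""Triage ~/.ssh/known_hosts ahead of the ssh-rsa change described above.
Added example, not OpenSSH project code; the sample file below is constructed."""
from collections import defaultdict

def parse_known_hosts(text):
    """Yield (names, keytype, marker) per entry; skips comments and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed: need names, key type and key data
        yield fields[0].split(","), fields[1], marker

def audit_known_hosts(text):
    """Return (hosts known only by an RSA key, entries UpdateHostKeys cannot refresh)."""
    types_by_host = defaultdict(set)
    blocked = {}
    for names, keytype, marker in parse_known_hosts(text):
        label = ",".join(names)
        # Caveats from the article: UpdateHostKeys skips certificate entries,
        # keys listed under several names, and hostname patterns.
        if marker == "@cert-authority":
            blocked[label] = "certificate authority entry"
        elif len(names) > 1:
            blocked[label] = "key listed under several names"
        elif any(c in names[0] for c in "*?"):
            blocked[label] = "hostname pattern"
        if marker is None:  # ignore @revoked and CA keys when tallying host keys
            for name in names:
                types_by_host[name].add(keytype)
    # "ssh-rsa" in known_hosts is the key *type*; the server may still sign with
    # rsa-sha2-256/512, so these hosts are candidates to test, not known failures.
    rsa_only = sorted(h for h, t in types_by_host.items() if t == {"ssh-rsa"})
    return rsa_only, blocked

SAMPLE = """\
# constructed sample known_hosts (key data is fake)
legacy.example.test ssh-rsa AAAAB3NzaC1yc2EfakeKey1
modern.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5fakeKey2
modern.example.test ssh-rsa AAAAB3NzaC1yc2EfakeKey3
bastion.example.test,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5fakeKey4
*.lab.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhfakeKey5
@cert-authority *.corp.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5fakeKey6
@revoked old.example.test ssh-rsa AAAAB3NzaC1yc2EfakeKey7
"""
```

Feed the contents of your own ~/.ssh/known_hosts to audit_known_hosts() to get the list of hosts to test with the ssh option above and the entries UpdateHostKeys will leave untouched.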

Algorithms recommended for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

source: budenet.ru