OpenSSH 8.9 released, with a vulnerability in sshd fixed

After six months of development, OpenSSH 8.9 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols. The new version of sshd fixes a vulnerability that could potentially allow unauthorized access. The problem is caused by an integer overflow in the authentication code, but it can only be exploited in combination with other logic errors in the code.

In its current form, the vulnerability cannot be exploited when privilege separation mode is enabled, since its manifestation is blocked by separate checks performed in the privilege separation tracking code. Privilege separation mode has been enabled by default since 2002, starting with OpenSSH 3.2.2, and has been mandatory since the OpenSSH 7.5 release published in 2017. In addition, in portable OpenSSH builds starting with release 6.5 (2014), the vulnerability is blocked by compiling with integer overflow protection flags.

Other changes:

  • In portable OpenSSH, sshd has removed native support for hashing passwords with the MD5 algorithm (linking against external libraries such as libxcrypt is allowed to restore it).
  • ssh, sshd, ssh-add and ssh-agent implement a system for restricting the forwarding and use of keys added to ssh-agent. The system lets you set rules that determine how and where a key may be used from ssh-agent. For example, to add a key that can only be used to authenticate any user connecting to the host scylla.example.org, the user perseus to the host cetus.example.org, and the user medea to the host charybdis.example.org via a hop through the host scylla.example.org, you can use the following command:
    $ ssh-add -h "perseus@cetus.example.org" \
        -h "scylla.example.org" \
        -h "scylla.example.org>medea@charybdis.example.org" \
        ~/.ssh/id_ed25519
  • In ssh and sshd, the hybrid key exchange algorithm sntrup761x25519-sha512@openssh.com (ECDH/x25519 + NTRU Prime), resistant to brute-force attacks on quantum computers, has been added to the default KexAlgorithms list, which defines the order in which key exchange methods are selected. In OpenSSH 8.9 this negotiation method was placed between the ECDH and DH methods, but it is planned to make it the default in a future release.
  • ssh-keygen, ssh and ssh-agent have improved handling of FIDO token keys used for device verification, including keys for biometric authentication.
  • The "ssh-keygen -Y match-principals" command has been added to ssh-keygen to check user names against the allowed signers file.
  • ssh-add and ssh-agent allow adding PIN-protected FIDO keys to ssh-agent (the PIN prompt is shown at authentication time).
  • ssh-keygen allows choosing the hash algorithm (sha512 or sha256) when generating signatures.
  • In ssh and sshd, to improve performance, network data is read directly into the incoming packet buffer, bypassing an intermediate buffer on the stack. Delivery of received data directly into the channel buffer is implemented the same way.
  • In ssh, the PubkeyAuthentication directive has an expanded list of supported values (yes|no|unbound|host-bound) to allow selecting which protocol extension to use.
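
The matching rules behind the ssh-add -h example above, as an added model written for this page (it is not OpenSSH code). It evaluates only the rules the release note describes: a constrained key may be used for a given user and host only from the stated hop origin, the local host when no "from_host>" prefix is given. The real agent additionally verifies every hop against the hosts' host keys, which this model omits; the hop names in demo() are constructed.

```python
"""Simplified model of ssh-agent destination constraints (ssh-add -h).

Added for this page; not OpenSSH code.  Hop verification via host keys,
which the real agent performs, is intentionally left out.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Constraint:
    src: Optional[str]   # host the connection must come from; None = local host
    user: Optional[str]  # remote user name; None = any user
    dst: str             # destination host


def parse_constraint(spec: str) -> Constraint:
    """Parse "host", "user@host" or "from_host>user@host"."""
    src: Optional[str] = None
    rest = spec
    if ">" in rest:
        src, rest = rest.split(">", 1)
    user: Optional[str] = None
    if "@" in rest:
        user, rest = rest.rsplit("@", 1)
    if not rest or src == "" or user == "":
        raise ValueError(f"malformed destination constraint: {spec!r}")
    return Constraint(src, user, rest)


def key_usable(constraints: List[Constraint], src: Optional[str],
               user: str, dst: str) -> bool:
    """True if the key may authenticate `user` to `dst` on a connection
    made from `src` (None = the local host).  A key added without any
    constraint stays unrestricted, as before OpenSSH 8.9."""
    if not constraints:
        return True
    return any(c.src == src and c.dst == dst and c.user in (None, user)
               for c in constraints)


# The three rules from the release note's ssh-add example.
PAGE_RULES = [parse_constraint(s) for s in (
    "perseus@cetus.example.org",
    "scylla.example.org",
    "scylla.example.org>medea@charybdis.example.org",
)]


def demo() -> dict:
    """Evaluate a few hops against PAGE_RULES (user names are constructed)."""
    return {
        "alice->scylla (any user allowed)":
            key_usable(PAGE_RULES, None, "alice", "scylla.example.org"),
        "perseus->cetus":
            key_usable(PAGE_RULES, None, "perseus", "cetus.example.org"),
        "bob->cetus (only perseus allowed)":
            key_usable(PAGE_RULES, None, "bob", "cetus.example.org"),
        "medea->charybdis via scylla":
            key_usable(PAGE_RULES, "scylla.example.org", "medea",
                       "charybdis.example.org"),
        "medea->charybdis directly (must hop via scylla)":
            key_usable(PAGE_RULES, None, "medea", "charybdis.example.org"),
        "forwarded to cetus, then cetus->scylla (no such rule)":
            key_usable(PAGE_RULES, "cetus.example.org", "alice",
                       "scylla.example.org"),
    }


if __name__ == "__main__":
    for hop, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':5} {hop}")
```

The last two cases are the point of the feature: a key forwarded to cetus.example.org cannot be replayed from there against scylla.example.org, and the charybdis key is only honoured when the request arrives through the scylla hop.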

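Why the position of sntrup761x25519-sha512@openssh.com in KexAlgorithms matters, as an added example written for this page (not OpenSSH code): SSH selects the first method in the client's list that the server also offers (RFC 4253, section 7.1), so a method placed after the ECDH entries is only used when no ECDH method is shared. The algorithm lists below are constructed for illustration and are not the exact OpenSSH defaults.

```python
"""Added example: KexAlgorithms list order versus the negotiated method.

Not OpenSSH code; the lists are constructed for illustration.
"""
from typing import List, Optional

PQ_KEX = "sntrup761x25519-sha512@openssh.com"

# Constructed client list in the OpenSSH 8.9 shape: ECDH methods first,
# then the hybrid post-quantum method, then finite-field DH.
CLIENT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    PQ_KEX,
    "diffie-hellman-group14-sha256",
]

# Constructed server lists: one that offers the hybrid method, one that does not.
SERVER_WITH_PQ = ["curve25519-sha256", PQ_KEX, "diffie-hellman-group14-sha256"]
SERVER_OLD = ["ecdh-sha2-nistp256", "curve25519-sha256", "diffie-hellman-group14-sha256"]


def negotiate_kex(client: List[str], server: List[str]) -> Optional[str]:
    """First entry of the client's list that the server also offers;
    None when the two sides share no key exchange method."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def prefer(alg: str, kex_list: List[str]) -> List[str]:
    """Copy of kex_list with `alg` moved to the head: the effect of
    'KexAlgorithms ^alg' in ssh_config, which prepends to the defaults."""
    return [alg] + [a for a in kex_list if a != alg]


def config_line(kex_list: List[str]) -> str:
    """Render an explicit KexAlgorithms line for ssh_config or sshd_config."""
    return "KexAlgorithms " + ",".join(kex_list)


if __name__ == "__main__":
    # With the 8.9 ordering the shared ECDH method wins even though both
    # sides support the hybrid method.
    print(negotiate_kex(CLIENT_KEX, SERVER_WITH_PQ))
    # Moving the hybrid method to the front selects it where available...
    print(negotiate_kex(prefer(PQ_KEX, CLIENT_KEX), SERVER_WITH_PQ))
    # ...and falls back cleanly against a server that lacks it.
    print(negotiate_kex(prefer(PQ_KEX, CLIENT_KEX), SERVER_OLD))
    print(config_line(prefer(PQ_KEX, CLIENT_KEX)))
```

The practical consequence: until the method becomes the default, an operator who wants the hybrid exchange used wherever both ends support it must reorder the list on the client (or server), while keeping the classical entries so older peers still connect.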
In a future release, it is planned to change the default of the scp utility to use SFTP instead of the legacy SCP/RCP protocol. SFTP uses more predictable name handling methods and does not rely on shell processing of glob patterns in file names on the remote host side, which has caused security problems. In particular, when using SCP and RCP, the server decides which files and directories to send to the client, and the client only checks the correctness of the returned object names, which, in the absence of proper checks on the client side, allows the server to transfer other file names that differ from those requested. The SFTP protocol does not have these problems, but it does not support expansion of special paths such as "~/". To resolve this difference, the previous OpenSSH release introduced a new SFTP protocol extension to expand ~/ and ~user/ paths in the SFTP server implementation.
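
The client-side check the paragraph above refers to, as an added example written for this page (not OpenSSH's scp code). In the SCP protocol the server announces each file with a header of the form "Cmmmm size name"; a client that does not compare `name` with what it asked for will write whatever the server chooses to send. The server response lines below are constructed, and the check covers single-file and glob requests.

```python
"""Added example: validating file names a legacy SCP server announces.

Not OpenSSH code.  Server header lines are constructed for illustration.
"""
import fnmatch
import posixpath
import re
from typing import List, Tuple

# SCP file record: 'C' + 4 octal mode digits, size in bytes, file name.
_FILE_HEADER = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


def parse_file_header(line: str) -> Tuple[int, int, str]:
    """Split an SCP 'C' record into (mode, size, name)."""
    m = _FILE_HEADER.match(line)
    if not m:
        raise ValueError(f"not an SCP file header: {line!r}")
    return int(m.group(1), 8), int(m.group(2)), m.group(3)


def name_matches_request(requested: str, received: str) -> bool:
    """True only if the announced name is a plain basename (no path
    components, no traversal) and satisfies the basename of the requested
    path: a glob match for patterns, an exact match otherwise."""
    if received in ("", ".", "..") or "/" in received or "\x00" in received:
        return False
    want = posixpath.basename(requested)
    if any(ch in want for ch in "*?["):
        return fnmatch.fnmatchcase(received, want)
    return received == want


def filter_transfer(requested: str,
                    headers: List[str]) -> Tuple[List[str], List[str]]:
    """Partition the server's announced names into accepted and rejected."""
    accepted: List[str] = []
    rejected: List[str] = []
    for line in headers:
        _mode, _size, name = parse_file_header(line)
        (accepted if name_matches_request(requested, name) else rejected).append(name)
    return accepted, rejected


# Constructed: what a server might announce when the client asked for "logs/*.log".
SERVER_HEADERS = [
    "C0644 1289 app.log",
    "C0644 77 .bashrc",              # not requested
    "C0600 400 authorized_keys",     # not requested
    "C0644 9 ../escape.log",         # contains a path component
]

if __name__ == "__main__":
    ok, bad = filter_transfer("logs/*.log", SERVER_HEADERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

SFTP sidesteps the whole class of problem because the client names each file it opens and reads, so there is no server-chosen name to validate; the trade-off the paragraph describes is that "~/" expansion then has to be provided by a protocol extension rather than by the remote shell.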

source: budenet.ru
