A cikin abokan cinikin SSH OpenSSH da PuTTY ( a cikin PUTTY da a cikin OpenSSH), yana haifar da zubar da bayanai a cikin algorithm na shawarwarin haɗin gwiwa. Rashin lahani yana bawa maharin da ke da ikon katse zirga-zirgar abokin ciniki (misali, lokacin da mai amfani ya haɗa ta wurin hanyar shiga mara waya mai sarrafa maharin) don gano yunƙurin haɗa abokin ciniki da mai masaukin lokacin da abokin ciniki bai riga ya adana maɓallin runduna ba.
Sanin cewa abokin ciniki yana ƙoƙarin haɗawa a karon farko kuma har yanzu bai sami maɓallin mai watsa shiri a gefensa ba, maharin zai iya watsa hanyar haɗin kai ta hanyar kanta (MITM) kuma ya ba abokin ciniki maɓalli na rundunarsa, wanda abokin ciniki na SSH zai yi la'akari da shi. zama mabuɗin mai watsa shiri idan bai tabbatar da sawun yatsa ba . Don haka, mai kai hari zai iya tsara MITM ba tare da tada hankalin mai amfani ba kuma ya yi watsi da zaman da bangaren abokin ciniki ya riga ya adana makullin runduna, yunƙurin maye gurbin wanda zai haifar da gargaɗi game da canjin maɓalli. Harin ya dogara ne kan rashin kulawar masu amfani waɗanda ba sa bincika sawun yatsa na maɓalli da hannu lokacin da suka fara haɗawa. Wadanda ke duba sawun yatsa masu mahimmanci suna samun kariya daga irin wannan harin.
A matsayin alamar ƙayyadaddun yunƙurin haɗin gwiwa na farko, ana amfani da canji a cikin tsarin jeri masu goyan bayan algorithms na maɓalli. Idan haɗin farko ya faru, abokin ciniki yana aika jerin tsoffin algorithms, kuma idan maɓallin mai watsa shiri ya riga ya kasance a cikin cache, to, algorithm mai alaƙa an sanya shi a wuri na farko (algorithms ana jera su cikin tsari na zaɓi).
Matsalar ta bayyana a cikin OpenSSH tana fitar da 5.7 zuwa 8.3 da PuTTY 0.68 zuwa 0.73. Matsala cikin fitowar ta ƙara wani zaɓi don musaki ƙaƙƙarfan gini na jerin maɓallan sarrafa maɓalli na runduna a cikin ni'imar jera algorithms a cikin tsari na dindindin.
Aikin OpenSSH ba ya shirin canza halayen abokin ciniki na SSH, tun da idan ba ku bayyana algorithm na maɓallin da ke akwai ba a farkon wuri, za a yi ƙoƙari don amfani da algorithm wanda bai dace da maɓallin cache ba. gargadi game da maɓallin da ba a sani ba zai nuna. Wadancan. zabi ya taso - ko dai yayyo bayanai (OpenSSH da PuTTY), ko gargadi game da canza maɓalli (Dropbear SSH) idan maɓallin da aka ajiye bai dace da algorithm na farko a cikin tsoffin jeri ba.
Don samar da tsaro, OpenSSH yana ba da madadin hanyoyin tabbatar da maɓalli ta hanyar amfani da shigarwar SSHFP a cikin DNSSEC da takaddun shaida (PKI). Hakanan zaka iya musaki zaɓin daidaitawa na maɓallan maɓalli na rundunar ta hanyar zaɓi na HostKeyAlgorithms kuma amfani da zaɓin UpdateHostKeys don ba da damar abokin ciniki ya sami ƙarin maɓallan runduna bayan tantancewa.
source: budenet.ru