OpenSSH 9.2 released with a fix for a pre-authentication vulnerability

OpenSSH 9.2 has been released. It is an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. The new version eliminates a vulnerability that leads to a double free of memory at the pre-authentication stage. Only the OpenSSH 9.1 release is affected; the problem does not appear in earlier versions.

To create the conditions for the vulnerability to manifest, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1" so that the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" flags, which depend on the SSH client version, are set. Once these flags are set, the memory for the "options.kex_algorithms" buffer is freed twice: first when the do_ssh2_kex() function runs and calls compat_kex_proposal(), and again when the do_authentication2() function runs and calls, along the chain, input_userauth_request(), mm_getpwnamallow(), copy_set_server_options(), assemble_algorithms() and kex_assemble_names().

Creating a working exploit for the vulnerability is considered unlikely, since the exploitation process is too complicated: modern memory allocation libraries provide protection against double frees, and the pre-authentication process in which the error is present runs with reduced privileges in an isolated sandbox environment.

In addition to the vulnerability noted above, the new release also fixes two more security issues:

  • An error occurred when processing the "PermitRemoteOpen" setting, which caused the first argument to be ignored if it differed from the values "any" and "none". The problem appears in versions newer than OpenSSH 8.7 and causes the check to be skipped when only one permission is specified.
  • An attacker who controls the DNS server used to resolve names can achieve the substitution of special characters (for example, "*") into known_hosts files if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options are enabled in the configuration and the system resolver does not check the correctness of responses from the DNS server. The attack is considered unlikely because the returned names must match the conditions specified through CanonicalizePermittedCNAMEs.
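
A defender-side check for the three issues above, added here as an example and not taken from the article or from the OpenSSH project. It assumes the client and server come from the same package, so the `ssh -V` version string applies to both, that the DNS-related issue concerns every release before 9.2, and it ignores Host/Match scoping; the labels and the sample configuration are constructed.

```python
import re

# Constructed sample ssh_config, not taken from a real host.
SAMPLE_CONFIG = """\
# client settings
Host *.example.org
    PermitRemoteOpen build.example.org:22
    CanonicalizeHostname yes
    CanonicalizePermittedCNAMEs *.example.org:*.example.net
"""

def parse_version(banner):
    """Extract (major, minor) from text such as 'OpenSSH_9.1p1, OpenSSL ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenSSH version in %r" % banner)
    return int(m.group(1)), int(m.group(2))

def parse_config(text):
    """Map lowercased keyword -> list of argument lists (Host/Match scoping ignored)."""
    opts = {}
    for raw in text.splitlines():
        parts = [p for p in re.split(r"[\s=]+", raw.strip()) if p]
        if parts and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), []).append(parts[1:])
    return opts

def audit(banner, config_text):
    """Return labels (hypothetical names) for the issues that apply to this setup."""
    ver, opts, findings = parse_version(banner), parse_config(config_text), []
    if ver == (9, 1):  # pre-auth double free: 9.1 only
        findings.append("preauth-double-free")
    if (8, 7) < ver < (9, 2):  # article: versions newer than 8.7
        for args in opts.get("permitremoteopen", []):
            if args and args[0].lower() not in ("any", "none"):
                findings.append("permitremoteopen-first-arg-ignored:" + args[0])
    if ver < (9, 2):  # assumption: every release before the fix
        canon = any(a and a[0].lower() in ("yes", "always")
                    for a in opts.get("canonicalizehostname", []))
        if canon and opts.get("canonicalizepermittedcnames"):
            findings.append("known_hosts-dns-canonicalization")
    return findings

if __name__ == "__main__":
    for finding in audit("OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022", SAMPLE_CONFIG):
        print(finding)
```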

Other changes:

  • An EnableEscapeCommandline setting has been added to ssh_config for ssh to control whether client-side processing of the "~C" escape sequence, which provides a command line, is enabled. By default, "~C" handling is now disabled to allow tighter sandbox isolation, which may break systems that use "~C" for port forwarding at runtime.
  • A ChannelTimeout directive has been added to sshd_config for sshd to set a channel inactivity timeout (channels on which no traffic is recorded for the time specified in the directive are closed automatically). Different timeouts can be set for session, X11, agent, and traffic forwarding.
  • An UnusedConnectionTimeout directive has been added to sshd_config for sshd, allowing you to set a timeout for terminating client connections that have had no active channels for a certain time.
  • A "-V" option has been added to sshd to display the version, similar to the same option in the ssh client.
  • A "host" line has been added to the output of "ssh -G", showing the value of the hostname argument.
  • A "-X" option has been added to scp and sftp to control SFTP protocol parameters such as the copy buffer size and the number of pending requests.
  • ssh-keyscan now allows scanning full CIDR address ranges, for example "ssh-keyscan 192.168.0.0/24".

Source: opennet.ru
