OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, the release of OpenSSH 8.2 has been presented, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The key improvement in the OpenSSH 8.2 release is the ability to use two-factor authentication with devices that support the U2F protocol, developed by the FIDO alliance. U2F makes it possible to create low-cost hardware tokens that confirm the physical presence of the user and are accessed over USB, Bluetooth or NFC. Such devices are promoted as a means of two-factor authentication on websites, are already supported by the major browsers, and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm the user's presence, new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH. They use the ECDSA and Ed25519 digital signature algorithms, combined with the SHA-256 hash. The procedures for interacting with tokens are placed in an intermediate library, which is loaded in the same way as the library for PKCS#11 support and is a wrapper on top of the libfido2 library, which provides tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, is included in the core libfido2, as is the HID driver for OpenBSD.

To authenticate and to generate a key, you must specify the "SecurityKeyProvider" parameter in the settings or set the SSH_SK_PROVIDER environment variable, pointing to the path of the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). It is possible to build openssh with built-in support for the intermediate library (--with-security-key-builtin); in that case you need to set the parameter "SecurityKeyProvider=internal".
Next, run "ssh-keygen -t ecdsa-sk" or, if the keys have already been created and configured, connect to the server using "ssh". When you run ssh-keygen, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used like other keys.

The public key (id_ecdsa_sk.pub) should be copied to the server into the authorized_keys file. On the server side only the digital signature is verified, and interaction with the token takes place on the client side (you do not need to install libsk-libfido2 on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle, which forms a real key only in combination with the secret sequence stored on the U2F token. If the id_ecdsa_sk key falls into the hands of an attacker, they will also need access to the hardware token in order to authenticate; without it, the private key stored in the id_ecdsa_sk file is useless.

In addition, by default, every operation with the key (both generation and authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes it difficult to carry out remote attacks on systems with a connected token. As another line of defence, a passphrase for access to the key file can be specified at the ssh-keygen stage.

The new OpenSSH release also announces the upcoming deprecation of algorithms that use SHA-1 hashes, because of the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, the developers plan to disable by default the ability to use the public key digital signature algorithm "ssh-rsa", which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test the use of ssh-rsa on your systems, you can try connecting via ssh with the option "-oHostKeyAlgorithms=-ssh-rsa").

To ease the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more secure algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2 the ability to connect using "ssh-rsa" is still present, but this algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for signing new certificates. Similarly, the diffie-hellman-group14-sha1 algorithm has been removed from the default supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries additional risk, since the attacker has unlimited time to find a collision for an existing certificate, while the time for an attack on host keys is limited by the connection timeout (LoginGraceTime).
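To find where the SHA-1 based algorithms named above are still enabled, the following added example (not part of the original article or of OpenSSH) scans effective server settings in the "keyword value" format printed by `sshd -T`. The sample input is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample standing in for real `sshd -T` output.
sample_sshd_T() {
cat <<'EOF'
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
casignaturealgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512
EOF
}

# Read `sshd -T` style lines on stdin and print "keyword: algorithm"
# for every SHA-1 based signature or key exchange algorithm found.
find_sha1_algorithms() {
    awk '
    {
        key = tolower($1)
        # Only keywords whose value is a comma-separated algorithm list.
        if (key !~ /^(kexalgorithms|hostkeyalgorithms|casignaturealgorithms|pubkeyaccepted(keytypes|algorithms))$/)
            next
        n = split($2, alg, ",")
        for (i = 1; i <= n; i++) {
            a = alg[i]
            # "ssh-rsa" (plain or certificate form) signs with SHA-1;
            # "-sha1" suffix covers diffie-hellman-group14-sha1 and similar.
            if (a == "ssh-rsa" || a ~ /^ssh-rsa-cert-/ || a ~ /-sha1$/)
                print key ": " a
        }
    }'
}

# Stand-alone run on the constructed sample.
# On a real server: sshd -T | find_sha1_algorithms
sample_sshd_T | find_sha1_algorithms
```

An empty result means none of the watched lists contain a SHA-1 based algorithm.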

ssh-keygen now defaults to the rsa-sha2-512 algorithm, which is supported since OpenSSH 7.2. This can cause compatibility problems when trying to process certificates signed with OpenSSH 8.2 on systems running older OpenSSH releases (to work around the problem when generating a signature, you can explicitly specify "ssh-keygen -t ssh-rsa" or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).

Other changes:

  • The Include directive has been added to sshd_config, which lets you include the contents of other files at the current position of the configuration file (glob masks can be used when specifying the file name);
  • The "no-touch-required" option has been added to ssh-keygen, which disables the need to physically confirm access to the token when generating a key;
  • The PubkeyAuthOptions directive has been added to sshd_config, which combines various options related to public key authentication. At present only the "no-touch-required" flag is supported, to skip the physical presence check for token authentication. By analogy, the "no-touch-required" option has been added to the authorized_keys file;
  • The "-O write-attestation=/path" option has been added to ssh-keygen to allow additional FIDO attestation certificates to be written when generating keys. OpenSSH does not yet use these certificates, but they can be used later to verify that a key is stored in a trusted hardware store;
  • In the ssh and sshd settings, it is now possible to set the traffic prioritization mode LE DSCP (Lower-Effort Per-Hop Behavior) via the IPQoS directive;
  • In ssh, when the value "AddKeysToAgent=yes" is set and the key does not contain a comment field, it is added to ssh-agent with the path to the key as the comment;
  • ssh-keygen and ssh-agent now also use PKCS#11 labels and the X.509 subject name instead of the library path as the comment in the key;

  • The ability to export PEM for DSA and ECDSA keys has been added to ssh-keygen;
  • A new executable, ssh-sk-helper, has been added, which is used to isolate the FIDO/U2F token access library;
  • The "--with-zlib" build option has been added for ssh and sshd to build with zlib library support;
  • In accordance with the requirement of RFC4253, a warning about access being blocked because the MaxStartups limits were exceeded is now given in the banner displayed on connection. To simplify diagnostics, the sshd process title, visible when using the ps utility, now shows the number of connections currently being authenticated and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when calling the program specified via $SSH_ASKPASS to display a prompt on the screen, a flag with the prompt type is now passed: "confirm" for a confirmation dialog (yes/no), "none" for an informational message, "blank" for a password request;
  • A new digital signature operation, "find-principals", has been added to ssh-keygen to search the allowed-signers file for the user associated with a given digital signature;
  • Improved support for sshd process isolation on Linux using the seccomp mechanism: IPC system calls are disabled, and clock_gettime64(), clock_nanosleep_time64 and clock_nanosleep() are allowed.
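Because "no-touch-required" in authorized_keys removes the physical presence check described earlier, it is worth auditing which entries carry it. The following is an added example, not part of the original article or of OpenSSH: the sample file and its key blobs are constructed placeholders, and sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com are the type strings that appear in public key lines for "ecdsa-sk" and "ed25519-sk" keys.

```shell
#!/bin/sh
# Constructed sample authorized_keys content; key blobs are placeholders.
sample_authorized_keys() {
cat <<'EOF'
# constructed sample, not real keys
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER alice@laptop
no-touch-required,from="10.0.0.0/8" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaPLACEHOLDER ci-bot
command="/usr/bin/backup run" ssh-ed25519 AAAAC3NzaC1lZDI1PLACEHOLDER backup
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER legacy
EOF
}

# Read authorized_keys lines on stdin and print "line: keytype status".
#   fido-touch-required  token-backed key, presence check enforced
#   fido-no-touch        token-backed key with no-touch-required set
#   software-key         ordinary key, no hardware token involved
classify_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    {
        # The key type is the field directly followed by the base64 blob,
        # which always starts with "AAAA"; anything before it is options
        # (options may contain quoted strings with spaces).
        t = 0
        for (i = 1; i < NF; i++)
            if ($i ~ /^(sk-)?(ssh-|ecdsa-sha2-)/ && $(i + 1) ~ /^AAAA/) { t = i; break }
        if (!t) { print NR ": unparsed"; next }
        opts = ""
        for (i = 1; i < t; i++) opts = opts (i > 1 ? " " : "") $i
        if ($t !~ /^sk-/)
            status = "software-key"
        else if (opts ~ /(^|,)no-touch-required(,|$)/)
            status = "fido-no-touch"
        else
            status = "fido-touch-required"
        print NR ": " $t " " status
    }'
}

# Stand-alone run on the constructed sample.
# On a real host: classify_keys < ~/.ssh/authorized_keys
sample_authorized_keys | classify_keys
```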

source: budenet.ru
