Release of OpenSSH 8.0

After five months of development, OpenSSH 8.0 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Major changes:

  • Experimental support for a key exchange method resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers are radically faster at solving the problem of decomposing a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (function ntrup4591761), designed for post-quantum cryptosystems, combined with the X25519 elliptic curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was introduced in 2001 as an alternative to "host:port" to make working with IPv6 easier. Today the "[::1]:22" syntax is established for IPv6, and "host/port" is easily confused with subnet notation (CIDR);
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the new NIST recommendations;
  • ssh accepts the "PKCS11Provider=none" setting to override a PKCS11Provider directive given in ssh_config;
  • sshd now logs the situation where a connection is terminated because a command was blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when prompting the user to confirm a new host key, the correct fingerprint is now accepted in place of the answer "yes" (in response to the confirmation prompt the user can paste the hash obtained separately from the clipboard, instead of comparing it manually);
  • ssh-keygen automatically increments the certificate serial number when signing several certificates on one command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command line option has been added to increase the verbosity of the output (when specified, the option is passed on to child processes, for example when ssh-pkcs11-helper is invoked by ssh-agent);
  • The "-T" option has been added to ssh-add to test whether keys held in ssh-agent are usable for digital signature creation and verification;
  • sftp-server implements the "lsetstat@openssh.com" protocol extension, which adds an SSH2_FXP_SETSTAT operation to SFTP that does not follow symbolic links;
  • Added a "-h" option to sftp to run the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd sets the $SSH_CONNECTION environment variable for PAM;
  • For sshd, the "Match final" match mode has been added to ssh_config, which is similar to "Match canonical" but does not require hostname canonicalization to be enabled;
  • Added support for the '@' prefix in sftp to suppress echoing of commands executed in batch mode;
  • When displaying the contents of a certificate with the command "ssh-keygen -Lf /path/certificate", the algorithm the CA used to sign the certificate is now shown;
  • Improved support for the Cygwin environment, for example case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed cygsshd to avoid interfering with the Microsoft-supplied port of OpenSSH;
  • Added the ability to build against the experimental OpenSSL 3.x branch;
  • A vulnerability (CVE-2019-6111) in the implementation of the scp utility has been eliminated; it allowed arbitrary files in the target directory on the client side to be overwritten when connecting to a server controlled by an attacker. The problem is that with scp the server decides which files and directories are sent to the client, and the client only checks the validity of the object names returned. The client-side check was limited to blocking traversal outside the current directory ("../") and did not take into account files being delivered under names different from those originally requested. In the case of recursive copying (-r), the names of subdirectories could be manipulated in the same way in addition to file names. For example, if the user copies files into the home directory, a server controlled by the attacker can return files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and the scp utility will save them in the user's home directory.

    In the new release, scp has been changed to check, on the client side, that the file names sent by the server correspond to the names requested. This may cause problems with wildcard handling, since wildcard expansion can be performed differently on the server and on the client. In case such differences cause the client to refuse files in scp, a "-T" option has been added to disable the client-side check. A complete fix would require a conceptual rework of the scp protocol, which is itself already obsolete, so it is recommended to use more modern protocols such as sftp and rsync instead.
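The client-side name check described above, modelled as an added example (constructed code, not OpenSSH's own scp implementation): the legacy check only stops traversal, the 8.0-style check also rejects names that do not match the request, and the last case shows the wildcard mismatch that the "-T" option exists for.

```python
import fnmatch

# Constructed model of the scp client check added in OpenSSH 8.0.
# The client remembers the name (or glob) it sent to the server and
# refuses anything the server returns that it did not ask for.

GLOB_CHARS = "*?["

def legacy_name_ok(name: str) -> bool:
    """Pre-8.0 client check: only directory traversal is rejected."""
    return name not in ("", ".", "..") and "/" not in name

def strict_name_ok(requested: str, name: str) -> bool:
    """8.0-style check: the returned name must also match the request.
    A glob request is matched with fnmatch; a plain name must be equal."""
    if not legacy_name_ok(name):
        return False
    if any(c in requested for c in GLOB_CHARS):
        return fnmatch.fnmatchcase(name, requested)
    return name == requested

def receive(requested: str, server_names: list, strict: bool = True):
    """Simulate the client receiving the names a server sends for one
    request. strict=False corresponds to the new "-T" option. Returns
    (names that would be written into the destination, names refused)."""
    check = (lambda n: strict_name_ok(requested, n)) if strict else legacy_name_ok
    accepted = [n for n in server_names if check(n)]
    rejected = [n for n in server_names if not check(n)]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed hostile response: one file was requested, the server
    # answers with a dotfile it would like to plant in $HOME as well.
    hostile = ["report.txt", ".bash_aliases", "../x"]
    print(receive("report.txt", hostile, strict=False))  # legacy: dotfile slips through
    print(receive("report.txt", hostile))                # 8.0: dotfile refused

    # Caveat from the text: brace expansion is done by the remote shell,
    # not by fnmatch, so a benign answer is refused and -T is needed.
    print(receive("*.{txt,md}", ["notes.md", "todo.txt"]))
```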

Source: opennet.ru