OpenSSH 8.3 released with a fix for an scp vulnerability

After three months of development, OpenSSH 8.3 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an scp attack in which the server can return file names other than those requested (unlike the earlier vulnerability, this attack cannot change the directory chosen by the user or the glob mask). Recall that in SCP the server decides which files and directories are sent to the client, and the client only checks that the names of the returned objects are well formed. The essence of the identified problem is that if the utimes system call fails, the file contents are interpreted as file metadata.

When connecting to a server controlled by an attacker, this behaviour could be used to write files with different names and different contents into the user's file system when copying with scp in configurations that cause the utimes call to fail (for example, when utimes is blocked by an SELinux policy or a system call filter). The likelihood of a real attack is rated as minimal, since in typical configurations the utimes call does not fail. Moreover, the attack does not go unnoticed: when scp is run, a data transfer error is displayed.
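The paragraph above describes a framing problem: the receiving side of scp must read exactly the number of content bytes the sender announced, whatever happens locally, or the remainder of the stream is parsed out of step. The following simulated scp sink is an added example written for this article; it is not OpenSSH's scp.c, and the "naive" mode is a deliberately simplified stand-in for the desynchronisation class rather than the exact code path fixed in 8.3. The byte stream it parses is constructed inline, and the utimes failure is simulated by a flag.

```python
"""Simulated scp sink (receiving side), written as an added example.

Not OpenSSH's scp.c. It models the classic scp wire format the release note
is about: the source sends control lines "Tmtime 0 atime 0", "Cmode size name",
"Dmode 0 name" and "E", and after each C line exactly `size` content bytes
plus one status byte. The sink cannot choose what it is sent; it can only
validate names and must keep byte-exact framing even when a local call such as
utimes(2) fails. The acknowledgement bytes a real sink writes back are omitted.
"""
import re
from dataclasses import dataclass, field

_T_RE = re.compile(rb"^T(\d+) 0 (\d+) 0$")
_D_RE = re.compile(rb"^D([0-7]{4}) 0 (.+)$")
_C_RE = re.compile(rb"^C([0-7]{4}) (\d+) (.+)$")


@dataclass
class Received:
    files: dict = field(default_factory=dict)   # relative path -> content bytes
    errors: list = field(default_factory=list)


def valid_name(name: bytes) -> bool:
    """The one check the sink can apply to a source-chosen name: it must be a
    single path component, so it cannot escape the destination directory."""
    return name not in (b"", b".", b"..") and b"/" not in name and b"\x00" not in name


def sink(stream: bytes, utimes_ok: bool = True, robust: bool = True) -> Received:
    """Parse a constructed scp stream.

    utimes_ok=False simulates utimes(2) being refused by an SELinux policy or
    syscall filter. robust=False models a sink that abandons an entry after
    that failure without consuming the entry's payload (simplified illustration
    of the desynchronisation class, not the real OpenSSH code path).
    """
    out = Received()
    dirs: list = []          # directory nesting built from D/E records
    pending_times = None     # timestamps from the last T record, if any
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl < 0:
            out.errors.append("truncated control record")
            break
        rec, pos = stream[pos:nl], nl + 1
        if rec.startswith(b"T"):
            m = _T_RE.match(rec)
            if not m:
                out.errors.append("malformed T record")
                break
            pending_times = (int(m.group(1)), int(m.group(2)))
        elif rec.startswith(b"D"):
            m = _D_RE.match(rec)
            if not m or not valid_name(m.group(2)):
                out.errors.append(f"rejected directory name in {rec!r}")
                break
            dirs.append(m.group(2).decode())
            pending_times = None
        elif rec == b"E":
            if not dirs:
                out.errors.append("E record without matching D")
                break
            dirs.pop()
        elif rec.startswith(b"C"):
            m = _C_RE.match(rec)
            if not m or not valid_name(m.group(3)):
                out.errors.append(f"rejected file name in {rec!r}")
                break
            size, name = int(m.group(2)), m.group(3).decode()
            path = "/".join(dirs + [name])
            if pos + size + 1 > len(stream):
                out.errors.append(f"{path}: truncated payload")
                break
            if pending_times is not None and not utimes_ok:
                out.errors.append(f"{path}: set times: Operation not permitted")
                pending_times = None
                if not robust:
                    # Payload left unread: the next iteration parses file
                    # *content* as though it were the next control record.
                    continue
            # Framing depends only on `size`, never on whether the metadata
            # update succeeded, so the stream stays in sync.
            out.files[path] = stream[pos:pos + size]
            status = stream[pos + size]
            pos += size + 1
            pending_times = None
            if status != 0:
                out.errors.append(f"{path}: source reported status {status}")
        else:
            out.errors.append(f"unexpected record {rec!r}")
            break
    return out


# Constructed stream: a timestamped file whose content happens to look like a
# further C record, followed by an ordinary second file.
INNER = b"C0644 5 planted.txt\nhello\x00"
STREAM = (
    b"T1590000000 0 1590000000 0\n"
    + b"C0644 %d notes.txt\n" % len(INNER) + INNER + b"\x00"
    + b"C0644 3 real.txt\nabc\x00"
)

if __name__ == "__main__":
    for robust in (True, False):
        r = sink(STREAM, utimes_ok=False, robust=robust)
        print("robust" if robust else "naive ", sorted(r.files), r.errors)
```

With `utimes_ok=False` the robust sink still stores `notes.txt` and `real.txt` exactly as announced and only reports the failed timestamp update, which is the visible error the article mentions. The naive sink instead creates `planted.txt` with content taken from inside the first file's payload and then fails on the leftover status byte: the file's contents have become metadata.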

Main changes:

  • In sftp, the "-1" argument is now rejected, as ssh and scp already do, instead of being accepted and silently ignored;
  • In sshd, the IgnoreRhosts option now has three values: "yes" ignores rhosts/shosts, "no" honours rhosts/shosts, and "shosts-only" allows ".shosts" but disables ".rhosts";
  • ssh now supports %TOKEN expansion in LocalForward and RemoteForward settings used for forwarding Unix sockets;
  • Public keys can now be loaded from an unencrypted private key file when no separate public key file exists;
  • If libcrypto is available on the system, ssh and sshd now use that library's chacha20 implementation instead of the built-in portable one, which is slower;
  • The contents of a binary certificate revocation list can now be dumped with the command "ssh-keygen -lQf /path";
  • The portable version now accounts for systems on which signals set up with the SA_RESTART option interrupt select;
  • Build problems on HP/UX and AIX systems have been resolved;
  • Fixed problems building the seccomp sandbox on some Linux configurations;
  • Improved detection of the libfido2 library and fixed build problems with the "--with-security-key-builtin" option.

The OpenSSH developers also warned once again about the upcoming deprecation of algorithms based on SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public-key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice (to test for use of ssh-rsa on your systems, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).

To smooth the transition to the new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The algorithms recommended for migration are rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

In the current release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for digitally signing new certificates, since the use of SHA-1 in certificates carries additional risk: an attacker has unlimited time to find a collision for an existing certificate, whereas the time available to attack host keys is bounded by the connection timeout (LoginGraceTime).
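As an added example (not from the release notes or the OpenSSH project), here is how the measures described above look in configuration. The client-side HostKeyAlgorithms line uses the same "-ssh-rsa" removal syntax as the test command mentioned above; the explicit CASignatureAlgorithms list on the server side is my own SHA-1-free selection for illustration, not a copy of the 8.3 default.

```conf
# ~/.ssh/config (client side) -- added example, not shipped OpenSSH config
Host *
    # Remove the SHA-1 based ssh-rsa scheme from the default host key
    # algorithm set. Servers that can only sign with legacy ssh-rsa will be
    # rejected, which surfaces them for migration; servers with an RSA key
    # that support rsa-sha2-256/512 keep working.
    HostKeyAlgorithms -ssh-rsa
    # Learn the server's other host keys (e.g. ed25519) during a session so
    # the client stops depending on the RSA key signed with SHA-1.
    UpdateHostKeys yes

# /etc/ssh/sshd_config (server side) -- added example
# Certificates presented to this server must be signed with SHA-2 based
# schemes. This explicit list is an assumption chosen for illustration.
CASignatureAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256
```

The client fragment makes the deprecation visible ahead of time: any host that fails to connect after this change still relies on ssh-rsa and needs its key or its OpenSSH version updated before the default switches.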

Source: opennet.ru
