After five months of development, OpenSSH 8.5 has been released. OpenSSH is an open implementation of a client and server for the SSH 2.0 and SFTP protocols.
The OpenSSH developers reminded users of the upcoming deprecation of algorithms that rely on SHA-1 hashes, prompted by the increased practicality of chosen-prefix collision attacks (the cost of finding such a collision is estimated at about $50 thousand). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widespread in practice.
To check whether ssh-rsa is in use on your systems, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since besides SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, in addition to "ssh-rsa", the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations remain available.
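The check described above can be turned into a small audit script. The script below is an added example, not OpenSSH project code: it runs the article's "-oHostKeyAlgorithms=-ssh-rsa" probe against each host named on the command line and classifies the result from ssh's stderr. The classifier treats an authentication refusal as a successful negotiation, because by the time ssh reports "Permission denied" the host key algorithm has already been agreed without ssh-rsa; the stderr samples at the bottom are constructed, not captured from real hosts, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): probe hosts for dependence on
# the ssh-rsa host key algorithm using the check the article gives,
# "-oHostKeyAlgorithms=-ssh-rsa". A host that still negotiates after the
# exclusion offers rsa-sha2-256/512, ssh-ed25519 or ECDSA; a host that fails
# with "no matching host key type found" will break once ssh-rsa is disabled.

# classify_probe STATUS STDERR -> one of:
#   needs-ssh-rsa  server offered nothing acceptable once ssh-rsa was removed
#   ok             key exchange completed (even if authentication was refused
#                  afterwards, which only shows the probe has no credentials)
#   unknown        other failure: unreachable host, timeout, ...
classify_probe() {
    _status=$1; _stderr=$2
    if printf '%s\n' "$_stderr" | grep -q 'no matching host key type found'; then
        echo needs-ssh-rsa
    elif [ "$_status" -eq 0 ] || printf '%s\n' "$_stderr" \
            | grep -Eq 'Permission denied|Host key verification failed'; then
        echo ok
    else
        echo unknown
    fi
}

# offered_hostkeys STDERR -> the algorithm list the server offered, if any
offered_hostkeys() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p'
}

# probe_host HOST -> classification for a live host (needs network access).
# BatchMode prevents any interactive prompt; "exit" is the remote command.
probe_host() {
    _err=$(ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes \
               -oConnectTimeout=5 "$1" exit 2>&1)
    classify_probe "$?" "$_err"
}

# Constructed stderr samples (not captured from real hosts) so the
# classifier can be exercised offline:
SAMPLE_LEGACY='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
SAMPLE_MODERN='user@192.0.2.11: Permission denied (publickey).'
SAMPLE_DOWN='ssh: connect to host 192.0.2.12 port 22: Connection timed out'

if [ $# -gt 0 ]; then
    # Real probe: one line per host, "host<TAB>classification"
    for h in "$@"; do printf '%s\t%s\n' "$h" "$(probe_host "$h")"; done
else
    # Offline demonstration on the constructed samples
    for s in "$SAMPLE_LEGACY" "$SAMPLE_MODERN" "$SAMPLE_DOWN"; do
        printf '%s\t%s\n' "$(classify_probe 255 "$s")" "$(offered_hostkeys "$s")"
    done
fi
```

Run it as `sh probe-ssh-rsa.sh host1 host2` to get one classification per host; hosts reported as needs-ssh-rsa need a server upgrade (rsa-sha2 support arrived with OpenSSH 7.2) or a non-RSA host key before the default changes.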
To make the transition to the new algorithms smoother, OpenSSH 8.5 enables the UpdateHostKeys setting by default, which lets clients switch automatically to more reliable algorithms. With this setting, the special protocol extension "[email protected]" is enabled, allowing the server, after authentication, to inform the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to change keys on the server.
The use of UpdateHostKeys is subject to several restrictions that may be lifted in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; host key certificates must not be used; hostname wildcards must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be enabled.
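The restrictions above are easy to violate unknowingly in a known_hosts file that has grown over years. The script below is an added example, not OpenSSH project code: it audits a known_hosts file for three of the listed conditions (hostname wildcards, certificate-authority entries, and one key recorded under more than one entry) and reports each finding with its line number. The sample file it creates is constructed and contains no real keys or hosts.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): audit a known_hosts file for the
# conditions under which OpenSSH 8.5 skips the UpdateHostKeys host key
# update, as listed in the article: entries matched through a hostname
# wildcard, certificate-authority entries, and the same key recorded under
# more than one entry. Hashed (|1|...) entries cannot be a wildcard and are
# passed over by the wildcard check.

# audit_known_hosts FILE -> one finding per line, "category:lines:detail"
audit_known_hosts() {
    awk '
    /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
    {
        # An entry may start with a marker (@cert-authority, @revoked);
        # the hostname list, key type and key blob follow it.
        marker = ""; hosts = $1; type = $2; key = $3
        if (substr($1, 1, 1) == "@") { marker = $1; hosts = $2; type = $3; key = $4 }
        if (marker == "@cert-authority")
            print "cert-authority:" NR ":" hosts
        if (substr(hosts, 1, 3) != "|1|" && hosts ~ /[*?]/)
            print "wildcard:" NR ":" hosts
        # Track every line on which the same (type, key) pair appears
        id = type " " key
        seen[id] = seen[id] (seen[id] == "" ? "" : ",") NR
        count[id]++
    }
    END {
        for (id in count)
            if (count[id] > 1)
                print "duplicate-key:" seen[id] ":" substr(id, 1, index(id, " ") - 1)
    }' "$1"
}

# count_findings FILE CATEGORY -> number of findings in that category
count_findings() {
    audit_known_hosts "$1" | grep -c "^$2:" || true
}

# Constructed sample known_hosts (no real hosts or keys) for demonstration
KH=$(mktemp)
trap 'rm -f "$KH"' EXIT
cat > "$KH" <<'EOF'
# constructed sample entries (not real hosts or keys)
host1.example,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE
*.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO
alias.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE
@cert-authority *.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECA
|1|aGFzaGVkc2FsdA==|aGFzaGVkaG9zdA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTHREE
EOF

audit_known_hosts "$KH"
```

Point it at a real file with `audit_known_hosts ~/.ssh/known_hosts`; entries flagged as wildcard or duplicate-key are the ones for which the client will silently skip the automatic key update, so those hosts still need a manual key rotation.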
Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Other changes:
- Security-related changes:
  - A vulnerability caused by freeing an already freed memory region (double-free) has been fixed in ssh-agent. The problem has existed since the release of OpenSSH 8.2 and can potentially be exploited if an attacker has access to the ssh-agent socket on the local system. Exploitation is made harder by the fact that only root and the original user have access to the socket. The most likely attack scenario is the agent being forwarded to an account controlled by the attacker, or to a host where the attacker has root access.
  - sshd now guards against passing an overly long username to the PAM subsystem, which blocks vulnerabilities in PAM (Pluggable Authentication Module) system modules. For example, the change prevents sshd from being used as a vector to exploit the recently discovered root vulnerability in Solaris (CVE-2020-14871).
- Changes that may break compatibility:
  - In ssh and sshd, the experimental key exchange method resistant to attack by a quantum computer has been reworked. Quantum computers solve the problem of factoring a natural number into primes, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors, radically faster. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and on the X25519 elliptic-curve key exchange. Instead of [email protected], the method is now identified as [email protected] (the sntrup4591761 algorithm has been replaced by sntrup761).
  - In ssh and sshd, the order in which supported digital signature algorithms are advertised has been changed. ED25519 is now offered first instead of ECDSA.
  - In ssh and sshd, the TOS/DSCP quality-of-service parameters for interactive sessions are now set before the TCP connection is established.
  - Support for the [email protected] cipher, which is identical to aes256-cbc and was used before RFC 4253 was approved, has been dropped from ssh and sshd.
  - The CheckHostIP parameter is now disabled by default: its benefit is negligible, while its use significantly complicates key rotation for hosts behind load balancers.
- The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate at which handlers are started, based on the client address. These settings allow finer control over the limit on process startups than the global MaxStartups setting.
- A new LogVerbose setting has been added to ssh and sshd, which allows the level of debugging information written to the log to be raised forcibly, with the ability to filter by pattern, function and file.
- In ssh, when a new host key is accepted, all hostnames and IP addresses associated with that key are displayed.
- ssh accepts the UserKnownHostsFile=none option to disable use of the known_hosts file when verifying the host key.
- A KnownHostsCommand setting has been added to ssh_config for ssh, allowing known_hosts data to be obtained from the output of a command.
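As an added example that is not OpenSSH project code, the script below can serve as such a KnownHostsCommand: it answers the client's host key lookup from a directory of per-host key files (for instance distributed from an inventory system) and prints the matching entries in known_hosts format. It assumes it is configured as `KnownHostsCommand /usr/local/bin/inventory-known-hosts %H`, where %H is the ssh_config token for the hostname being looked up; the `$KEYDIR/<host>.pub` layout is an assumption of this example, and the key material in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): a script usable as a
# KnownHostsCommand that answers the client's host key lookup from a local
# directory of per-host key files instead of ~/.ssh/known_hosts. Configure
# it in ssh_config as
#   KnownHostsCommand /usr/local/bin/inventory-known-hosts %H
# The %H token (hostname being searched for) comes from ssh_config(5); the
# directory layout assumed here ($KEYDIR/<host>.pub, one "type key" per
# line) is an assumption of this example, not an OpenSSH convention.

KEYDIR=${KEYDIR:-/etc/ssh/inventory_keys}

# Validate the hostname before using it as a file name: only characters
# that occur in a host name or address are accepted and leading dots or
# ".." sequences are rejected, so an argument like "../x" cannot escape
# the directory. Bracketed forms such as "[host]:2222" are rejected too.
valid_host() {
    case $1 in
        ''|*[!A-Za-z0-9.:_-]*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# lookup_host_keys DIR HOST -> known_hosts-format lines for HOST.
# Prints nothing when no file exists, so the client falls back to its
# other sources; returns 1 for a hostname that fails validation.
lookup_host_keys() {
    _dir=$1; _host=$2
    valid_host "$_host" || return 1
    [ -f "$_dir/$_host.pub" ] || return 0
    # Skip blanks/comments, keep only "type base64" lines, prefix the host.
    awk -v h="$_host" 'NF >= 2 && $1 !~ /^#/ { print h " " $1 " " $2 }' \
        "$_dir/$_host.pub"
}

if [ $# -gt 0 ]; then
    # Invoked by ssh: argument is the %H token
    lookup_host_keys "$KEYDIR" "$1"
    exit $?
fi

# Stand-alone demonstration on a constructed directory (the key blobs are
# placeholders, not real host keys)
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/db.example.pub" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDB
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLERSAKEY
EOF
lookup_host_keys "$DEMO" db.example
```

Note that an RSA host key is still recorded with the key type `ssh-rsa` in known_hosts output; that is the key format, not the signature algorithm, so the connection can still negotiate rsa-sha2-256 or rsa-sha2-512 for the server's signature even after the ssh-rsa signature algorithm is disabled.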
- The PermitRemoteOpen option has been added to ssh_config for ssh, allowing the destinations to be restricted when the RemoteForward option is used with SOCKS.
- In ssh, for FIDO keys, the PIN is requested again when a digital signature operation fails because of an incorrect PIN and the user was not prompted for the PIN (for example, when correct biometric data could not be obtained and the device fell back to manual PIN entry).
- sshd has added support for additional system calls to the seccomp-bpf-based sandbox isolation mechanism on Linux.
- The contrib/ssh-copy-id utility has been updated.
Source: opennet.ru