OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, OpenSSH 8.2 has been released: an open client and server implementation of the SSH 2.0 and SFTP protocols.

A key improvement in the OpenSSH 8.2 release is the ability to use two-factor authentication with devices that support the U2F protocol, developed by the FIDO Alliance. U2F makes it possible to build low-cost hardware tokens that verify the user's physical presence, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a second factor for authentication on websites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that confirm the user's presence, the new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH; they use the ECDSA and Ed25519 digital signature algorithms in combination with the SHA-256 hash. The procedures for interacting with tokens are placed in an intermediate library, which is loaded in the same way as the library for PKCS#11 support and is a wrapper over the libfido2 library, which provides the means to communicate with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, is included in the libfido2 code base, as is the HID driver for OpenBSD.

To authenticate and generate a key, you need to specify the "SecurityKeyProvider" parameter in the configuration or set the SSH_SK_PROVIDER environment variable, pointing at the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). It is also possible to build OpenSSH with built-in support for this layer library (--with-security-key-builtin), in which case the "SecurityKeyProvider=internal" parameter should be set.

Next, run "ssh-keygen -t ecdsa-sk" or, if the keys have already been created and configured, connect to the server with "ssh". When ssh-keygen is run, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used in the same way as any other key.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side only the digital signature is verified; all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle, which forms the real key only in combination with the secret sequence stored on the U2F token. If the id_ecdsa_sk key falls into the hands of an attacker, they would also need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless.

In addition, by default, any operation with such keys (both during generation and during authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes it hard to carry out a remote attack against a machine with a token plugged in. As a further line of defence, a password can also be set when ssh-keygen is run, to protect access to the key file.
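Because the server only verifies signatures and never talks to the token, whether a key is hardware-backed is visible in the public key itself. The following is an added example (mine, not OpenSSH's own code) that decodes the public-key blobs in an authorized_keys file and reports which entries are ecdsa-sk/ed25519-sk keys, which FIDO application string they were enrolled under, and which entries carry the no-touch-required option (listed among the other changes in this release) that waives the presence check described above. The wire-format type names "sk-ecdsa-sha2-nistp256@openssh.com" and "sk-ssh-ed25519@openssh.com" and the blob layout follow OpenSSH's PROTOCOL.u2f; the sample entries and the function names are constructed for this example.

```python
"""Audit an authorized_keys file for FIDO/U2F-backed ("-sk") keys.

Added example, not OpenSSH code. It decodes the public-key wire format from
OpenSSH's PROTOCOL.u2f: length-prefixed strings (4-byte big-endian length,
then bytes) holding the key type, the curve name (ECDSA only), the public
point and the FIDO application string. The keys below are constructed with
dummy point bytes so the parser runs offline; none of them is a real key.
"""
import base64
import re
import struct

# Wire-format names behind the "ecdsa-sk" / "ed25519-sk" key types.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
}
# One option: a run of unquoted non-comma characters or a double-quoted value.
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')

def read_string(blob, offset):
    """Read one SSH wire-format string, returning (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated string body")
    return blob[start:start + length], start + length

def parse_sk_blob(blob):
    """Decode an sk public-key blob; None for keys that are not sk keys."""
    raw_type, off = read_string(blob, 0)
    ktype = raw_type.decode("ascii", "replace")
    if ktype not in SK_TYPES:
        return None
    info = {"type": ktype, "short": SK_TYPES[ktype]}
    if ktype.startswith("sk-ecdsa"):
        curve, off = read_string(blob, off)
        info["curve"] = curve.decode("ascii", "replace")
    _point, off = read_string(blob, off)  # public point, not needed here
    application, off = read_string(blob, off)
    info["application"] = application.decode("utf-8", "replace")
    return info

def _first_field(line):
    """Split off the first field, treating double-quoted text as one unit."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted:
            i += 1  # skip the escaped character
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip()

def parse_authorized_key(line):
    """Parse one authorized_keys entry; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field, rest = _first_field(line)
    options = []
    if not field.startswith(("ssh-", "ecdsa-", "sk-")):
        options = OPTION_RE.findall(field)  # entry starts with an options field
        field, rest = _first_field(rest)
    b64, comment = _first_field(rest)
    return {
        "type": field,
        "options": options,
        "comment": comment,
        "sk": parse_sk_blob(base64.b64decode(b64)),
        "no_touch": "no-touch-required" in options,
    }

def audit(text):
    """One finding per key: hardware-backed or not, and whether touch is waived."""
    return [e for e in map(parse_authorized_key, text.splitlines()) if e]

# Constructed sample data (dummy points, not real keys).
def _s(b):
    return struct.pack(">I", len(b)) + b

def _b64(blob):
    return base64.b64encode(blob).decode("ascii")

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "sk-ecdsa-sha2-nistp256@openssh.com "
    + _b64(_s(b"sk-ecdsa-sha2-nistp256@openssh.com") + _s(b"nistp256")
           + _s(b"\x04" + b"\x11" * 64) + _s(b"ssh:")) + " alice@laptop",
    'no-touch-required,command="/usr/local/bin/backup" sk-ssh-ed25519@openssh.com '
    + _b64(_s(b"sk-ssh-ed25519@openssh.com") + _s(b"\x22" * 32) + _s(b"ssh:backup"))
    + " backup-token",
    "ssh-ed25519 " + _b64(_s(b"ssh-ed25519") + _s(b"\x33" * 32)) + " bob@desk",
])
```

Running audit() over a real file gives a quick inventory of which accounts are protected by a hardware token and which entries waive the touch requirement; the latter deserve the same scrutiny as an unattended software key, since the presence check is the property that makes a stolen id_ecdsa_sk file useless on its own.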

The new version of OpenSSH also announces the upcoming deprecation of algorithms that use SHA-1 hashes, owing to the increased practicality of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, the developers plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test whether ssh-rsa is in use in your environment, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).

To smooth the transition to the new algorithms in OpenSSH, the UpdateHostKeys setting will be enabled by default in a future release, which will automatically migrate clients to more robust algorithms. Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2, connecting with "ssh-rsa" is still possible, but the algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed to sign new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that using SHA-1 in certificates carries additional risk, since an attacker has unlimited time to search for a collision against an existing certificate, whereas an attack on host keys is limited by the connection timeout (LoginGraceTime).

Running ssh-keygen now defaults to the rsa-sha2-512 algorithm, supported since OpenSSH 7.2, which can cause compatibility problems when certificates signed with OpenSSH 8.2 are processed on systems running older OpenSSH releases (to work around this when creating a signature, you can explicitly specify "ssh-keygen -t ssh-rsa" or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).
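To make the "-oHostKeyAlgorithms=-ssh-rsa" probe and the CASignatureAlgorithms change above concrete, here is an added example (mine, not OpenSSH's code) that implements the algorithm-list syntax documented in ssh_config(5) and sshd_config(5) ("-" removes matching patterns from the default list, "+" appends to it, "^" prepends to it), flags entries that still rely on SHA-1, and simulates the RFC 4253 negotiation against the host-key algorithms a server offers. DEFAULT_HOSTKEY_ALGS is an abbreviated illustration and not the exact OpenSSH 8.2 default; all function names are assumptions of this example.

```python
"""Resolve OpenSSH algorithm-list options and flag SHA-1-based entries.

Added example, not OpenSSH code. A value starting with "-" removes the
listed patterns from the default list, "+" appends the listed names,
"^" places them at the head, and anything else replaces the list outright.
The default list below is an abbreviated illustration (assumption), not the
exact OpenSSH 8.2 default, which also contains sk and further cert variants.
"""

# Abbreviated client HostKeyAlgorithms default, in preference order (assumed).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

# Algorithms whose signature or key-exchange hash is SHA-1.
SHA1_BASED = {
    "ssh-rsa", "ssh-dss",
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

def match_pattern(name, pattern):
    """OpenSSH-style wildcard match: '*' any run, '?' any single character."""
    if not pattern:
        return not name
    if pattern[0] == "*":
        return any(match_pattern(name[i:], pattern[1:]) for i in range(len(name) + 1))
    return bool(name) and pattern[0] in ("?", name[0]) and match_pattern(name[1:], pattern[1:])

def resolve_list(spec, default):
    """Apply a +/-/^ list specification to the default algorithm list."""
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        return [a for a in default if not any(match_pattern(a, p) for p in patterns)]
    if spec.startswith("+"):
        return default + [a for a in spec[1:].split(",") if a not in default]
    if spec.startswith("^"):
        head = spec[1:].split(",")
        return head + [a for a in default if a not in head]
    return spec.split(",")

def base_algorithm(name):
    """Strip the certificate suffix so cert variants inherit their base's hash."""
    suffix = "-cert-v01@openssh.com"
    return name[:-len(suffix)] if name.endswith(suffix) else name

def sha1_dependent(algs):
    """Entries of an algorithm list that still rely on SHA-1."""
    return [a for a in algs if base_algorithm(a) in SHA1_BASED]

def negotiate(client_list, server_list):
    """RFC 4253 choice: the first client-preferred algorithm the server offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None

def check_server(server_host_key_algs):
    """Simulate the '-oHostKeyAlgorithms=-ssh-rsa' probe against a server that
    offers the given host-key algorithms; None means the probe fails, i.e. the
    server cannot authenticate without ssh-rsa."""
    probe_list = resolve_list("-ssh-rsa", DEFAULT_HOSTKEY_ALGS)
    return negotiate(probe_list, server_host_key_algs)
```

The probe only fails against a server that offers nothing but ssh-rsa; a server with an RSA host key that also supports the rsa-sha2-* signature types still negotiates, which is exactly what the migration to the RFC8332 algorithms relies on. Note that "-ssh-rsa" leaves the certificate variant in place, so a pattern such as "-ssh-rsa*" is needed to remove both. The same resolve_list() applies to CASignatureAlgorithms and KexAlgorithms, for instance to confirm that diffie-hellman-group14-sha1 has disappeared from a customised list.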

Other changes:

  • The Include directive has been added to sshd_config, which allows the contents of other files to be included at the current position of the configuration file (glob patterns can be used when specifying the file name);
  • The "no-touch-required" option has been added to ssh-keygen, which removes the requirement for physical confirmation of access to the token when generating a key;
  • The PubkeyAuthOptions directive has been added to sshd_config, which groups various options related to public key authentication. Currently, only the "no-touch-required" flag is supported, to skip the physical presence check during token authentication. Correspondingly, the "no-touch-required" option has been added to the authorized_keys file;
  • The "-O write-attestation=/path" option has been added to ssh-keygen, allowing additional FIDO attestation certificates to be written when generating keys. OpenSSH does not yet use these certificates, but later they can be used to verify that the key was placed in trusted hardware;
  • In the ssh and sshd settings, it is now possible to set the traffic priority mode via the IPQoS directive to LE DSCP (Lower-Effort Per-Hop Behavior);
  • In ssh, when "AddKeysToAgent=yes" is set, a key that has no comment is added to ssh-agent with the path to the key as its comment. ssh-keygen and ssh-agent now also use PKCS#11 labels and X.509 subject names instead of the library path as the key comment;
  • Added the ability to export DSA and ECDSA keys in PEM format to ssh-keygen;
  • Added a new executable, ssh-sk-helper, used to isolate the FIDO/U2F token access library;
  • Added the "--with-zlib" build option for ssh and sshd, to build with zlib library support;
  • In accordance with the requirements of RFC4253, a warning that the connection was refused because the MaxStartups limit was exceeded is now sent to the client when connecting. To simplify diagnostics, the sshd process title, visible with the ps utility, now shows the number of connections currently being authenticated and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when calling the program specified in $SSH_ASKPASS to display a prompt on screen, a flag with the prompt type is now passed in addition: "confirm" - a confirmation dialog (yes/no), "none" - an informational message, an empty value ("blank") - a password request;
  • Added a new digital signature operation, "find-principals", to ssh-keygen, which searches the allowed signers file for the principal (user identity) associated with the given digital signature;
  • Improved support for sshd process isolation on Linux using the seccomp mechanism: IPC system calls are disabled, and clock_gettime64(), clock_nanosleep_time64() and clock_nanosleep() are allowed.

Source: opennet.ru
