Release of OpenSSH 8.2 with support for FIDO/U2F two-factor authentication tokens.

After four months of development, OpenSSH 8.2 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

A key new feature in OpenSSH 8.2 is the ability to use two-factor authentication devices that support the U2F protocol developed by the FIDO Alliance. U2F makes it possible to build low-cost hardware tokens that verify the physical presence of the user, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a second authentication factor for websites, are already supported by the major browsers, and are produced by a number of manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that confirm user presence, new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH; they use the ECDSA and Ed25519 digital signature algorithms together with the SHA-256 hash. The routines for talking to the token live in an intermediate library, which is loaded in the same way as the library used for PKCS#11 support and is a wrapper over libfido2, the library that provides the tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, has been merged into the main libfido2 code base, as has the HID driver for OpenBSD.

To enable the token and discover keys, set the "SecurityKeyProvider" parameter in the configuration or the SSH_SK_PROVIDER environment variable to the path of the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). OpenSSH can also be built with the wrapper library compiled in (--with-security-key-builtin), in which case the parameter should be set to "SecurityKeyProvider=internal".
Next, run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server with "ssh". When ssh-keygen is run, the generated key pair is saved as "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) should be copied to the server's authorized_keys file. On the server side only the digital signature is verified, and all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it forms a real key only in combination with the secret stored on the U2F token. If the id_ecdsa_sk key falls into the hands of an attacker, passing authentication would additionally require access to the hardware token, without which the private key stored in the id_ecdsa_sk file is useless.

In addition, by default every operation with the key (both generation and authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes remote attacks on systems with a connected token harder to carry out. As a further line of defence, a passphrase can be set when running ssh-keygen to protect access to the key file.

The new OpenSSH version also announces the upcoming deprecation of algorithms based on SHA-1 hashes, owing to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at around 45 thousand dollars). In one of the upcoming releases the developers plan to disable by default the "ssh-rsa" public key signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to check whether ssh-rsa is in use on your systems, try connecting with ssh and the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to the new algorithms, a future OpenSSH release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more robust algorithms. The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2 it is still possible to connect using "ssh-rsa", but the algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for signing new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries an additional risk, since an attacker has unlimited time to search for a collision against an existing certificate, whereas the time available to attack host keys is bounded by the connection timeout (LoginGraceTime).

ssh-keygen now defaults to the rsa-sha2-512 algorithm, supported since OpenSSH 7.2, which may cause compatibility problems when certificates signed with OpenSSH 8.2 are processed on systems running older OpenSSH releases (to work around this when producing a signature, you can explicitly specify "ssh-keygen -t ssh-rsa" or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).

Other changes:

  • An Include directive has been added to sshd_config, which inserts the contents of other files at the current position in the configuration file (glob patterns may be used when specifying the file name);
  • A "no-touch-required" option has been added to ssh-keygen which, set when generating a key, disables the requirement to confirm access to the token;
  • A PubkeyAuthOptions directive has been added to sshd_config, grouping various options related to public key authentication. Currently only the "no-touch-required" flag is supported, which skips the physical presence check for token authentication. By analogy, a "no-touch-required" option has been added for the authorized_keys file;
  • A "-O write-attestation=/path" option has been added to ssh-keygen to allow an additional FIDO attestation certificate to be written when generating a key. OpenSSH does not yet use these certificates, but they can later be used to verify that the key is held in trusted hardware storage;
  • In the ssh and sshd configuration it is now possible to set the traffic priority mode via the IPQoS directive to LE DSCP (Lower Effort Per-Hop Behavior);
  • In ssh, when "AddKeysToAgent=yes" is set and a key has no comment field, the key is added to ssh-agent with its path as the comment. In ssh-keygen and ssh-agent, PKCS#11 labels and X.509 subject names are now used as key comments instead of the library path;
  • ssh-keygen can now export DSA and ECDSA keys in PEM format;
  • A new helper executable, ssh-sk-helper, has been added; it is used to isolate the FIDO/U2F token access library;
  • A "--with-zlib" build option has been added so that ssh and sshd are compiled with zlib library support;
  • As required by RFC4253, a warning about access being refused because the MaxStartups limit was exceeded is now included in the banner shown during connection. To simplify diagnostics, the main sshd process, as seen in the ps utility, now displays the number of current connections and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when the program specified via $SSH_ASKPASS is invoked to display a prompt, an environment variable carrying the type of the current prompt is now passed: "confirm" for a confirmation dialog (yes/no), "none" for an informational message, "blank" for a password request;
  • A new signature operation "find-principals" has been added to ssh-keygen, which searches the allowed signers file for the principal associated with a given signature;
  • Improved sandboxing of the sshd process on Linux using seccomp: IPC system calls are disabled, and clock_gettime64(), clock_nanosleep_time64() and clock_nanosleep() are allowed.
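The authorized_keys step above and the "no-touch-required" option can be checked offline. The following is an added example, not OpenSSH code: it splits an authorized_keys line the way sshd does (optional options, key type, base64 blob, comment), verifies that the type string inside the blob matches the declared type, and for FIDO ("-sk") keys extracts the application string and reports whether "no-touch-required" disables the presence check. The sample lines and key bytes are constructed (32 zero bytes stand in for a real public key); it assumes option values contain no spaces.

```python
"""Audit authorized_keys lines for FIDO/U2F ("-sk") keys (added example)."""
import base64
import struct

# Wire-format names OpenSSH uses for the keys ssh-keygen calls ecdsa-sk / ed25519-sk
SK_TYPES = ("sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com")


def ssh_string(data):
    """Encode bytes as an SSH wire string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def read_string(blob, off):
    """Decode one SSH wire string at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def audit(line):
    """Describe one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        options, line = line.split(None, 1)        # leading options field present
    parts = line.split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = read_string(blob, 0)
    result = {"type": key_type, "application": None, "touch_required": None, "findings": []}
    if wire_type.decode() != key_type:
        result["findings"].append("declared %s but blob says %s" % (key_type, wire_type.decode()))
    if key_type in SK_TYPES:
        if key_type.startswith("sk-ecdsa"):
            _, off = read_string(blob, off)          # curve name, e.g. nistp256
        _, off = read_string(blob, off)              # raw public key bytes
        app, _ = read_string(blob, off)              # application string, "ssh:" for OpenSSH
        result["application"] = app.decode()
        result["touch_required"] = "no-touch-required" not in options.split(",")
        if not result["touch_required"]:
            result["findings"].append("sk key accepted without a physical presence check")
    return result


# Constructed sample: fake sk-ed25519 blob, once with and once without no-touch-required
_BLOB = ssh_string(b"sk-ssh-ed25519@openssh.com") + ssh_string(b"\x00" * 32) + ssh_string(b"ssh:")
SAMPLE_LAX = "no-touch-required,restrict sk-ssh-ed25519@openssh.com %s u2f@laptop" % base64.b64encode(_BLOB).decode()
SAMPLE_STRICT = "sk-ssh-ed25519@openssh.com %s u2f@laptop" % base64.b64encode(_BLOB).decode()
```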

Source: opennet.ru