OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, OpenSSH 8.2 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

A key improvement in the OpenSSH 8.2 release is the ability to use two-factor authentication with devices that support the U2F protocol developed by the FIDO Alliance. U2F makes it possible to build low-cost hardware tokens that verify the physical presence of the user and communicate with the host over USB, Bluetooth or NFC. Such devices are promoted as a means of two-factor authentication on websites, are already supported by the major browsers, and are produced by a range of manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that confirm user presence, OpenSSH adds the new key types "ecdsa-sk" and "ed25519-sk", which use the ECDSA and Ed25519 digital signature algorithms together with the SHA-256 hash. The routines for talking to tokens have been moved into an intermediate library that is loaded in the same way as the PKCS#11 support library and acts as a wrapper around the libfido2 library, which provides the tools for communicating with tokens over USB (the FIDO U2F / CTAP 1 and FIDO 2.0 / CTAP 2 protocols are supported). The libsk-libfido2 intermediate library prepared by the OpenSSH developers has been included in the main libfido2 codebase, as has an HID driver for OpenBSD.

To authenticate and to generate a key, you need to set the "SecurityKeyProvider" parameter in the configuration or set the SSH_SK_PROVIDER environment variable, giving the path to the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). OpenSSH can also be built with the intermediate library compiled in (--with-security-key-builtin); in that case set the parameter "SecurityKeyProvider=internal".
Then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been created and configured, connect to the server with "ssh". When ssh-keygen is run, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used like any other key.

The public key (id_ecdsa_sk.pub) should be copied into the authorized_keys file on the server. The server only verifies the digital signature; all interaction with the token happens on the client (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is in fact a key handle that yields the real key only in combination with the secret sequence stored on the U2F token. If an attacker obtains the id_ecdsa_sk key, they also need access to the hardware token to authenticate; without it, the private key stored in the id_ecdsa_sk file is useless.

In addition, by default every key operation (both generation and authentication) requires local confirmation of the user's physical presence, for example by touching a sensor on the token, which makes remote attacks on systems with a connected token difficult to carry out. As a further layer of protection, a passphrase for access to the key file can also be set when ssh-keygen is run.
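The client and server side of this procedure as a POSIX shell script, added here as an example that is not part of the original article or of the OpenSSH project. It assumes libsk-libfido2.so is installed under /usr/lib (adjust for your system) and relies on the public-key type strings OpenSSH writes for ecdsa-sk and ed25519-sk keys, which the article does not quote. Its last function is a defender's check on the server: it lists sk-type entries in authorized_keys and flags those carrying the no-touch-required option mentioned in the list of changes further down, because sshd skips the physical-presence check for those entries. The sample authorized_keys file is constructed and its key blobs are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): the client/server
# steps for an ecdsa-sk key, plus a defender's audit of authorized_keys.
# Assumptions: libsk-libfido2.so lives under /usr/lib; the public-key type strings
# below are the ones OpenSSH writes for ecdsa-sk and ed25519-sk keys.

# Step 1 (client): tell ssh/ssh-keygen where the middleware library is. Not needed
# when OpenSSH was built with --with-security-key-builtin and the config says
# SecurityKeyProvider=internal.
enroll_sk_key() {
    export SSH_SK_PROVIDER="${SSH_SK_PROVIDER:-/usr/lib/libsk-libfido2.so}"  # assumed path
    # The token must be plugged in and touched during generation. No -N "" here:
    # a passphrase on the key handle file is the second layer the article mentions.
    ssh-keygen -t ecdsa-sk -f "$HOME/.ssh/id_ecdsa_sk" -C "ecdsa-sk@$(hostname)"
}

# Step 2 (server): only the public key moves; libsk-libfido2 is not needed there,
# but sshd must be a version that understands the ecdsa-sk key type.
install_sk_pubkey() {
    # $1 = user@host
    ssh-copy-id -i "$HOME/.ssh/id_ecdsa_sk.pub" "$1"
}

# Step 3 (server, offline audit): list sk-type entries in an authorized_keys file
# and flag those whose options carry no-touch-required, i.e. entries for which sshd
# skips the physical-presence check. Prints "touch|no-touch <comment>" per sk key;
# returns 1 if any entry skips the check, 0 otherwise.
audit_sk_keys() {
    # $1 = path to authorized_keys
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "sk-ecdsa-sha2-nistp256@openssh.com" ||
                $i == "sk-ssh-ed25519@openssh.com") {
                opts = (i > 1) ? $1 : ""                      # options, if any, are field 1
                comment = (NF >= i + 2) ? $(i + 2) : "(no comment)"
                if (("," opts ",") ~ /,no-touch-required,/) {
                    flagged++; print "no-touch", comment
                } else {
                    print "touch", comment
                }
                break
            }
        }
    }
    END { exit (flagged > 0) ? 1 : 0 }' "$1"
}

# Constructed authorized_keys for the offline demo; the base64 blobs are placeholders,
# not real keys. Line 3 waives the touch check with the new no-touch-required option.
make_sample_authorized_keys() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKey0000000000000 admin@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20PLACEHOLDER ecdsa-sk@laptop
no-touch-required,restrict sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER backup-sk@automation
EOF
    printf '%s\n' "$f"
}

# Offline demo on the constructed file (steps 1 and 2 need a real token and server):
sample=$(make_sample_authorized_keys)
audit_sk_keys "$sample" || echo "audit: at least one sk key waives the touch check"
rm -f "$sample"
```

Running the script prints "touch ecdsa-sk@laptop", then "no-touch backup-sk@automation", then the audit warning. The plain ssh-ed25519 entry is ignored on purpose: the touch policy only applies to keys backed by a token.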

The new OpenSSH release also announces the upcoming deprecation of algorithms that use SHA-1 hashes, because of the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is listed in the original RFC for the SSH protocol and remains widespread in practice (to test whether your systems still rely on ssh-rsa, try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to the new algorithms, the next OpenSSH release will enable the UpdateHostKeys setting by default, which automatically migrates clients to more reliable algorithms. The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

OpenSSH 8.2 still supports connecting with "ssh-rsa", but this algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms permitted for digitally signing new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. The use of SHA-1 in certificates is noted to carry additional risk, because an attacker has unlimited time to find a collision for an existing certificate, whereas attacks on host keys are bounded by the connection timeout (LoginGraceTime).

ssh-keygen now uses the rsa-sha2-512 algorithm by default, supported since OpenSSH 7.2, which may cause compatibility problems when certificates signed with OpenSSH 8.2 are processed on systems running older OpenSSH versions (to work around this, you can explicitly pass "ssh-keygen -t ssh-rsa" when producing the signature, or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).
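A scripted form of the check described above, added here as an example that is not part of the article or of OpenSSH: it runs the client with -oHostKeyAlgorithms=-ssh-rsa against a list of hosts and classifies the outcome from the client's exit status and stderr. The host list and the sample error lines are constructed; the "no matching host key type found" text is the OpenSSH client's own negotiation-failure message and StrictHostKeyChecking=accept-new is an option of OpenSSH 7.6 and later, neither of which the article mentions. One caveat worth stating: known_hosts and authorized_keys label every RSA key "ssh-rsa", but that is the key type, not the SHA-1 signature scheme being retired, so an RSA host key is fine as long as the server can sign with rsa-sha2-256/512. Only a live negotiation shows which case you have.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): probe hosts with the
# client option the article gives (-oHostKeyAlgorithms=-ssh-rsa) and classify the
# result. Hosts and sample error text are constructed; the "no matching host key
# type found" string is the message the OpenSSH client prints when no host key
# algorithm can be negotiated.

# Classify one probe into a verdict:
#   sha1-only : negotiation failed because the server offers only ssh-rsa
#   ok        : key exchange completed (whether authentication then succeeded is
#               irrelevant here, so "Permission denied" also counts as ok)
#   error     : anything else (unreachable host, DNS failure, ...)
classify_probe() {
    # $1 = ssh exit status, $2 = captured stderr
    if printf '%s\n' "$2" | grep -q 'no matching host key type found'; then
        echo sha1-only
    elif [ "$1" -eq 0 ] || printf '%s\n' "$2" | grep -q 'Permission denied'; then
        echo ok
    else
        echo error
    fi
}

# Run one probe. BatchMode stops password prompts; ConnectTimeout bounds dead hosts;
# StrictHostKeyChecking=accept-new (OpenSSH 7.6+) avoids an interactive prompt for
# hosts not yet in known_hosts while still refusing a key that has changed.
probe_host() {
    # $1 = [user@]host; stderr is captured, stdout of the remote command discarded
    err=$(ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=accept-new \
              -oHostKeyAlgorithms=-ssh-rsa "$1" true 2>&1 >/dev/null)
    classify_probe $? "$err"
}

# Probe every host in a newline-separated list on stdin; print "verdict host".
probe_hosts() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$(probe_host "$host")" "$host"
    done
}

# Offline demonstration on constructed client output (192.0.2.0/24 is documentation
# address space). A real run needs network access, e.g.:
#   printf 'bastion.example\nlegacy.example\n' | probe_hosts
classify_probe 255 "Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa"
classify_probe 255 "user@192.0.2.11: Permission denied (publickey)."
classify_probe 0 ""
```

The three demo calls print "sha1-only", "ok" and "ok" in that order. A host classified sha1-only will stop working once the client default drops ssh-rsa, so it needs either an OpenSSH upgrade to 7.2 or later (for rsa-sha2 signatures) or a host key of another type.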

Other changes:

  • The Include directive has been added to sshd_config, allowing the contents of other files to be inserted at the current position in the configuration file (glob masks may be used in the file name);
  • The "no-touch-required" option has been added to ssh-keygen, which removes the need for physical confirmation of token access when generating a key;
  • The PubkeyAuthOptions directive has been added to sshd_config, grouping several options related to public key authentication. Currently only the "no-touch-required" flag is supported, which skips the physical-presence check during token authentication. The same "no-touch-required" option has also been added to the authorized_keys file.
  • The "-O write-attestation=/path" option has been added to ssh-keygen, allowing additional FIDO attestation certificates to be written when keys are generated. OpenSSH does not use these certificates yet, but they may later serve to verify that a key is held in trusted hardware storage.
  • In the ssh and sshd settings, the traffic prioritisation mode LE DSCP (Lower Effort Per-Hop Behavior) can now be set via the IPQoS directive;
  • In ssh, when "AddKeysToAgent=yes" is set and the key has no comment field, the key is added to ssh-agent with the path to the key file as its comment.
    In addition, ssh-keygen and ssh-agent now use PKCS#11 labels and the X.509 subject name, rather than the library path, as the comment in the key;
  • ssh-keygen can now export DSA and ECDSA keys in PEM format;
  • A new executable, ssh-sk-helper, has been added to isolate access to the FIDO/U2F token library;
  • The "--with-zlib" build option has been added so that ssh and sshd are built with zlib library support;
  • In accordance with RFC 4253, a warning is now shown in the connection banner when access is refused because the MaxStartups limit has been exceeded. To simplify diagnostics, the sshd process title visible in ps now shows the number of connections currently being authenticated and the state of the MaxStartups limit.
  • In ssh and ssh-agent, when the program named in $SSH_ASKPASS is invoked to show a prompt on screen, a flag with the prompt type is now also passed: "confirm" for a yes/no confirmation dialog, "none" for an informational message, and "blank" for a password request;
  • A new digital signature operation, "find-principals", has been added to ssh-keygen to search the allowed-signers file for the user associated with a given digital signature;
  • sshd process isolation on Linux with the seccomp mechanism has been improved: IPC system calls are prohibited, while clock_gettime64(), clock_nanosleep_time64 and clock_nanosleep() are allowed.

Source: opennet.ru
