OpenSSH 10.0 released

OpenSSH 10.0 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. Main changes:

  • Support for digital signatures based on the DSA algorithm has been removed; its security level no longer meets modern requirements. The cost of continuing to maintain the obsolete DSA algorithm is not justified, and its removal is expected to encourage other SSH implementations and cryptographic libraries to drop DSA support as well. By default, the use of DSA keys was already disabled in 2015.
  • The splitting of sshd into several separate processes continues. In OpenSSH 9.8, sshd was split into a new process, sshd-session, which handles session-related work. In OpenSSH 10.0, the authentication code has been moved out of sshd into a separate process, sshd-auth. The sshd-auth process provides additional isolation of authentication-related data in a separate address space, protecting this data in memory from being reached if the code that handles the pre-authentication stages of a session is attacked. In addition, the change slightly reduces memory consumption, since the authentication code is now loaded only while authentication is taking place and is unloaded once the sshd-auth process finishes.
  • By default, ssh uses the quantum-resistant hybrid key exchange algorithm "mlkem768x25519-sha256", which combines the X25519 ECDH and ML-KEM (CRYSTALS-Kyber) algorithms, both approved by the US National Institute of Standards and Technology (NIST). ML-KEM uses cryptographic methods based on solving lattice-theory problems, whose solving time is comparable on conventional and quantum computers.
  • In ssh_config, support for "%-token" substitution and environment-variable expansion has been added to the SetEnv and User directives.
  • Support for the "Match version" keyword has been added to ssh_config and sshd_config, allowing settings to be applied depending on the OpenSSH version in use; for example, to bind settings to OpenSSH 10 you can specify "Match version OpenSSH_10.*".
  • Support for the following keywords has been added to ssh_config:
    • "Match sessiontype", which allows settings to be applied depending on the type of session requested: "shell" for interactive sessions, "exec" for running commands, "subsystem" for sftp and "none" for port forwarding and control traffic.
    • "Match command" to bind settings to the command given on the command line to be run via ssh.
    • 'Match tagged ""' and 'Match command ""' to match an empty tag and an ssh invocation without a command to run.
  • sshd_config allows masks to be used in the file paths given in the AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
  • The ssh client now supports the "VersionAddendum" option for appending custom text to the version string (previously this option was available only for the sshd server).
  • The scp and sftp utilities now set "ControlMaster no" to prevent an existing connection from being reused when connecting to the host again.
  • sshd has disabled support for finite-field Diffie-Hellman by default, which results in the removal of the "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods from the KEXAlgorithms list. Compared with elliptic-curve Diffie-Hellman, the finite-field variant is slower and requires more computing resources while providing comparable security.
  • In ssh, when selecting a connection cipher, AES-GCM modes are now preferred over AES-CTR. By default the cipher preference order is: Chacha20/Poly1305, AES-GCM (128/256) and AES-CTR (128/192/256).
  • ssh-agent now removes all loaded keys when it receives a SIGUSR1 signal.
  • ssh-keygen has added support for FIDO tokens that do not return attestation data, such as WinHello.
  • Added the "-Owebsafe-allow=..." option to ssh-agent to disable the FIDO application whitelist.
  • Added the regress/misc/ssh-verify-attestation test to verify the FIDO attestation produced by ssh-keygen when enrolling FIDO keys.
  • ssh-keygen allows "-" to be used in place of a file name.
  • ssh-agent and the portable version of OpenSSH have been changed to support systemd socket activation, implemented via the LISTEN_PID/LISTEN_FDS mechanism.
  • In the portable version:
    • Support for the AWS-LC cryptographic library (AWS libcrypto) has been implemented.
    • sshd now supports wtmpdb, a year-2038-safe variant of wtmp.
    • Added the "--with-linux-memlock-onfault" configure option to lock sshd in memory (prevent it from being swapped out).
    • Added the "--with-security-key-standalone" configure option to build a standalone sk-libfido2 library.
    • The RPM package specs have dropped their RHEL 6 variants.
  • Security-related fix in sshd: the DisableForwarding directive did not disable X11 protocol forwarding and ssh-agent forwarding. X11 forwarding is disabled by default on the server side, and ssh-agent forwarding is disabled by default on the client side.
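The following ssh_config fragment is an added example (not part of the announcement or of the OpenSSH project) showing how the new Match version, Match sessiontype, Match command and Match tagged keywords and the %-token support in SetEnv described above fit together; the host name, tag, identity file path and the assumption that %h expands to the remote host name in SetEnv are placeholders chosen for illustration.

```sshconfig
# Added example ssh_config fragment (constructed, not from the release notes).
# Host name, tag and paths below are placeholders.

# Only OpenSSH 10.x clients understand the keywords used further down, so
# gate the whole profile on the client version.
Match version OpenSSH_10.*
    # Assumption: %h is expanded to the remote host name (10.0 added
    # %-token substitution to SetEnv); the session can read it as an env var.
    SetEnv SSH_TARGET_HOST=%h

# Interactive shells on the bastion may use agent forwarding; one-shot
# commands on the same host get a tighter profile.
Match host bastion.example.com sessiontype shell
    ForwardAgent yes

Match host bastion.example.com sessiontype exec
    ForwardAgent no
    RequestTTY no

# sftp is requested as a subsystem: use a dedicated identity for it.
Match host bastion.example.com sessiontype subsystem
    IdentityFile ~/.ssh/id_sftp_only

# "none" covers connections that open no session at all (port forwarding
# and control traffic only), so no forwarding of agent or X11 is needed.
Match sessiontype none
    ForwardAgent no
    ForwardX11 no

# Bind settings to the command passed on the ssh command line.
Match command "rsync*"
    Compression no

# Empty-string forms: no tag given with -P, and no command given at all.
Match tagged ""
    LogLevel INFO

Match command ""
    RequestTTY yes
```

The same Match version keyword is also accepted in sshd_config, so a server-side file can be gated on the sshd version in the same way.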

Source: opennet.ru
