OpenSSH 8.0 released

After five months of development, OpenSSH 8.0 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support for a key exchange method resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers solve the problem of factoring a natural number into prime factors dramatically faster; this problem underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (function ntrup4591761), developed for post-quantum cryptosystems, combined with the X25519 elliptic curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was introduced in 2001 as an alternative to "host:port" to simplify working with IPv6. Today the "[::1]:22" syntax has become established for IPv6, and "host/port" is often confused with subnet (CIDR) notation;
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the new NIST recommendations;
  • ssh allows the "PKCS11Provider=none" setting to override a PKCS11Provider directive specified in ssh_config;
  • sshd produces a more detailed log message when a connection is terminated because of an attempt to run commands blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is displayed, the correct fingerprint of the key is now accepted in place of the answer "yes" (in response to the connection confirmation prompt, the user can paste a separately obtained reference hash from the clipboard rather than comparing it manually);
  • ssh-keygen automatically increments the certificate serial number when signing several certificates on one command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to increase the verbosity of the output (when specified, the option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • The "-T" option has been added to ssh-add to test whether the keys in ssh-agent are usable for creating digital signatures and for verification operations;
  • sftp-server implements the "lsetstat@openssh.com" protocol extension, which adds the SSH2_FXP_SETSTAT operation to SFTP but without following symbolic links;
  • A "-h" option has been added to sftp to run the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd passes the $SSH_CONNECTION environment variable to PAM;
  • For sshd, a "Match final" matching mode has been added to ssh_config, which is similar to "Match canonical" but does not require the hostname to be canonicalized;
  • Support for the '@' prefix has been added to sftp to suppress echoing of commands executed in batch mode;
  • When displaying the contents of a certificate with the command "ssh-keygen -Lf /path/certificate", the algorithm used by the CA to sign the certificate is now shown;
  • Improved support for the Cygwin environment, for example case-insensitive matching of group and user names. The sshd process in the Cygwin port has been renamed cygsshd to avoid interfering with the OpenSSH port supplied by Microsoft;
  • Added the ability to build against the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the implementation of the scp utility that allows arbitrary files in the target directory to be overwritten on the client side when accessing a server controlled by an attacker. The problem is that with scp the server decides which files and directories to send to the client, and the client only checks the correctness of the returned object names. The client-side check is limited to blocking traversal outside the current directory ("../") but does not consider the transfer of files whose names differ from those originally requested. In the case of recursive copying (-r), the names of subdirectories can be manipulated in the same way as file names. For example, if a user copies files into the home directory, the attacker-controlled server can deliver files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and the scp utility will save them in the user's home directory.

    In the new release, the scp utility has been changed to check, on the client side, that the files sent by the server correspond to those requested. This can cause problems with mask (glob) processing, because mask expansion characters may be interpreted differently on the server and client sides. If such differences cause the client to stop accepting files in scp, the "-T" option has been added to disable the client-side check. A complete fix for the problem requires a conceptual rework of the scp protocol, which is already obsolete, so it is recommended to use modern protocols such as sftp and rsync instead.
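
The following is an added example, not OpenSSH's own code, that models the client-side name checks described for CVE-2019-6111. `traversal_safe()` stands in for the only check older scp clients made on names the server sends back; `accept_name()` adds the 8.0 behaviour of requiring each received name to match the glob the user actually asked for, and `skip_match_check` plays the role of the "-T" escape hatch. The list of server-sent names is constructed for the example and is not from a real session.

```python
# Added example (not OpenSSH's code): models scp client-side name checks.
import fnmatch

# Constructed list of entry names an attacker-controlled server might send
# in reply to a request for "*.txt" (not captured from a real session).
SERVER_SENT = [
    "notes.txt",              # legitimately requested
    "report.txt",             # legitimately requested
    ".bash_aliases",          # passes the old check and lands in $HOME
    ".ssh/authorized_keys",   # contains "/", rejected even by the old check
    "../evil",                # traversal, rejected even by the old check
]


def traversal_safe(name: str) -> bool:
    """Pre-8.0 style check: a single path component, not '.', '..' or empty."""
    return bool(name) and "/" not in name and name not in (".", "..")


def accept_name(name: str, requested_patterns, skip_match_check: bool = False) -> bool:
    """8.0 style check: traversal-safe AND matching one of the requested globs.

    requested_patterns: basenames of the remote sources passed to scp.
    skip_match_check=True reproduces the "-T" behaviour (old check only).
    """
    if not traversal_safe(name):
        return False
    if skip_match_check:
        return True
    return any(fnmatch.fnmatchcase(name, pat) for pat in requested_patterns)


def filter_received(received, requested_patterns, skip_match_check: bool = False):
    """Split server-sent names into (accepted, rejected) lists, preserving order."""
    accepted, rejected = [], []
    for name in received:
        target = accepted if accept_name(name, requested_patterns, skip_match_check) else rejected
        target.append(name)
    return accepted, rejected


if __name__ == "__main__":
    print("8.0 check     :", filter_received(SERVER_SENT, ["*.txt"]))
    print("with -T (old) :", filter_received(SERVER_SENT, ["*.txt"], skip_match_check=True))
```

Running it shows that only the two `.txt` files survive the 8.0 check, while the "-T" path also admits `.bash_aliases`. The `fnmatchcase()` call is also where the glob-difference caveat from the text bites: a pattern with bracket expressions or shell escapes that the server expands differently will make legitimate files fail this match, which is exactly the situation "-T" was added for.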

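The host-key prompt change listed above (accepting the key's fingerprint instead of "yes") is illustrated by this added example, which is not OpenSSH's code. It builds the two fingerprint forms ssh prints for a key, the default SHA256 form (base64 without padding) and the legacy MD5 form (colon-separated hex), from a constructed ed25519 key blob, and models the prompt logic. The blob's key bytes are arbitrary test data, not a real key, and the exact string comparison in `confirm_host_key()` is this model's assumption.

```python
# Added example (not OpenSSH's code): OpenSSH-style fingerprints and the
# 8.0 host-key prompt that accepts either "yes" or the key's fingerprint.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed ed25519 public key blob: string(type) + string(32 key bytes).
# The 32 key bytes are arbitrary test data, not a real key.
FAKE_HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))


def fingerprint_sha256(blob: bytes) -> str:
    """Default fingerprint form: SHA256 of the key blob, base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint form: MD5 of the key blob as colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def confirm_host_key(answer: str, blob: bytes) -> bool:
    """Return True if the reply to the host-key prompt accepts the offered key.

    Model of the 8.0 behaviour: "yes" accepts as before, and so does the
    fingerprint of the offered key pasted verbatim (assumption: exact string
    comparison). Anything else, including another key's fingerprint, rejects.
    """
    reply = answer.strip()
    if reply.lower() == "yes":
        return True
    return reply in (fingerprint_sha256(blob), fingerprint_md5(blob))


if __name__ == "__main__":
    fp = fingerprint_sha256(FAKE_HOST_KEY_BLOB)
    print("key fingerprint:", fp)
    print("reply 'yes'    :", confirm_host_key("yes", FAKE_HOST_KEY_BLOB))
    print("reply <fp>     :", confirm_host_key(fp, FAKE_HOST_KEY_BLOB))
    print("reply 'no'     :", confirm_host_key("no", FAKE_HOST_KEY_BLOB))
```

The useful property for a defender is the last branch: a fingerprint obtained out of band (from the server's administrator, a wiki page, or `ssh-keygen -lf` on the server) pasted at the prompt is only accepted if it matches the key actually offered, so a mismatch caused by a man-in-the-middle is rejected without the user having to compare the strings by eye.
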
Source: opennet.ru
