OpenSSH 8.3 released with an scp vulnerability fix

After three months of development, OpenSSH 8.3 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an scp vulnerability that allows the server to send files other than those requested (unlike the earlier vulnerability, this attack does not make it possible to change the directory chosen by the user or the glob mask). Recall that in SCP the server decides which files and directories to send to the client, and the client only checks the correctness of the returned object names. The essence of the identified problem is that if the utimes call fails, the file contents are interpreted as file metadata.

In combination with an attacker-controlled server, this could be used to write other file names and other content into the user's filesystem when copying with scp under configurations that cause the utimes call to fail (for example, when utimes is blocked by an SELinux policy or a system call filter). The likelihood of a real attack is rated as low, because in typical configurations the utimes call does not fail. In addition, the attack is not stealthy: when scp is invoked, a data conversion error is displayed.
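The defensive lesson from the bug described above is that a failed metadata call must never desynchronise the protocol stream. The following added example (not OpenSSH's scp.c) models a simplified scp sink under the assumption that the server sends a "T<mtime> 0 <atime> 0" line, a "C<mode> <size> <name>" line, then exactly <size> content bytes plus one status byte; the hypothetical `receive`, `demo` and `failing_utimes` helpers and the `set_times` hook are constructed for the demonstration.

```python
import io
import os
import tempfile

# Assumed simplified scp sink protocol (not OpenSSH's implementation):
# "T<mtime> 0 <atime> 0\n", then "C<mode> <size> <name>\n", then exactly
# <size> content bytes followed by one status byte.

def receive(stream, dest_dir, set_times):
    """Receive files into dest_dir. Returns (written names, error strings)."""
    written, errors, times = [], [], None
    while True:
        line = stream.readline()
        if not line:
            return written, errors
        msg = line.rstrip(b"\n").decode("ascii", "replace")
        if msg.startswith("T"):
            mtime, _, atime, _ = msg[1:].split(" ")
            times = (int(atime), int(mtime))
        elif msg.startswith("C"):
            mode, size, name = msg[1:].split(" ", 2)
            body = stream.read(int(size))   # body is always drained as content
            stream.read(1)                  # trailing status byte
            if "/" in name or name in ("", ".", ".."):
                errors.append("rejected file name %r" % name)
                continue                    # stream stays in sync
            path = os.path.join(dest_dir, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, int(mode, 8))
            written.append(name)
            if times is not None:
                try:                        # a failing utimes is only an error
                    set_times(path, times)
                except OSError as exc:
                    errors.append("utimes failed for %r: %s" % (name, exc))
                times = None
        else:
            errors.append("unexpected message %r" % msg)
            return written, errors

def failing_utimes(path, times):
    """Models utimes(2) being denied by a policy or syscall filter."""
    raise OSError("utimes blocked (simulated denial)")

def demo(set_times=os.utime):
    """Run receive() on a constructed stream; returns (names, errors, files)."""
    # Constructed server stream: the body of good.txt contains text shaped
    # like a second "C" message, which must never be parsed as a message.
    body = b"line1\nC0644 4 evil\nxxxx\x00"
    stream = io.BytesIO(b"T1590000000 0 1590000000 0\n"
                        + b"C0644 %d good.txt\n" % len(body) + body + b"\x00")
    with tempfile.TemporaryDirectory() as d:
        names, errors = receive(stream, d, set_times)
        files = sorted(os.listdir(d))
    return names, errors, files
```

With `demo(failing_utimes)` the timestamp error is reported, but only good.txt is created and its body is stored verbatim.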

All changes:

  • sftp now rejects the "-1" argument, in the same way as ssh and scp do, where previously it was accepted but silently ignored;
  • In sshd, the IgnoreRhosts directive now has three options: "yes" - ignore rhosts/shosts, "no" - honour rhosts/shosts, and "shosts-only" - allow ".shosts" but block ".rhosts";
  • ssh now supports %TOKEN substitution in the LocalForward and RemoteForward directives when they are used to forward Unix sockets;
  • Allow loading a public key from an unencrypted private key file if no separate public key file is present;
  • If libcrypto is available on the system, ssh and sshd now use the chacha20 implementation from that library instead of the built-in portable implementation, which lags behind in performance;
  • Ability to dump the contents of a binary revoked key list via the command "ssh-keygen -lQf /path";
  • The portable version now relies on the system's definition of which operations are interrupted by signals with the SA_RESTART option;
  • Build problems on HP/UX and AIX systems have been resolved;
  • Fixed problems building the seccomp sandbox on some Linux configurations;
  • Updated the libfido2 library and resolved build problems with the "--with-security-key-builtin" option.

The OpenSSH developers also warned about the impending breakage of algorithms that use SHA-1 hashes, owing to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public-key signature algorithm, which is mentioned in the original SSH protocol RFC and is still widely used in practice (to test whether ssh-rsa is relied on in your environment, try connecting via ssh with the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which automatically migrates clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In the current release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed to sign new certificates, since the use of SHA-1 in certificates carries additional risk: an attacker has unlimited time to search for a collision with an existing certificate, whereas the time available to attack host keys is limited by the connection timeout (LoginGraceTime).

Source: opennet.ru
