After four months of development
Main changes:
- Security changes:
  - In ssh-agent, when using FIDO keys that were not created for SSH authentication (the key identifier does not start with the string "ssh:"), it is now checked that the message will be signed using the methods used in the SSH protocol. This keeps forwarding ssh-agent to remote hosts, when FIDO keys are present, from giving the remote side the ability to use those keys to generate signatures for web authentication requests (the reverse case, in which a browser could sign an SSH request, is excluded from the outset by the use of the "ssh:" prefix in the key identifier).
  - Resident key generation in ssh-keygen now supports the credProtect add-on described in the FIDO 2.1 specification, which gives keys additional protection by requiring a PIN before any operation that could result in the resident key being extracted from the token.
- Changes that may break compatibility:
  - For FIDO/U2F support, it is recommended to use the libfido2 library, version 1.5.0 or later. The ability to use older versions has been partially implemented, but in that case features such as resident keys, PIN requests, and connecting multiple tokens are not available.
  - In ssh-keygen, the authenticator data needed to verify attestation signatures has been added to the format of the attestation information that is optionally saved when a FIDO key is generated.
  - The API used when OpenSSH interacts with the layer for accessing FIDO tokens has been changed.
  - When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from a published tar file, regenerating configure is not required).
- Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate keys with a PIN, the "verify-required" option has been added to ssh-keygen. When such keys are used, the user is prompted to confirm the action by entering a PIN code before the signature creation operation is performed.
- In sshd, the "verify-required" option is implemented for the authorized_keys setting; it requires the use of capabilities that verify the user's presence during operations with the token. The FIDO standard provides several options for such verification, but at present OpenSSH supports only PIN-based verification.
- sshd and ssh-keygen have added support for verifying digital signatures that conform to the FIDO Webauthn standard, which allows FIDO keys to be used in web browsers.
- In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings allow substitution of values from environment variables specified in the "${ENV}" format.
- ssh and ssh-agent have added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable the ssh-askpass call.
- In ssh, the AddKeysToAgent directive in ssh_config has gained the ability to limit the validity period of a key. After the limit expires, the keys are removed from ssh-agent.
- In scp and sftp, the "-A" flag can now be used to explicitly allow forwarding to scp and sftp using ssh-agent (forwarding is disabled by default).
- Added support for the '%k' substitution in ssh settings, which specifies the host key name. This can be used to distribute keys into separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
- Allow the use of "ssh-add -d -" to read keys that are to be removed from stdin.
- In sshd, the start and end of the connection dropping process, which is regulated by the MaxStartups parameter, are now reflected in the log.
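
As an added example (not code from OpenSSH or from the original article), the following audit lists FIDO keys in an authorized_keys file that lack the "verify-required" option described above. The sample file contents, the placeholder key blobs, and the names `split_unquoted`, `audit` and `KEY_PREFIXES` are assumptions made for illustration.

```python
# Added example: list FIDO ("sk-") keys in authorized_keys without verify-required.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # heuristic: a first field like this is a key type

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# constructed sample authorized_keys
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 alice@laptop
verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 bob@token
command="echo verify-required, ok",no-pty sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER3 carol@token
ssh-ed25519 AAAAPLACEHOLDER4 dave@desktop
from="10.0.0.*",Verify-Required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER5 erin@token
'''

def split_unquoted(text, seps):
    """Split text on any character in seps that is outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":   # \" inside a value is an escaped quote
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + ([cur] if cur else [])

def audit(text):
    """Return (line number, key type, comment) for FIDO keys lacking verify-required."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = split_unquoted(line, " \t")
        if not fields or fields[0].startswith("#"):
            continue
        options = []
        if not fields[0].startswith(KEY_PREFIXES):   # leading options field
            options = [o.split("=", 1)[0].lower()    # option keywords are case-insensitive
                       for o in split_unquoted(fields[0], ",")]
            fields = fields[1:]
        if fields and fields[0].startswith("sk-") and "verify-required" not in options:
            findings.append((no, fields[0], " ".join(fields[2:])))
    return findings

if __name__ == "__main__":
    for no, key_type, comment in audit(SAMPLE):
        print(f"line {no}: {key_type} ({comment}) has no verify-required option")
```

The third sample key is reported even though the text "verify-required" appears on its line, because there it sits inside the quoted command string rather than being an option of its own.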
The OpenSSH developers also recalled the upcoming deprecation of algorithms that use SHA-1 hashes due to
To smooth the transition to new algorithms in OpenSSH, the next release will enable the UpdateHostKeys setting by default, which migrates clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Source: opennet.ru