OpenSSH 8.4 release

After four months of development, the release of OpenSSH 8.4 has been presented, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Security changes:
    • In ssh-agent, when using FIDO keys that were not created for SSH authentication (the key identifier does not begin with the string "ssh:"), it now checks that the message will be signed using the methods used in the SSH protocol. The change prevents an ssh-agent forwarded to remote hosts, on a machine that holds FIDO keys, from being used to generate signatures for web authentication requests (the reverse case, where a browser could sign an SSH request, is excluded from the start by the use of the "ssh:" prefix in the key identifier).
    • Resident key generation in ssh-keygen now includes support for the credProtect add-on described in the FIDO 2.1 specification, which provides additional protection for keys by requiring a PIN before any operation that could result in extracting the resident key from the token.
  • Changes that potentially break compatibility:
    • For FIDO/U2F support, it is recommended to use the libfido2 library, version 1.5.0 or later. The ability to use older versions is partially implemented, but in that case features such as resident keys, PIN requests, and connecting multiple tokens are not available.
    • In ssh-keygen, the authenticator data needed to verify attestation digital signatures has been added to the format of the attestation information that is optionally saved when a FIDO key is generated.
    • The API used when OpenSSH interacts with the layer for accessing FIDO tokens has been changed.
    • When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from a published tar file, regenerating configure is not necessary).
  • Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate keys with a PIN, the "verify-required" option has been added to ssh-keygen. When such keys are used, the user is asked to confirm the action by entering the PIN code before the signature is created.
  • In sshd, the "verify-required" option is implemented in the authorized_keys settings; it requires the use of mechanisms that verify the user's presence during operations with the token. The FIDO standard provides several options for such verification, but OpenSSH currently supports only PIN-based verification.
  • sshd and ssh-keygen have added support for verifying digital signatures that conform to the FIDO Webauthn standard, which allows FIDO keys to be used in web browsers.
  • In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now allow substitution of values from environment variables specified in the "${ENV}" format.

  • ssh and ssh-agent have added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable the call to ssh-askpass.
  • In ssh, the AddKeysToAgent directive in ssh_config gains the ability to limit the validity period of a key. Once the limit expires, the keys are removed from ssh-agent.
  • In scp and sftp, the "-A" flag can now be used to explicitly allow forwarding to scp and sftp using ssh-agent (forwarding is disabled by default).
  • Added support for the '%k' substitution in the ssh settings, which specifies the name of the host key. This can be used to distribute keys across separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • "ssh-add -d -" can now be used to read from stdin the keys that are to be removed.
  • In sshd, the start and end of the connection-dropping process, which is controlled by the MaxStartups parameter, are now recorded in the log.

The OpenSSH developers also reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of collision attacks with a given prefix (the cost of finding a collision is estimated at approximately 45 thousand dollars). In one of the upcoming releases, they plan to disable by default the ability to use the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test the use of ssh-rsa on your systems, you can try connecting via ssh with the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to new algorithms in OpenSSH, the next release will enable the UpdateHostKeys setting by default, which migrates clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
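
As an added example (not code from the OpenSSH project or from the original article), the following Python check complements the "-oHostKeyAlgorithms=-ssh-rsa" test above: it reads the effective configuration printed by `ssh -G <host>` or `sshd -T` and reports SHA-1 based signature algorithms that are still enabled. The sample dumps are constructed, and the algorithm set extends the article's "ssh-rsa" with its certificate variant and the DSA algorithms.

```python
"""Report SHA-1 signature algorithms in `ssh -G <host>` or `sshd -T` output."""

# Signature algorithms that hash with SHA-1. The article names "ssh-rsa"; its
# certificate variant and the DSA algorithms are added here for completeness.
# Note: an RSA *key* remains usable with rsa-sha2-256/512 signatures; only the
# "ssh-rsa" signature algorithm is affected by the deprecation.
SHA1_SIGNATURE_ALGS = {
    "ssh-rsa", "ssh-rsa-cert-v01@openssh.com",
    "ssh-dss", "ssh-dss-cert-v01@openssh.com",
}

# Lowercase keywords, as printed by the config dumps, whose value is a
# comma-separated list of signature algorithms.
ALGORITHM_OPTIONS = {
    "hostkeyalgorithms", "casignaturealgorithms",
    "pubkeyacceptedkeytypes",    # name in OpenSSH 8.4
    "pubkeyacceptedalgorithms",  # name in later releases
}

# Constructed sample dumps (not captured from real hosts).
LEGACY_DUMP = """\
hostname legacy.example.internal
port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-256,ssh-rsa
"""
HARDENED_DUMP = """\
hostname modern.example.internal
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""


def find_sha1_algorithms(config_dump):
    """Map each algorithm option to the SHA-1 algorithms it still enables."""
    findings = {}
    for line in config_dump.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in ALGORITHM_OPTIONS:
            continue  # blank line, bare keyword, or unrelated option
        algs = [a.strip() for a in parts[1].split(",")]
        weak = [a for a in algs if a in SHA1_SIGNATURE_ALGS]
        if weak:
            findings[parts[0].lower()] = weak
    return findings


if __name__ == "__main__":
    for name, dump in (("legacy", LEGACY_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, find_sha1_algorithms(dump) or "no SHA-1 signature algorithms")
```

To audit a real host, pass the text produced by `ssh -G <host>` (client side) or `sshd -T` (server side) to `find_sha1_algorithms`.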

Source: opennet.ru
