After five months of development, OpenSSH 8.5 has been released: an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.
The OpenSSH developers remind us of the upcoming retirement of algorithms that use SHA-1 hashes, because of the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at around $50 thousand). In one of the upcoming releases they plan to disable by default the "ssh-rsa" digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice.
To test whether your systems still depend on ssh-rsa, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. Disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since besides SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, in addition to "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.
To smooth the transition to the new algorithms, OpenSSH 8.5 enables the UpdateHostKeys setting by default, which lets clients switch automatically to more reliable algorithms. This setting uses a special protocol extension, "[email protected]", which allows the server, after authentication has completed, to inform the client about all the host keys it has. The client can record these keys in its ~/.ssh/known_hosts file, which lets host keys be updated and makes it easier to change keys on the server.
The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be used; host-name masks must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be active.
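An added example (not part of the release notes or of the OpenSSH project) that checks a known_hosts file against the caveats above: it flags @cert-authority and @revoked markers, host-name masks, and keys that appear under more than one name. The file content and host names are constructed for this example.

```shell
#!/bin/sh
# Constructed known_hosts sample (not taken from a real system). The same
# ed25519 key blob is deliberately listed under two different host names.
KNOWN_HOSTS_SAMPLE='bastion.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1
bastion-alias.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1
legacy.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE2
*.lab.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLE3
@cert-authority *.corp.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE4'

# Print one finding per line ("<reason> <host field(s)>") for entries that
# UpdateHostKeys will not maintain. Takes the file content as its argument.
audit_known_hosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        # @cert-authority / @revoked lines: certificates and CA markers are out of scope
        $1 ~ /^@/ { print "marker " $1 " " $2; next }
        # wildcard or negated host masks cannot be updated in place
        $1 ~ /[*?!]/ { print "pattern " $1 }
        # remember every host field under which a given key blob ($3) appears
        { owners[$3] = owners[$3] " " $1 }
        END {
            for (k in owners)
                if (split(owners[k], o, " ") > 1) print "multiname" owners[k]
        }
    ' | LC_ALL=C sort
}

# Number of findings; non-zero is a signal that the file needs cleanup.
audit_count() { audit_known_hosts "$1" | wc -l | tr -d " "; }

audit_known_hosts "$KNOWN_HOSTS_SAMPLE"
```

Run it against a real file with `audit_known_hosts "$(cat ~/.ssh/known_hosts)"`; hashed entries are left alone because they are not among the caveats listed above.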
The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Other changes:
- Security changes:
- A vulnerability caused by freeing an already freed memory region (double free) has been fixed in ssh-agent. The issue has been present since the release of OpenSSH 8.2 and can be exploited if the attacker has access to the ssh-agent socket on the local system. What makes exploitation harder is that only root and the original user have access to the socket. The most likely attack scenario is that the agent is forwarded to an account controlled by the attacker, or to a host where the attacker has root.
- sshd has added protection against passing overly large parameters along with the user name to the PAM subsystem, which makes it possible to block vulnerabilities in PAM (Pluggable Authentication Module) modules. For example, this change prevents sshd from being used as a vector for exploiting the recently discovered Solaris vulnerability (CVE-2020-14871).
- Changes that may break compatibility:
- In ssh and sshd, the experimental key exchange method that is resistant to attacks on a quantum computer has been reworked. Quantum computers are fundamentally faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and on the X25519 elliptic-curve key exchange method. Instead of [email protected], the method is now identified as [email protected] (the sntrup4591761 algorithm has been replaced by sntrup761).
- In ssh and sshd, the order in which digital signature algorithms are advertised has changed. ED25519 is now offered first, ahead of ECDSA.
- In ssh and sshd, the TOS/DSCP quality-of-service setting for interactive sessions is now applied before the TCP connection is established.
- Support for the [email protected] cipher has been dropped from ssh and sshd; it is identical to aes256-cbc and was used before RFC-4253 was approved.
- The CheckHostIP flag is now disabled by default; its benefit is negligible, but its use significantly complicates key rotation for hosts behind load balancers.
- The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate at which handlers are started, based on the client's address. These parameters allow finer control over process-start limits than the general MaxStartups setting.
- A new LogVerbose setting has been added to ssh and sshd, which allows the level of debug information written to the log to be raised forcibly, with the ability to filter by templates, functions and files.
- In ssh, when accepting a new host key, all host names and IP addresses associated with that key are displayed.
- ssh accepts the UserKnownHostsFile=none option to disable use of the known_hosts file when identifying host keys.
- A KnownHostsCommand setting has been added to ssh_config for ssh, allowing known_hosts data to be obtained from the output of a specified command.
- A PermitRemoteOpen option has been added to ssh_config for ssh, allowing the destinations to be restricted when RemoteForward is used with SOCKS.
- In ssh, for FIDO keys, the PIN is requested again if the digital signature operation failed because of an incorrect PIN and the user was not prompted for a PIN (for example, when valid biometric data was not obtained and the device fell back to manual PIN entry).
- sshd adds support for additional system calls to the seccomp-bpf-based process isolation mechanism on Linux.
- The contrib/ssh-copy-id utility has been updated.
Source: opennet.ru