OpenSSH 8.7 released

After four months of development, OpenSSH 8.7 has been released. OpenSSH is an open implementation of a client and server for the SSH 2.0 and SFTP protocols.

Main changes:

  • An experimental mode has been added to scp that transfers data using the SFTP protocol instead of the legacy SCP/RCP protocol. SFTP handles file names more predictably and does not rely on the remote host's shell to expand glob patterns, a behaviour that creates security problems. The "-s" flag enables SFTP in scp, and the plan is to switch to this protocol by default in the future.
  • sftp-server implements extensions to the SFTP protocol for expanding ~/ and ~user/ paths, which scp requires.
  • The scp utility has changed its behaviour when copying files between two remote hosts (for example, "scp host-a:/path host-b:"). The transfer now goes through the intermediate local host by default, as if the "-3" flag had been given. This avoids passing unnecessary credentials to the first host and avoids triple interpretation of file names by a shell (on the source, on the destination and on the local system). When SFTP is used, it also allows all authentication methods to be used when accessing the remote hosts, not only non-interactive ones. The "-R" option has been added to restore the old behaviour.
  • A ForkAfterAuthentication setting has been added to ssh, corresponding to the "-f" flag.
  • A StdinNull setting has been added to ssh, corresponding to the "-n" flag.
  • A SessionType setting has been added to ssh, through which the modes corresponding to the "-N" (no session) and "-s" (subsystem) flags can be set.
  • ssh-keygen allows a key validity interval to be specified in key files.
  • The "-Oprint-pubkey" flag has been added to ssh-keygen to print the full public key as part of an sshsig signature.
  • In ssh and sshd, both the client and the server have been moved to a stricter configuration file parser that uses shell-like rules for handling quotes, spaces and escape characters. The new parser also no longer tolerates things that were previously let through, such as omitted arguments to options (for example, the DenyUsers directive can no longer be left empty), unclosed quotes, and multiple "=" characters.
  • When SSHFP DNS records are used to verify keys, ssh now checks all matching records, not only those with a specific digital signature type.
  • In ssh-keygen, when a FIDO key is generated with the -Ochallenge option, hashing is now done by a built-in layer instead of libfido2, which allows challenge sequences larger or smaller than 32 bytes.
  • In sshd, when environment="..." directives in authorized_keys files are processed, the first match is now accepted and there is a limit of 1024 environment variable names.

The OpenSSH developers also warned again about the deprecation of algorithms that use SHA-1 hashes, because collision attacks with a given prefix have become more efficient (the cost of finding a collision is estimated at roughly 50 thousand dollars). In the next release, the plan is to disable by default the "ssh-rsa" digital signature algorithm, which was specified in the original RFC for the SSH protocol and is still widely used in practice.

To check whether ssh-rsa is in use on your systems, try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. Disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, because the SSH protocol allows hash algorithms other than SHA-1 to be used with them. In particular, besides "ssh-rsa", the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations will remain available.

To smooth the transition to the new algorithms, OpenSSH already enables the UpdateHostKeys setting by default, which lets clients switch automatically to more reliable algorithms. This setting turns on a special protocol extension, "[email protected]", which allows the server, after authentication, to inform the client of all its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to change keys on the server.

The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be referenced in UserKnownHostsFile and not used in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be in use; host name masks must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; the UserKnownHostsFile parameter must be active.
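The following is an added example, not code from OpenSSH or from the original article: a small audit that reads a known_hosts file and reports the three caveats above that are visible in the file itself (a key under more than one name, host certificates, host name masks). The function names and the sample entries are constructed for illustration, and treating every comma-separated name or address as a separate name is a conservative assumption.

```python
from collections import defaultdict

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed known_hosts sample
alpha.example.org ssh-ed25519 AAAAplaceholderKEY1
beta.example.org,192.0.2.10 ssh-rsa AAAAplaceholderKEY2
gamma.example.org ssh-rsa AAAAplaceholderKEY2
*.lab.example.org ecdsa-sha2-nistp256 AAAAplaceholderKEY3
@cert-authority *.corp.example.org ssh-ed25519 AAAAplaceholderKEY4
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAplaceholderKEY5
"""

def parse_known_hosts(text):
    """Yield (lineno, marker, names, keytype, blob) for each entry line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) >= 3:  # skip malformed lines
            yield lineno, marker, fields[0].split(","), fields[1], fields[2]

def audit_update_hostkeys(text):
    """Return sorted (kind, detail) findings that conflict with the caveats."""
    findings, names_by_key = [], defaultdict(set)
    for lineno, marker, names, keytype, blob in parse_known_hosts(text):
        if marker == "@cert-authority":
            findings.append(("certificate", f"line {lineno}: CA entry for {','.join(names)}"))
            continue
        if marker == "@revoked":
            continue  # revocation entries are outside these caveats
        for name in names:
            if "*" in name or "?" in name:
                findings.append(("wildcard", f"line {lineno}: pattern {name}"))
        # Hashed names (|1|salt|hash) are opaque and count as one name each.
        names_by_key[(keytype, blob)].update(names)
    for (keytype, _), names in names_by_key.items():
        if len(names) > 1:
            findings.append(("multiple-names", f"{keytype} key under {', '.join(sorted(names))}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit_update_hostkeys(SAMPLE):
        print(f"{kind}: {detail}")
```

The remaining caveats (GlobalKnownHostsFile, VerifyHostKeyDNS, a non-default UserKnownHostsFile) live in the client configuration rather than in known_hosts, so this check does not cover them.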

The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

Source: opennet.ru
