OpenSSH 9.6 released with vulnerability fixes

OpenSSH 9.6 has been released, an open implementation of a client and server for the SSH 2.0 and SFTP protocols. The new version fixes three security issues:

  • A vulnerability in the SSH protocol itself (CVE-2023-48795, "Terrapin"), a prefix-truncation attack: a MITM can delete messages at the very start of the encrypted channel without either peer noticing, most usefully the SSH_MSG_EXT_INFO message. Stripping it downgrades the public-key signature algorithms the client will use for authentication and switches off the keystroke-timing obfuscation added in OpenSSH 9.5, the defence against side-channel attacks that reconstruct typed input from the delays between keystrokes. The attack is practical when ChaCha20-Poly1305, or a CBC cipher paired with an Encrypt-then-MAC integrity mode, is negotiated. OpenSSH 9.6 counters it with a "strict KEX" protocol extension, signalled by the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com entries in the key-exchange algorithm list; it only takes effect when both client and server support it, so an unpatched peer stays exposed. The attack technique is described in a separate article.
  • A vulnerability in the ssh client (CVE-2023-51385) that allows shell command injection through user and host names containing shell metacharacters. It is exploitable when an attacker controls the user name or host name passed to ssh and the configuration expands them, via tokens such as %h and %r, into a ProxyCommand or LocalCommand directive or a "Match exec" block, because the expanded string is run through the shell. Such values can be smuggled in, for example, through Git submodule URLs, since Git does not reject shell metacharacters in user and host names; OpenSSH 9.6 now refuses user and host names supplied on the command line that contain most shell metacharacters. A similar vulnerability exists in libssh.
  • A bug in ssh-agent where, when PKCS#11-hosted private keys were added with destination constraints, the constraints were applied only to the first key returned by the PKCS#11 token; any further keys from the same token were added unconstrained. Regular private keys, FIDO tokens and keys added without constraints are not affected.
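The negotiation the Terrapin item refers to can be checked from the two KEXINIT messages alone. The following is an added example, not OpenSSH code or part of the original article: it serialises and parses a KEXINIT payload (RFC 4253, section 7.1), applies the standard "first client preference the server also lists" rule, and reports whether the resulting cipher/MAC choice is attackable and whether strict KEX is in force on both sides. The algorithm lists CLIENT_OLD, CLIENT_NEW and SERVER_96 are constructed for illustration; the chacha20 and CBC+EtM criteria are the ones the Terrapin research identifies as exploitable.

```python
"""Added example: negotiate SSH algorithms from two KEXINIT payloads and
report Terrapin (CVE-2023-48795) exposure. Not OpenSSH code."""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Message id, 16-byte cookie, ten name-lists, first_kex_packet_follows
    flag and the reserved uint32. A real peer uses a random cookie."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        out += _name_list(lists.get(field, []))
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Inverse of build_kexinit: returns a dict field -> list of names."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}          # skip message id and cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = raw.split(",") if raw else []
    return lists


def negotiate(client, server, field):
    """RFC 4253 rule: first client preference that the server also lists."""
    for name in client[field]:
        if name in server[field]:
            return name
    return None


def terrapin_exposure(client, server):
    """Per direction: negotiated (cipher, MAC) and whether that pair is
    attackable; strict KEX only counts when both peers signal it."""
    strict = (STRICT_KEX_CLIENT in client["kex"]
              and STRICT_KEX_SERVER in server["kex"])
    report = {"strict_kex": strict, "vulnerable_directions": []}
    for direction in ("c2s", "s2c"):
        enc = negotiate(client, server, "enc_" + direction)
        mac = negotiate(client, server, "mac_" + direction)
        report[direction] = (enc, mac)
        # chacha20-poly1305 is attackable regardless of the MAC (it is an
        # AEAD, the MAC choice is ignored); CBC is attackable with EtM MACs.
        chacha = enc == "chacha20-poly1305@openssh.com"
        cbc_etm = ((enc or "").endswith("-cbc")
                   and (mac or "").endswith("-etm@openssh.com"))
        if (chacha or cbc_etm) and not strict:
            report["vulnerable_directions"].append(direction)
    return report


# Constructed sample preference lists (illustrative, not real captures).
CLIENT_OLD = {   # a client without strict-KEX support, chacha20 first
    "kex": ["curve25519-sha256", "ext-info-c"],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-cbc"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-cbc"],
    "mac_c2s": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
CLIENT_NEW = {**CLIENT_OLD, "kex": CLIENT_OLD["kex"] + [STRICT_KEX_CLIENT]}
SERVER_96 = {**CLIENT_OLD, "kex": ["curve25519-sha256", "ext-info-s", STRICT_KEX_SERVER]}


def exposure(client_lists, server_lists):
    """Round-trip both sides through the wire format, then assess."""
    return terrapin_exposure(parse_kexinit(build_kexinit(client_lists)),
                             parse_kexinit(build_kexinit(server_lists)))


if __name__ == "__main__":
    for name, client in (("old client", CLIENT_OLD), ("9.6 client", CLIENT_NEW)):
        print(name, "vs 9.6 server:", exposure(client, SERVER_96))
```

Reordering the client's cipher list so an AES-GCM or CTR mode comes first also removes the exposure without strict KEX, which is the mitigation available against peers that cannot be upgraded.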
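To make the second item concrete, here is an added example (not OpenSSH or Git code) of the injection path and of the kind of check that closes it: a Git-style ssh:// submodule URL is split into user, host and port, the %r/%h/%p tokens are expanded into a ProxyCommand template the way ssh does before handing the string to sh -c, and a hardened variant refuses host and user names containing shell metacharacters before expansion. The hostname pattern and user-name blocklist are illustrative approximations of a strict check, not OpenSSH's exact rules, and the URLs and template are constructed.

```python
"""Added example: shell injection through ProxyCommand token expansion and a
pre-expansion validation of user/host names. Not OpenSSH code."""
import re

# Illustrative strict hostname grammar: alphanumeric start, labels of
# letters/digits/'-'/'_' separated by single dots, optional trailing dot.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]+)*\.?")
# Shell metacharacters refused in user names (illustrative blocklist).
USER_METACHARS = set("'`\";&<>|(){}$*?#!~\\")
# ssh://[user@]host[:port]/path as carried in a Git submodule URL.
URL_RE = re.compile(r"ssh://(?:([^@/]+)@)?([^/:]+)(?::(\d+))?(?:/.*)?", re.S)


def valid_host(host):
    # fullmatch, not match: a trailing newline would slip past a '$' anchor
    return HOST_RE.fullmatch(host) is not None


def valid_user(user):
    if not user or user.startswith("-"):        # "-oProxyCommand=..." style
        return False
    if any(c.isspace() for c in user):           # newline is the classic case
        return False
    return not (USER_METACHARS & set(user))


def parse_ssh_url(url):
    m = URL_RE.fullmatch(url)
    if m is None:
        raise ValueError("not an ssh:// URL")
    user, host, port = m.group(1), m.group(2), m.group(3)
    return user, host, int(port) if port else 22


def expand_tokens(template, user, host, port):
    """Substitute %r, %h, %p ('%%' is a literal percent) into the template.
    ssh runs the result via /bin/sh -c, so anything in user/host that the
    shell interprets is executed."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            rep = {"%": "%", "r": user, "h": host, "p": str(port)}.get(template[i + 1])
            if rep is not None:
                out.append(rep)
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def proxy_command_unchecked(template, url):
    """Pre-9.6 behaviour: expand whatever the URL contained."""
    user, host, port = parse_ssh_url(url)
    return expand_tokens(template, user or "git", host, port)


def proxy_command_checked(template, url):
    """Hardened: refuse metacharacters before they can reach the shell."""
    user, host, port = parse_ssh_url(url)
    if not valid_host(host):
        raise ValueError(f"refusing hostname {host!r}")
    if user is not None and not valid_user(user):
        raise ValueError(f"refusing user name {user!r}")
    return expand_tokens(template, user or "git", host, port)


def refuses(template, url):
    """True if the hardened path rejects the URL (used as a check)."""
    try:
        proxy_command_checked(template, url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tmpl = "ssh -W %h:%p jump.example.net"       # constructed ProxyCommand
    evil = "ssh://git@evil.example$(id)/repo.git"  # constructed submodule URL
    print("unchecked:", proxy_command_unchecked(tmpl, evil))
    print("checked refuses:", refuses(tmpl, evil))
```

The unchecked expansion yields a command line containing $(id), which sh -c would run as a command substitution; the checked variant never builds that string. Git's own URL validation does not stop this, so the client-side check is the right place for it.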

Other changes:

  • A "%j" token has been added to ssh's substitutions; it expands to the hostname configured via the ProxyJump directive (or the empty string when ProxyJump is not in use).
  • ssh now supports the ChannelTimeout option on the client side, which can be used to close inactive channels.
  • ssh, sshd, ssh-add and ssh-keygen can now read ED25519 private keys in PEM PKCS8 format (previously only OpenSSH's own key format was supported for ED25519).
  • A protocol extension has been added to ssh and sshd that renegotiates the signature algorithms accepted for public-key authentication after the server has learned the user name being authenticated. This makes per-user algorithm policy possible, for example by setting PubkeyAcceptedAlgorithms inside a "Match user" block.
  • A protocol extension has been added to ssh-add and ssh-agent for attaching certificates when loading PKCS#11 keys, so certificates associated with PKCS#11 private keys can be used by every OpenSSH tool that talks to ssh-agent, not only ssh.
  • Improved detection of unsupported or unstable compiler flags, such as "-fzero-call-used-regs" in clang.
  • To reduce the privileges of sshd processes, on OpenSolaris-derived systems that provide the getpflags() interface the PRIV_XPOLICY mode is now used instead of PRIV_LIMIT.

Source: opennet.ru
