OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, OpenSSH 8.2 has been released: an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The main change in OpenSSH 8.2 is the ability to use two-factor authentication with devices that support the U2F protocol, developed by the FIDO alliance. U2F allows low-cost hardware tokens to be built that confirm the physical presence of the user, interacting with them over USB, Bluetooth or NFC. Such devices are promoted as a two-factor authentication method for web sites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm user presence, the new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH. They use the ECDSA and Ed25519 digital signature algorithms combined with the SHA-256 hash. The procedures for talking to the tokens are placed in an intermediate library, which is loaded in the same way as the PKCS#11 support library and is a wrapper over the libfido2 library, which provides the tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, has been included in the libfido2 core, as has a HID driver for OpenBSD.

To authenticate and to generate a key, you must specify the "SecurityKeyProvider" setting in the configuration or set the SSH_SK_PROVIDER environment variable, pointing at the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). It is also possible to build OpenSSH with the intermediate library compiled in (--with-security-key-builtin), in which case the parameter "SecurityKeyProvider=internal" must be set.
Then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server with "ssh". When ssh-keygen is run, the generated key pair is saved as "~/.ssh/id_ecdsa_sk" and can be used like any other key.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side only the digital signature is verified; all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it yields the real key only in combination with the secret stored on the U2F token. If the id_ecdsa_sk file falls into an attacker's hands, passing authentication would additionally require obtaining the hardware token, without which the private key material stored in id_ecdsa_sk is useless.

In addition, by default any operation with the keys (both during generation and during authentication) requires local confirmation of user presence, for example the user is asked to touch the sensor on the token, which makes it harder to carry out remote attacks on a system with a connected token. As a further line of defence, a passphrase can also be specified when ssh-keygen is run, to protect access to the key file.
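The workflow described above, as an added example (not code from the OpenSSH project or from the article): the provider library, "ssh-keygen -t ecdsa-sk", installing the public key, and an offline audit of an authorized_keys file that tells hardware-backed sk keys apart from software keys and flags the "no-touch-required" option. The library path /usr/lib/libsk-libfido2.so, the host server.example.com, the user alice and the key lines in the sample are placeholders assumed for the example; the token-dependent steps need a real token and are only defined, not run.

```shell
#!/bin/sh
# Added example, not OpenSSH project code: the ecdsa-sk workflow from the text
# (provider library, ssh-keygen -t ecdsa-sk, copy to authorized_keys), plus an
# offline audit of an authorized_keys file that tells hardware-backed keys
# apart from software keys and flags the no-touch-required option.
# Assumptions (placeholders, not from the page): the library path
# /usr/lib/libsk-libfido2.so, the host server.example.com and the user alice.
set -eu

# Steps 1 and 2: tell ssh where the middleware library is (only needed when
# OpenSSH was not built with --with-security-key-builtin) and generate the
# key pair. Needs a plugged-in token; ssh-keygen asks for a touch.
generate_sk_key() {
    export SSH_SK_PROVIDER="${SSH_SK_PROVIDER:-/usr/lib/libsk-libfido2.so}"
    ssh-keygen -t ecdsa-sk -f "$HOME/.ssh/id_ecdsa_sk" -C "alice@laptop fido"
}

# Step 3: append the public half to ~/.ssh/authorized_keys on the server. The
# server needs no libsk-libfido2, only an sshd that knows the sk- key types.
install_sk_pubkey() {
    ssh-copy-id -i "$HOME/.ssh/id_ecdsa_sk.pub" alice@server.example.com
}

# Audit: one line per key on stdin, "N: type=... hardware=yes|no touch=...".
# The key type is the first field that looks like an SSH key type, so options
# in front of it (even quoted ones containing spaces) are collected as options.
audit_authorized_keys() {
    awk '
      /^[ \t]*(#|$)/ { next }
      {
        n++; type = ""; opts = ""
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)(-cert-v01@openssh\.com|@openssh\.com)?$/) {
            type = $i
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            break
          }
        }
        if (type == "") { printf "%d: UNPARSED\n", n; next }
        hw = (type ~ /^sk-/) ? "yes" : "no"
        if (hw == "no") touch = "n/a"
        else if (opts ~ /(^|,|[ \t])no-touch-required(,|[ \t]|$)/) touch = "skipped"
        else touch = "required"
        printf "%d: type=%s hardware=%s touch=%s\n", n, type, hw, touch
      }'
}

# Number of hardware-backed keys on stdin.
count_hardware_keys() {
    audit_authorized_keys | grep -c 'hardware=yes' || true
}

# Constructed authorized_keys sample; the base64 blobs are fake placeholders.
SAMPLE_AUTHORIZED_KEYS='# keys for alice (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE alice@old-laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhEXAMPLE alice@laptop fido
no-touch-required,from="10.0.0.0/8" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaEXAMPLE backup-job
command="/usr/bin/rrsync /srv" ssh-rsa AAAAB3NzaC1yc2EXAMPLE legacy-sync'

printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys
```

The audit is the check worth running on a server after rolling out sk keys: a line reported with touch=skipped is a key whose owner has opted out of the presence check, so it deserves the same scrutiny as a plain software key, and a key type without the sk- prefix is not hardware-backed at all, whatever its comment says.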

The new OpenSSH release also announced the upcoming removal of algorithms that use SHA-1 hashes, because of the increased practicality of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the coming releases it is planned to disable by default the "ssh-rsa" public key signature algorithm, which is specified in the original SSH protocol RFC and is still widespread in practice. To test whether your systems depend on ssh-rsa, try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa", which removes ssh-rsa from the host key algorithms the client accepts; if the connection fails, the server can sign its host key only with ssh-rsa.

To smooth the transition to the new algorithms, a future OpenSSH release will enable the UpdateHostKeys setting by default, which automatically migrates clients to more reliable algorithms. The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2 connecting with "ssh-rsa" is still possible, but the algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for signing new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries an increased risk, since an attacker has unlimited time to search for a collision against an existing certificate, whereas the time available for an attack on host keys is bounded by the connection timeout (LoginGraceTime).

ssh-keygen now signs with the rsa-sha2-512 algorithm by default, which is supported since OpenSSH 7.2. This can cause compatibility problems when certificates signed with OpenSSH 8.2 are used on systems running older OpenSSH releases (to work around the problem when creating the signature, either specify "ssh-keygen -t ssh-rsa" explicitly, or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).
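The ssh-rsa deprecation described in the preceding paragraphs, as an added example (not code from the OpenSSH project or from the article): an offline pass over known_hosts that lists the hosts whose only recorded host key is RSA, the live "-oHostKeyAlgorithms=-ssh-rsa" check from the text, and certificate signing forced to the legacy ssh-rsa signature for hosts older than OpenSSH 7.2. The file names ca_key and user_key.pub, the host names and the key blobs in the sample are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not OpenSSH project code: which hosts to check before ssh-rsa
# is disabled, the live check from the text, and certificate signing that stays
# readable by OpenSSH older than 7.2.
# Placeholders (not from the page): ca_key, user_key.pub, the host names below.
set -eu

# Hosts on stdin (known_hosts format) whose only recorded host key is RSA.
# known_hosts stores the key type (ssh-rsa) and says nothing about which
# signature algorithm the server can use with it, so these are the candidates
# to check live; an RSA host key signed with rsa-sha2-256/512 keeps working,
# and a host that also has an ed25519 or ECDSA key is not at risk at all.
# Caveat: with HashKnownHosts every line is hashed separately, so hashed
# entries for one host cannot be grouped and are reported one by one.
rsa_only_hosts() {
    awk '
      /^[ \t]*(#|$)/ { next }
      /^@/ { next }                      # @cert-authority / @revoked markers
      NF >= 3 {
        split($1, names, ",")            # "host,ip" aliases share one line
        for (k in names) {
          seen[names[k]] = 1
          if ($2 != "ssh-rsa") other[names[k]] = 1
        }
      }
      END { for (h in seen) if (!(h in other)) print h }' | LC_ALL=C sort
}

# Live check from the text: drop ssh-rsa from the host key algorithms the
# client accepts. Exit 0 means the server can sign its host key some other
# way (an RSA key with rsa-sha2-*, or a non-RSA key); a negotiation failure
# means the host will break once ssh-rsa is disabled.
check_host_without_ssh_rsa() {
    ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes "$1" true
}

# Signing a user certificate that OpenSSH < 7.2 can still verify: force the
# legacy ssh-rsa signature instead of the 8.2 default of rsa-sha2-512.
sign_cert_for_old_hosts() {
    identity=$1; principals=$2
    ssh-keygen -s ca_key -t ssh-rsa -I "$identity" -n "$principals" user_key.pub
}

# Constructed known_hosts sample with fake key blobs.
SAMPLE_KNOWN_HOSTS='gw.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EXAMPLE1
gw.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE2
legacy.example.com ssh-rsa AAAAB3NzaC1yc2EXAMPLE3
[bastion.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EXAMPLE4
|1|hashedsaltEXAMPLE=|hashedhostEXAMPLE= ssh-rsa AAAAB3NzaC1yc2EXAMPLE5'

printf '%s\n' "$SAMPLE_KNOWN_HOSTS" | rsa_only_hosts
```

Feed each host printed by rsa_only_hosts to check_host_without_ssh_rsa: a host that passes needs nothing, a host that fails is either an old server that cannot do rsa-sha2-* (upgrade it, or add an ed25519 host key and let UpdateHostKeys pick it up) or a device that will need a per-host HostKeyAlgorithms exception.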

Other changes:

  • An Include directive has been added to sshd_config, which inserts the contents of other files at the current position in the configuration file (glob patterns may be used in the file name);
  • A "no-touch-required" option has been added to ssh-keygen, which removes the requirement for physical confirmation of token access when generating a key;
  • A PubkeyAuthOptions directive has been added to sshd_config, which collects various options related to public key authentication. Currently only the "no-touch-required" flag is supported, which skips the check that the signature was confirmed by physical presence on the token. Correspondingly, a "no-touch-required" option has been added to the authorized_keys file;
  • An "-O write-attestation=/path" option has been added to ssh-keygen, allowing the FIDO attestation certificate to be written out when a key is generated. OpenSSH does not yet make use of these certificates, but they can be used to verify that the key was created in a trusted hardware store;
  • In the ssh and sshd configuration, the IPQoS directive can now select the DSCP LE (Lower-Effort Per-Hop Behavior) traffic class;
  • In ssh, with "AddKeysToAgent=yes", a key that has no comment field is now added to ssh-agent with the path to the key as its comment. ssh-keygen and ssh-agent now also use the PKCS#11 label and the X.509 subject name, instead of the library path, as the comment on a key;

  • Added the ability to export DSA and ECDSA keys in PEM format to ssh-keygen;
  • Added a new helper executable, ssh-sk-helper, which is used to isolate the FIDO/U2F token access library in a separate process;
  • Added a "--with-zlib" build option for ssh and sshd, to build against the zlib library;
  • In accordance with RFC4253, a warning that the connection is being refused because the MaxStartups limit was exceeded is now sent in the banner shown on connection. To simplify diagnostics, the sshd process title, visible in ps, now shows the number of connections currently being authenticated and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when invoking the program specified via $SSH_ASKPASS to display a prompt, a hint describing the kind of prompt is now passed as well: "confirm" for a yes/no confirmation dialog, "none" for an informational message only, and an empty value for the original behaviour of requesting a password or passphrase;
  • Added a new "find-principals" signature operation to ssh-keygen, which searches the allowed signers file for the principal associated with a given digital signature;
  • Improved support for sshd sandboxing on Linux via the seccomp mechanism: IPC system calls are blocked, while clock_gettime64(), clock_nanosleep_time64() and clock_nanosleep() are allowed.

Source: opennet.ru
