OpenSSH 8.0 release

After five months of development, the release of OpenSSH 8.0 has been announced, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support for a key exchange method that is resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers are radically faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (function ntrup4591761), developed for post-quantum cryptosystems, and the X25519 elliptic-curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was introduced in 2001 as an alternative to "host:port" to simplify working with IPv6. In modern conditions, the syntax "[::1]:22" has become established for IPv6, and "host/port" is often confused with a subnet (CIDR) specification;
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in accordance with the new NIST recommendations;
  • ssh allows the use of "PKCS11Provider=none" to override the PKCS11Provider directive specified in ssh_config;
  • sshd now reports situations in which the connection is terminated after an attempt to run commands blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is shown, the correct key fingerprint is now accepted in place of the "yes" answer (in response to the prompt to confirm the connection, the user can paste a reference hash obtained separately via the clipboard, so as not to compare it by hand);
  • ssh-keygen automatically increments the certificate serial number when creating digital signatures for several certificates on the command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to increase the verbosity of the output (when specified, this option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • The "-T" option has been added to ssh-add to test the suitability of keys in ssh-agent for digital signature creation and verification operations;
  • sftp-server implements support for the "lsetstat@openssh.com" protocol extension, which adds support for the SSH2_FXP_SETSTAT operation to SFTP, but without following symbolic links;
  • Added the "-h" option to sftp to run chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd sets the $SSH_CONNECTION environment variable for PAM;
  • For sshd, a "Match final" matching mode has been added to ssh_config, which is similar to "Match canonical" but does not require hostname canonicalization to be enabled;
  • Added support for the '@' prefix in sftp to disable echoing of the output of commands executed in batch mode;
  • When displaying the contents of a certificate with the command "ssh-keygen -Lf /path/certificate", the algorithm used by the CA to sign the certificate is now shown;

  • Improved support for the Cygwin environment, for example by providing case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed to cygsshd to avoid conflicts with the OpenSSH port supplied by Microsoft;
  • Added the ability to build with the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the implementation of the scp utility, which allows arbitrary files in the target directory to be overwritten on the client side when connecting to a server controlled by an attacker. The problem is that when scp is used, the server decides which files and directories to send to the client, and the client only checks the correctness of the returned object names. Client-side checking is limited to blocking traversal beyond the current directory ("../"), but does not take into account the transfer of files whose names differ from those originally requested. In the case of recursive copying (-r), in addition to file names, the names of subdirectories can be manipulated in the same way. For example, if the user copies files into the home directory, the attacker-controlled server can send files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and the scp utility will save them in the user's home directory.

    In the new release, the scp utility has been updated to check the correspondence between the requested file names and those sent by the server; the check is performed on the client side. This may cause problems with mask processing, since wildcard expansion characters may be handled differently on the server and client sides. In case such differences cause the client to stop accepting files in scp, the "-T" option has been added to disable the client-side check. To fix the problem completely, a conceptual rework of the scp protocol is required, and the protocol itself is already outdated, so it is recommended to use more modern protocols such as sftp and rsync instead.
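
    The difference between the two client-side checks described above, and the wildcard mismatch behind "-T", as an added example (not OpenSSH's own code). The helper names and sample file names are constructed for illustration, and the stricter check is assumed here to be a plain fnmatch(3) comparison against the last component of the requested path.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Older check as the text describes it: only refuse names that would
 * leave the current directory. Helper name is hypothetical. */
static int legacy_name_ok(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Stricter check: the name sent by the server must also match the last
 * component of the path the user requested (assumed: plain fnmatch). */
static int requested_name_ok(const char *requested, const char *name)
{
    const char *pattern = strrchr(requested, '/');

    pattern = pattern ? pattern + 1 : requested;
    if (!legacy_name_ok(name))
        return 0;
    return fnmatch(pattern, name, 0) == 0;
}

int main(void)
{
    /* Constructed sample: requested remote path and the name sent back. */
    static const char *cases[][2] = {
        { "docs/report.txt", "report.txt" },     /* honest server */
        { "docs/report.txt", ".bash_aliases" },  /* substituted name */
        { "logs/*.log", "app.log" },             /* wildcard, same on both sides */
        { "{a,b}.txt", "a.txt" },                /* remote shell expands braces, fnmatch does not */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-16s -> %-14s legacy=%d strict=%d\n",
            cases[i][0], cases[i][1],
            legacy_name_ok(cases[i][1]),
            requested_name_ok(cases[i][0], cases[i][1]));
    return 0;
}
```

    The last case is a legitimate file that the stricter check refuses, which is the kind of mismatch the "-T" option exists for.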

Source: opennet.ru
