OpenSSH 8.3 release fixes an scp vulnerability

After three months of development, OpenSSH 8.3 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an scp attack that allows the server to pass files other than those requested (unlike the previous vulnerability, the attack does not make it possible to change the directory or glob mask chosen by the user). Recall that in SCP the server decides which files and directories to send to the client, and the client only checks the correctness of the names of the returned objects. The essence of the identified problem is that if the utimes system call fails, the contents of the file are interpreted as file metadata.

When connecting to a server controlled by an attacker, this behaviour can be used to write files with different names and different contents into the user's filesystem while copying with scp, in configurations that cause the utimes call to fail (for example, when utimes is prohibited by an SELinux policy or a system call filter). The likelihood of a real attack is estimated to be low, since in typical configurations the utimes call does not fail. In addition, the attack is not invisible: when scp is invoked, a data transfer error is displayed.
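The client-side record handling described above, as an added illustration that is not OpenSSH's code: a minimal parser for the stream an SCP server sends to a receiving client. It consumes each file body strictly by the length declared in its header, so file content is never re-read as a control record or as metadata, and it validates the names the server returns (plain path components only, and top-level names must match what was requested). The record formats are those of the SCP protocol; the sample stream, host and file names are constructed, and the specific utimes failure path inside OpenSSH's scp is not modelled.

```python
"""Defensive parser for the SCP "sink" (receive) side. Added example, not OpenSSH code.

Control records a server sends to a receiving client (SCP protocol):
  C<mode> <length> <name>\n   file header, followed by <length> body bytes and a status byte
  D<mode> 0 <name>\n          enter directory
  E\n                         leave directory
  T<mtime> 0 <atime> 0\n      timestamps applying to the next C/D record (scp -p)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(rb"^([CD])([0-7]{4}) (\d+) (.+)$")
TIMES_RE = re.compile(rb"^T(\d+) 0 (\d+) 0$")


class ScpProtocolError(Exception):
    pass


@dataclass
class Entry:
    path: str
    mode: int
    data: Optional[bytes]        # None for directories
    mtime: Optional[int] = None  # from a preceding T record, if any


def _safe_name(raw: bytes) -> str:
    """Accept only a single, non-empty path component (no separators, no dot entries)."""
    name = raw.decode("utf-8")
    if name in ("", ".", "..") or "/" in name or "\x00" in name:
        raise ScpProtocolError(f"unsafe name from server: {name!r}")
    return name


def parse_sink_stream(stream: bytes, requested: set[str]) -> list[Entry]:
    """Parse a server's SCP record stream the way a careful receiving client should.

    Invariants: file bytes are consumed by declared length only and never parsed
    as records; every name is a plain component; top-level names were requested.
    """
    entries: list[Entry] = []
    dirs: list[str] = []
    pending_mtime: Optional[int] = None
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise ScpProtocolError("truncated control record")
        line, pos = stream[pos:nl], nl + 1
        if line == b"E":
            if not dirs:
                raise ScpProtocolError("E record without a matching D record")
            dirs.pop()
            continue
        m = TIMES_RE.match(line)
        if m:
            pending_mtime = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ScpProtocolError(f"malformed record: {line!r}")
        kind, mode, length, raw_name = m.groups()
        name = _safe_name(raw_name)
        if not dirs and name not in requested:
            raise ScpProtocolError(f"server sent an object that was not requested: {name!r}")
        path = "/".join(dirs + [name])
        if kind == b"D":
            entries.append(Entry(path, int(mode, 8), None, pending_mtime))
            dirs.append(name)
        else:
            n = int(length)
            data = stream[pos:pos + n]
            if len(data) != n:
                raise ScpProtocolError("file body shorter than its declared length")
            pos += n
            # Exactly one status byte follows the body; 0 means success.
            if pos >= len(stream) or stream[pos] != 0:
                raise ScpProtocolError("missing or non-zero status byte after file body")
            pos += 1
            entries.append(Entry(path, int(mode, 8), data, pending_mtime))
        pending_mtime = None
    if dirs:
        raise ScpProtocolError("directory not terminated by an E record")
    return entries


# Constructed sample stream: a directory "docs" holding a file whose *body* looks
# like a file header. Because the body is consumed by length, it stays data.
SAMPLE_STREAM = (
    b"D0755 0 docs\n"
    + b"T1590000000 0 1590000000 0\n"
    + b"C0644 18 notes.txt\n"
    + b"C0644 5 evil\nhello"   # 18 bytes of file content
    + b"\x00"                  # status byte closing the body
    + b"E\n"
)

if __name__ == "__main__":
    for entry in parse_sink_stream(SAMPLE_STREAM, {"docs"}):
        print(entry.path, oct(entry.mode), entry.mtime, entry.data)
```

The two checks worth noticing are the length-bounded body read and the name filter: a client that ever falls back to reading the body as records, as the text says scp did after a failed utimes, loses the first guarantee, and a client that accepts names containing separators or dot entries loses the second.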

General changes:

  • In sftp, the "-1" argument, which was previously accepted but ignored, is now rejected, as ssh and scp already do;
  • In sshd, the IgnoreRhosts setting now has three values: "yes" - ignore rhosts/shosts, "no" - respect rhosts/shosts, and "shosts-only" - allow ".shosts" but disable ".rhosts";
  • ssh now supports %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
  • Public keys can now be loaded from an unencrypted private key file when there is no separate file with the public key;
  • If libcrypto is present on the system, ssh and sshd now use the chacha20 implementation from that library instead of the built-in portable implementation, which lags behind in performance;
  • Added the ability to dump the contents of a binary revoked-certificate list with the command "ssh-keygen -lQf /path";
  • The portable version now detects systems on which signals with the SA_RESTART option interrupt the operation of select;
  • Fixed compilation problems on HP/UX and AIX systems;
  • Fixed problems building the seccomp sandbox on some Linux systems;
  • Improved detection of the libfido2 library and fixed build issues with the "--with-security-key-builtin" option.

The OpenSSH developers also warned again about the upcoming deprecation of algorithms that use SHA-1 hashes, because of the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at around 45 thousand dollars). In one of the upcoming releases they plan to disable by default the ability to use the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test whether ssh-rsa is in use on your systems, you can try connecting via ssh with the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
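The check suggested above (connecting with "-oHostKeyAlgorithms=-ssh-rsa") and the migration it prepares for, as an added example that is not part of the article or of the OpenSSH project: a small audit helper that lists known_hosts entries whose stored host key is of type ssh-rsa, and that builds and runs the ssh probe the text describes. The known_hosts sample is constructed; the hostnames are placeholders. Note the caveat built into the first function: an RSA host key by itself does not mean the server is limited to SHA-1 signatures, because the same key type also serves rsa-sha2-256/512, so only the probe settles the question.

```python
"""Audit helpers for the ssh-rsa deprecation. Added example, not OpenSSH project code."""
import subprocess
from typing import List, Optional

# Constructed sample; a real file lives in ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts.
SAMPLE_KNOWN_HOSTS = """\
# hosts below are placeholders, key blobs are truncated and not real keys
legacy.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed
|1|saltsalt=|hashedhost= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed
modern.example.internal,10.0.0.5 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYconstructed
"""

# Key types named in the text as migration targets; listed here for classification only.
MODERN_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def rsa_keyed_hosts(known_hosts_text: str) -> List[str]:
    """Return the host field of every known_hosts entry whose key type is ssh-rsa.

    Handles '@cert-authority' / '@revoked' markers (which shift the fields) and
    hashed '|1|...' hostnames, which are returned as-is since they cannot be reversed.
    An ssh-rsa *key type* alone does not prove the server only signs with SHA-1:
    RSA keys are also used for rsa-sha2-256/512. Use probe_argv() to decide.
    """
    hosts = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) >= 3 and fields[1] == "ssh-rsa":
            hosts.append(fields[0])
    return hosts


def probe_argv(host: str, timeout: int = 5) -> List[str]:
    """Command line for the check the text suggests: refuse ssh-rsa host key signatures.

    BatchMode suppresses prompts so the probe can run unattended; running 'true'
    keeps the session trivial if authentication happens to succeed.
    """
    return ["ssh", "-oHostKeyAlgorithms=-ssh-rsa", "-oBatchMode=yes",
            f"-oConnectTimeout={timeout}", host, "true"]


def needs_ssh_rsa(host: str) -> Optional[bool]:
    """Run the probe against a host.

    Host key algorithm negotiation happens during key exchange, before user
    authentication, so an authentication failure still shows the server can sign
    with something other than ssh-rsa. Returns True when negotiation itself failed
    for lack of a shared host key algorithm, False when it succeeded, and None for
    unrelated failures (network, timeout, host key verification).
    """
    proc = subprocess.run(probe_argv(host), capture_output=True, text=True)
    if proc.returncode == 0 or "Permission denied" in proc.stderr:
        return False
    if "no matching host key type found" in proc.stderr:
        return True
    return None


if __name__ == "__main__":
    for h in rsa_keyed_hosts(SAMPLE_KNOWN_HOSTS):
        print("RSA host key stored for", h, "- probe with:", " ".join(probe_argv(h)))
```

A practical workflow is to run rsa_keyed_hosts() over every known_hosts file in use, then call needs_ssh_rsa() only for the hosts it lists; those that return True are the servers (or the client-side configurations) that will stop working once ssh-rsa is disabled by default and should be moved to one of the key types in MODERN_KEY_TYPES or to rsa-sha2-* signatures.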

In the current release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for signing new certificates, since the use of SHA-1 in certificates poses an additional risk: an attacker has unlimited time to find a collision for an existing certificate, whereas the time available to attack host keys is limited by the connection timeout (LoginGraceTime).

Source: opennet.ru
