OpenSSH 8.4 release

After four months of development, the release of OpenSSH 8.4 has been announced. OpenSSH is an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.

Major changes:

  • Security changes:
    • In ssh-agent, when using FIDO keys that were not created for SSH authentication (the key ID does not start with the string "ssh:"), it is now checked that the message to be signed uses one of the methods used in the SSH protocol. With this change, forwarding ssh-agent to remote hosts no longer lets those hosts use the attached FIDO keys to generate signatures for web authentication requests (the reverse case, where a browser could sign an SSH request, is ruled out from the start by the use of the "ssh:" prefix in the key identifier).
    • Resident key generation in ssh-keygen now includes support for the credProtect extension described in the FIDO 2.1 specification, which provides additional protection for keys by requiring a PIN before any operation that could result in the resident key being extracted from the token.
  • Changes that may break compatibility:
    • To support FIDO/U2F, it is recommended to use the libfido2 library, version 1.5.0 or later. The ability to use older versions has been partially implemented, but in that case features such as resident keys, PIN prompts and connecting multiple tokens will not be available.
    • In ssh-keygen, the authenticator data needed to verify attestation digital signatures has been added to the format of the attestation information, which is optionally saved when generating a FIDO key.
    • The API used when OpenSSH interacts with the layer for accessing FIDO tokens has been changed.
    • When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from a published source tar file, regenerating configure is not required).
  • Added support for FIDO keys that require PIN verification in ssh and ssh-keygen. To generate keys with a PIN, the "verify-required" option has been added to ssh-keygen. When such keys are used, the user is prompted to confirm the action by entering the PIN code before the signature operation is performed.
  • In sshd, the "verify-required" option has been implemented in the authorized_keys settings. It requires the use of capabilities that verify the user's presence during operations with the token. The FIDO standard provides several options for such verification, but OpenSSH currently supports only PIN-based verification.
  • sshd and ssh-keygen have added support for verifying digital signatures that conform to the FIDO Webauthn standard, which allows FIDO keys to be used in web browsers.
  • In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now allow substitution of values from environment variables specified in the "${ENV}" format.
  • ssh and ssh-agent have added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable the ssh-askpass call.
  • In ssh, the AddKeysToAgent directive in ssh_config can now limit the validity period of a key. After the specified limit expires, the keys are automatically removed from ssh-agent.
  • In scp and sftp, the "-A" flag can now be used to explicitly allow forwarding to scp and sftp using ssh-agent (forwarding is disabled by default).
  • Added support for the '%k' substitution in ssh settings, which specifies the host key name. This can be used to distribute keys across separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • The "ssh-add -d -" operation can now be used to read from stdin the keys that are to be removed.
  • In sshd, the start and end of connection throttling, which is controlled by the MaxStartups parameter, are now recorded in the log.
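
To illustrate the '%k' layout mentioned in the list above, the following added example (not part of the original article or of OpenSSH) splits an existing known_hosts file into one file per host name. The function name `split_known_hosts` is hypothetical, and the script assumes that '%k' expands to the host name or HostKeyAlias without a port.

```sh
#!/bin/sh
# Added example: prepare per-host files for
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
# Assumption: %k expands to the host name (or HostKeyAlias), without the port.

# split_known_hosts SRC DESTDIR
# Copies every plain entry of SRC into DESTDIR/<host name> and prints the
# number of skipped lines. Hashed, wildcard, negated and @marker entries
# cannot be mapped to a single file name and must be handled by hand.
# The body runs in a subshell so that "set -f" and IFS changes stay local.
split_known_hosts() (
    src=$1 dest=$2
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    set -f                      # "[host]:port" must not be treated as a glob
    skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        hosts=${line%% *}       # first field: comma-separated host names
        case $hosts in
            '@'*|'|'*|*'*'*|*'?'*|*'!'*) skipped=$((skipped + 1)); continue ;;
        esac
        IFS=,
        for h in $hosts; do
            # "[host]:port" -> "host"; the full line is still copied unchanged.
            case $h in '['*']:'*) h=${h#\[}; h=${h%%]:*} ;; esac
            # Refuse names that could escape DESTDIR or create dotfiles.
            case $h in */*|.*|'') continue ;; esac
            printf '%s\n' "$line" >> "$dest/$h"
        done
        unset IFS
    done < "$src"
    echo "$skipped"
)
```

Run it against a copy of the file first and review the skipped entries before switching UserKnownHostsFile to the new directory.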

The OpenSSH developers also reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased efficiency of collision attacks with a given prefix (the cost of selecting a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, they plan to disable by default the ability to use the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test the use of ssh-rsa on your systems, you can try connecting via ssh with the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to new algorithms in OpenSSH, the next release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
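
As a complement to the "-oHostKeyAlgorithms=-ssh-rsa" connection test, the following added example (not part of the original article or of OpenSSH) audits a client's effective settings for the two points above: whether "ssh-rsa" is still offered and whether UpdateHostKeys is enabled. It reads text in the format printed by `ssh -G <host>`; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit effective OpenSSH client settings for SHA-1 "ssh-rsa".
# Input format: output of `ssh -G <host>` (lowercase keyword, space, value).

# Constructed sample input (not captured from a real system).
sample_config() {
cat <<'EOF'
hostname build.example.org
updatehostkeys false
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256
kexalgorithms curve25519-sha256
EOF
}

# Reads a config dump on stdin and prints one finding per line.
# Prints nothing when ssh-rsa is absent and UpdateHostKeys is enabled.
audit_ssh_rsa() {
    awk '
    # Lists are comma-separated; compare whole names so that rsa-sha2-256
    # (SHA-2 signatures with the same RSA key) is not reported.
    # pubkeyacceptedalgorithms is the name used by releases after 8.4.
    $1 == "hostkeyalgorithms" || $1 == "pubkeyacceptedkeytypes" || $1 == "pubkeyacceptedalgorithms" {
        n = split($2, algs, ",")
        for (i = 1; i <= n; i++)
            if (algs[i] == "ssh-rsa")
                print "WEAK " $1 ": ssh-rsa (SHA-1) still offered"
    }
    $1 == "updatehostkeys" {
        seen = 1
        if ($2 != "yes" && $2 != "true")
            print "NOTE updatehostkeys is " $2 ": host keys are not migrated automatically"
    }
    END { if (!seen) print "NOTE updatehostkeys not present in input" }
    '
}

# Exit status 0 when ssh-rsa is offered in any list, 1 otherwise.
offers_ssh_rsa() {
    audit_ssh_rsa | grep '^WEAK ' >/dev/null
}
```

On a real system the input would come from `ssh -G host | audit_ssh_rsa`, run per host so that Host and Match blocks in ssh_config are taken into account.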

Source: opennet.ru
