After five months of development, OpenSSH 8.5 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.
The OpenSSH developers have again reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, because of the growing efficiency of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 50 thousand dollars). In one of the upcoming releases they plan to disable by default the ability to use the "ssh-rsa" public key digital signature algorithm, which is specified in the original RFC for the SSH protocol and remains widespread in practice.
To check whether ssh-rsa is still in use on your systems, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since the SSH protocol allows hash algorithms other than SHA-1 to be used. In particular, besides "ssh-rsa", the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations remain available.
To smooth the transition to the new algorithms, OpenSSH 8.5 enables the UpdateHostKeys setting by default, which lets clients switch automatically to more robust algorithms. With this setting, the special protocol extension "[email protected]" is enabled, which allows the server, after authentication, to inform the client about all available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to rotate keys on the server.
The use of UpdateHostKeys is limited by several restrictions that may be removed in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be in use; in known_hosts, wildcard patterns with a host name must not be used; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be enabled.
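As an added check (not code from the release notes or from the OpenSSH project), the script below parses a known_hosts file and flags three of the conditions listed above that keep UpdateHostKeys from refreshing an entry: wildcard host patterns, @cert-authority lines, and one key listed under more than one host name. The sample file and its key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the release notes or from the OpenSSH project.
# Audits a known_hosts file for three conditions that stop UpdateHostKeys from
# refreshing an entry: a wildcard host pattern, a @cert-authority line, and the
# same key listed under more than one host name. Hashed (|1|...) entries are
# unaffected, since base64 never contains '*' or '?'.
audit_known_hosts() {
    awk '
    /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }      # skip blanks and comments
    {
        f = 1; marker = ""
        if ($1 ~ /^@/) { marker = $1; f = 2 }         # @cert-authority / @revoked
        hosts = $f; key = $(f + 1) " " $(f + 2)       # "type blob"
        if (marker == "@cert-authority")
            printf "line %d: CA entry %s (certified host keys are not updated)\n", NR, hosts
        if (hosts ~ /[*?]/)
            printf "line %d: pattern %s (wildcard entries are not updated)\n", NR, hosts
        if (key in seen)
            printf "line %d: same key as line %d under another name\n", NR, seen[key]
        else
            seen[key] = NR
    }' "$1"
}

# Number of blocking findings, usable as an exit status source in scripts.
count_blockers() { audit_known_hosts "$1" | wc -l | tr -d ' '; }

# Constructed sample file; the key blobs are placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample known_hosts
git.example.net ssh-ed25519 AAAAC3CONSTRUCTEDKEY1
*.lab.example.net ssh-rsa AAAAB3CONSTRUCTEDKEY2
@cert-authority *.corp.example.net ssh-ed25519 AAAAC3CONSTRUCTEDCA
bastion.example.net ssh-ed25519 AAAAC3CONSTRUCTEDKEY3
10.0.0.5 ssh-ed25519 AAAAC3CONSTRUCTEDKEY3
EOF

audit_known_hosts "$sample"
```

Run it against ~/.ssh/known_hosts to see which entries will keep being verified the old way even with UpdateHostKeys on.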
The recommended algorithms to migrate to include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Other changes:
- Security changes:
  - A vulnerability caused by freeing an already freed memory region (double-free) has been fixed in ssh-agent. The issue has existed since OpenSSH 8.2 and can be exploited if an attacker has access to the ssh-agent socket on the local system. Exploitation is made harder by the fact that only root and the original user can access the socket. The most likely attack scenario is the agent being forwarded to an account controlled by the attacker, or to a host on which the attacker has root access.
  - sshd has added protection against passing overly large user name parameters to the PAM subsystem, which makes it possible to block vulnerabilities in PAM (Pluggable Authentication Module) system modules. For example, the change prevents sshd from being used as a vector to exploit the recently discovered root vulnerability in Solaris (CVE-2020-14871).
- Potentially compatibility-breaking changes:
  - In ssh and sshd, the experimental key exchange method resistant to attacks on a quantum computer has been reworked. Quantum computers are drastically faster at factoring a natural number into prime factors, the problem that underlies modern asymmetric encryption algorithms and is not efficiently solvable on classical processors. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and on the X25519 elliptic-curve key exchange method. Instead of [email protected], the method is now identified as [email protected] (the sntrup4591761 algorithm has been replaced by sntrup761).
  - In ssh and sshd, the order in which the supported digital signature algorithms are announced has changed. ED25519 is now offered first instead of ECDSA.
  - In ssh and sshd, the TOS/DSCP quality-of-service parameters for interactive sessions are now set before the TCP connection is established.
  - Support for the [email protected] cipher, which was identical to aes256-cbc and was used before RFC-4253 was approved, has been discontinued in ssh and sshd.
  - The CheckHostIP parameter is now disabled by default; its benefit is negligible, but its use significantly complicates key rotation for hosts behind load balancers.
  - The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate at which handlers are started depending on the client address. These parameters allow finer control over the limit on process launches than the general MaxStartups setting.
  - A new LogVerbose setting has been added to ssh and sshd, which allows the level of debugging information written to the log to be raised forcibly, with the ability to filter by patterns, functions and files.
  - In ssh, when a new host key is accepted, all host names and IP addresses associated with the key are displayed.
  - ssh accepts the UserKnownHostsFile=none option to disable use of the known_hosts file when identifying host keys.
  - The KnownHostsCommand setting has been added to ssh_config for ssh, allowing known_hosts data to be obtained from the output of the specified command.
  - The PermitRemoteOpen option has been added to ssh_config for ssh to allow restricting the destination when using the RemoteForward option with SOCKS.
  - In ssh, for FIDO keys, a repeated PIN prompt is issued if the signature operation fails because of an incorrect PIN and the user was not prompted for a PIN (for example, when suitable biometric data could not be obtained and the device fell back to manual PIN entry).
  - sshd adds support for additional system calls to the seccomp-bpf-based process isolation mechanism on Linux.
  - The contrib/ssh-copy-id utility has been updated.
Source: opennet.ru