OpenSSH 8.7 released

After four months of development, OpenSSH 8.7, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols, has been released.

Major changes:

  • An experimental data transfer mode has been added to scp that uses the SFTP protocol instead of the legacy SCP/RCP protocol. SFTP uses predictable name-handling rules and does not rely on the remote side's shell to expand glob patterns, which is a source of security problems. To enable SFTP in scp, the "-s" flag is specified, but in the future it is planned to switch to this protocol by default.
  • sftp-server implements extensions to the SFTP protocol for expanding the ~/ and ~user/ paths, which scp needs.
  • The scp utility has changed its behaviour when copying files between two remote hosts (for example, "scp host-a:/path host-b:"); this is now done by default through the local host as an intermediary, as when the "-3" flag is specified. This approach avoids passing unnecessary credentials to the first host and the triple interpretation of file names by the shell (on the source, destination and local system sides), and, when SFTP is used, allows all authentication methods to be used on the remote hosts, not only non-interactive ones. The "-R" option has been added to restore the old behaviour.
  • Added the ForkAfterAuthentication setting to ssh, corresponding to the "-f" flag.
  • Added the StdinNull setting to ssh, corresponding to the "-n" flag.
  • Added the SessionType setting to ssh, which can select the modes corresponding to the "-N" (no session) and "-s" (subsystem) flags.
  • ssh-keygen now allows a certificate validity interval to be specified in certificate files.
  • Added the "-Oprint-pubkey" flag to ssh-keygen to print the full public key as part of an sshsig signature.
  • In ssh and sshd, both the client and the server have been moved to a stricter configuration file parser that uses shell-like rules for handling quotes, spaces and escape characters. The new parser also no longer ignores mistakes that were previously tolerated, such as omitting the argument of an option (for example, the DenyUsers directive can no longer be left empty), unclosed quotes, and multiple "=" characters.
  • When using SSHFP DNS records to verify host keys, ssh now checks all matching records, not only those with a specific digital signature type.
  • In ssh-keygen, when generating a FIDO key with the -Ochallenge option, the built-in layer is now used for hashing instead of libfido2, which allows challenge sequences larger or smaller than 32 bytes.
  • In sshd, when processing environment="..." directives in authorized_keys files, the first match is now accepted and there is a limit of 1024 environment variable names.

The OpenSSH developers have also warned about the weakening of algorithms that use SHA-1 hashes due to the growing feasibility of chosen-prefix collision attacks (the cost of finding such a collision is estimated at around fifty thousand dollars). In the next release, it is planned to disable by default the ability to use the "ssh-rsa" public key signature algorithm, which was specified in the original RFC for the SSH protocol and remains widely used in practice.

To test whether ssh-rsa is in use on your systems, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since in addition to SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, besides "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.

To smooth the transition to the new algorithms, OpenSSH previously added the UpdateHostKeys setting, enabled by default, which allows clients to switch automatically to more reliable algorithms. With this setting, a special protocol extension "hostkeys-00@openssh.com" is enabled that allows the server, after authentication, to inform the client of all the host keys it has available. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be refreshed and makes it easier to rotate keys on the server.

The use of UpdateHostKeys is limited by several restrictions that may be lifted in the future: the key must be listed in UserKnownHostsFile and must not be used in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be used; wildcard host name patterns must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be enabled.

The algorithms recommended for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
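As an added example (not part of the original article or of the OpenSSH project), the following POSIX shell script audits a known_hosts file for two of the points above: entries that UpdateHostKeys cannot rotate (wildcard host patterns and @cert-authority lines) and hosts whose only recorded key type is ssh-rsa, which are the ones to migrate before the ssh-rsa signature algorithm is disabled. The known_hosts content, host names and key blobs are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a known_hosts file for entries that block
# UpdateHostKeys and for hosts that only have an ssh-rsa key on record.

# Constructed sample known_hosts content (placeholder host names; the key
# blobs are not real keys).
SAMPLE_KNOWN_HOSTS='# comment line
bastion.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEKEY1
bastion.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2
legacy.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEKEY3
*.lab.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY4
@cert-authority *.corp.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY5
'

# Print, one per line, the entries UpdateHostKeys cannot handle:
#   "pattern:<host>"        - wildcard/negated host patterns (* ? !)
#   "cert-authority:<host>" - host key certificates (@cert-authority lines)
# Hashed entries ("|1|salt|hash") contain none of these characters and pass.
# $1: path to a known_hosts file
find_unrotatable_entries() {
    awk '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        $1 == "@cert-authority" { print "cert-authority:" $2; next }
        $1 ~ /[*?!]/            { print "pattern:" $1; next }
    ' "$1"
}

# Print (sorted) the hosts that have an ssh-rsa key and no other key type.
# Note: ssh-rsa here is the key type; with OpenSSH the same key can still be
# used via rsa-sha2-256/512, but these hosts need checking first.
# $1: path to a known_hosts file
find_rsa_only_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^@/      { next }            # markers such as @cert-authority, @revoked
        {
            host = $1; type = $2
            if (type == "ssh-rsa") rsa[host] = 1
            else                   other[host] = 1
        }
        END { for (h in rsa) if (!(h in other)) print h }
    ' "$1" | sort
}

# Write the constructed sample to a temporary file and run both checks.
run_demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_KNOWN_HOSTS" > "$tmp"
    echo "Entries UpdateHostKeys cannot rotate:"
    find_unrotatable_entries "$tmp"
    echo "Hosts whose only recorded key type is ssh-rsa:"
    find_rsa_only_hosts "$tmp"
    rm -f "$tmp"
}

run_demo
```

Point the functions at a real ~/.ssh/known_hosts to get the same report for your own client; entries reported as unrotatable will keep the old ssh-rsa key until they are fixed by hand, even with UpdateHostKeys enabled.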

Source: opennet.ru
