OpenSSH 9.6 released with vulnerability fixes

OpenSSH 9.6 has been released. It is an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. The new version fixes three security issues:

  • A vulnerability in the SSH protocol (CVE-2023-48795, the "Terrapin" attack) that allows a MITM attacker to roll the connection back to less secure authentication algorithms and to disable protection against side-channel attacks that reconstruct input by analyzing the delays between keystrokes on the keyboard. The attack method is described in a separate news article.
  • A vulnerability in the ssh utility that allows arbitrary shell commands to be substituted by manipulating login and host values that contain special characters. The vulnerability can be exploited if an attacker controls the login and hostname values passed to ssh, to the ProxyCommand and LocalCommand directives, or to "match exec" blocks that contain substitution tokens such as %u and %h. For example, an incorrect login and host can be substituted on systems that use submodules in Git, since Git does not forbid special characters in host and user names. A similar vulnerability is also present in libssh.
  • A bug in ssh-agent where, when adding PKCS#11 private keys, restrictions were applied only to the first key returned by the PKCS#11 token. The issue does not affect regular private keys, FIDO keys, or unrestricted keys.
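
As an added example (not from the original article or from the OpenSSH project), the following Python code audits an ssh_config file for the directives named in the second item above: ProxyCommand, LocalCommand and "Match ... exec" lines that expand user- or host-derived tokens into a shell command. The function names, the sample configuration and its helper paths are constructed for illustration, and treating %r and %n as risky alongside the %u and %h named in the article is an assumption.

```python
import re

# %u and %h are named on the page; %r and %n are an added assumption.
RISKY_TOKENS = {"%h", "%u", "%r", "%n"}
COMMAND_KEYWORDS = {"proxycommand", "localcommand"}

def risky_tokens(command):
    """Return the risky %-tokens in a command, skipping the literal '%%'."""
    found = re.findall(r"%(?:%|[A-Za-z])", command)
    return sorted({t for t in found if t in RISKY_TOKENS})

def match_exec_commands(args):
    """Return the command given to each 'exec' criterion of a Match line."""
    hits = re.finditer(r'(?i)\bexec\s+(?:"([^"]*)"|(\S+))', args)
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in hits]

def audit_ssh_config(text):
    """List (line, keyword, tokens) for directives that pass risky tokens to a shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if keyword in COMMAND_KEYWORDS:
            commands = [args]
        elif keyword == "match":
            commands = match_exec_commands(args)
        else:
            continue
        for command in commands:
            tokens = risky_tokens(command)
            if tokens:
                findings.append((lineno, keyword, tokens))
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE_CONFIG = """\
Host bastion-*
    ProxyCommand /usr/local/bin/connect-helper %h %p
Host build
    LocalCommand=echo "connected as %u" >> /tmp/ssh.log
Match host *.example.org exec "/usr/local/bin/check-vpn %h"
Host plain
    ProxyCommand nc -X 5 -x 127.0.0.1:1080 %%h-literal 22
"""
```

Each finding marks a directive whose command line depends on a login or hostname value, which is where untrusted input (for example from a Git submodule URL) would reach the shell on an unpatched client.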

Other changes:

  • Added a "%j" substitution to ssh, which expands to the hostname specified via the ProxyJump directive.
  • ssh added support for setting ChannelTimeout on the client side, which can be used to terminate inactive channels.
  • Added support for reading ED25519 private keys in PEM PKCS8 format to ssh, sshd, ssh-add and ssh-keygen (previously only the OpenSSH format was supported).
  • A protocol extension was added to ssh and sshd to renegotiate the digital signature algorithms for public key authentication after the username has been received. For example, using the extension, you can selectively use other algorithms for particular users by specifying PubkeyAcceptedAlgorithms in a "Match user" block.
  • Added a protocol extension to ssh-add and ssh-agent for setting certificates when loading PKCS#11 keys, allowing certificates associated with PKCS#11 private keys to be used in all OpenSSH utilities that support ssh-agent, not just ssh.
  • Improved detection of unsupported or unstable compiler flags such as "-fzero-call-used-regs" in clang.
  • To restrict the privileges of the sshd process, versions of OpenSolaris that support the getpflags() interface use the PRIV_XPOLICY mode instead of PRIV_LIMIT.

Source: opennet.ru
