OpenSSH 9.2 released with a fix for a pre-authentication vulnerability

OpenSSH 9.2 has been released, an open implementation of a client and server for the SSH 2.0 and SFTP protocols. The new version fixes a vulnerability that leads to a double free of memory at the pre-authentication stage. Only the OpenSSH 9.1 release is affected; the problem does not appear in earlier versions.

To create the conditions under which the vulnerability manifests, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1" so that the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" compatibility flags are set, as happens depending on the SSH client version. After these flags are set, the memory of the "options.kex_algorithms" buffer is freed twice: once when the do_ssh2_kex() function runs and calls compat_kex_proposal(), and again when the do_authentication2() function runs and calls, along the chain, input_userauth_request(), mm_getpwnamallow(), copy_set_server_options(), assemble_algorithms() and kex_assemble_names().

Creating a working exploit for the vulnerability is considered unlikely, since exploitation would be too complicated: modern memory allocation libraries provide protection against double frees, and the pre-auth process in which the bug is present runs with reduced privileges in an isolated sandbox environment.

In addition to the vulnerability noted above, the new release also fixes two other security issues:

  • A bug in the handling of the "PermitRemoteOpen" setting caused the first argument to be ignored if it differed from the values "any" and "none". The problem appears in versions newer than OpenSSH 8.7 and causes the check to be skipped when only one permission is specified.
  • An attacker who controls the DNS server used for name resolution could get special characters (for example, "*") substituted into known_hosts files if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options are enabled in the configuration and the system resolver does not validate the responses from the DNS server. The attack is considered unlikely because the returned names must satisfy the conditions specified via CanonicalizePermittedCNAMEs.

Other changes:

  • The EnableEscapeCommandline setting has been added to ssh_config for ssh to control whether client-side handling of the "~C" escape sequence, which provides a command line, is enabled. By default, "~C" handling is now disabled in favour of stricter sandbox isolation, which may break setups that use "~C" to set up port forwarding at runtime.
  • The ChannelTimeout directive has been added to sshd_config for sshd to set a channel inactivity timeout (channels that carry no traffic for the interval given in the directive are closed automatically). Separate timeouts can be set for session, X11, agent and traffic forwarding channels.
  • The UnusedConnectionTimeout directive has been added to sshd_config for sshd, allowing a timeout to be set after which client connections that have had no active channels for the given interval are terminated.
  • The "-V" option has been added to sshd to display the version, similar to the same option in the ssh client.
  • A "Host" line has been added to the output of "ssh -G", reflecting the value of the hostname argument.
  • The "-X" option has been added to scp and sftp to control SFTP protocol parameters such as the copy buffer size and the number of outstanding requests.
  • ssh-keyscan can now scan entire CIDR address ranges, for example "ssh-keyscan 192.168.0.0/24".
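As an added illustration, not code from the release or from opennet.ru, the following Python inventory check ties together two points above: only OpenSSH 9.1 carries the pre-authentication double free, and 9.2 introduces the ChannelTimeout and UnusedConnectionTimeout directives. It parses a server identification banner of the form "SSH-2.0-OpenSSH_9.1p1 ..." and a constructed sshd_config sample; the banner regex, the simplified config parsing (whitespace or "=" separator, "#" comments, directives inside a Match block treated as non-global) and the sample values are assumptions of this example.

```python
import re

# Server identification string as sent on connect, e.g. "SSH-2.0-OpenSSH_9.1p1 Debian-2".
# Assumed format for this example; only release 9.1 is affected by the double free.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def openssh_version(banner: str):
    """Return (major, minor) parsed from an OpenSSH server banner, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def affected_by_preauth_double_free(banner: str) -> bool:
    """True only for OpenSSH 9.1; earlier and later releases are not affected."""
    return openssh_version(banner) == (9, 1)


def parse_sshd_config(text: str) -> dict:
    """Collect global directives (those before the first Match block), lower-cased keyword -> value.

    Simplifications assumed here: '#' starts a comment anywhere on a line, and keyword and
    value are separated by whitespace or by the first '=' (so 'session:*=10m' stays intact).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # everything after a Match applies only to matching connections
            break
        directives[key] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def missing_timeouts(config_text: str) -> list:
    """Return the names of the 9.2 idle-timeout directives that are not set globally."""
    present = parse_sshd_config(config_text)
    return [d for d in ("ChannelTimeout", "UnusedConnectionTimeout") if d.lower() not in present]


# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CONFIG = """\
# constructed sample
Port 22
ChannelTimeout session:*=10m agent-connection=5m   # global: counts
Match User backup
    UnusedConnectionTimeout 1m                     # inside Match: not global
"""
```

Running `missing_timeouts(SAMPLE_CONFIG)` reports only UnusedConnectionTimeout as unset, because the copy inside the Match block does not apply to every connection.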

Source: opennet.ru
