OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, OpenSSH 8.2 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The key improvement in OpenSSH 8.2 is the ability to use two-factor authentication with devices that support the U2F protocol developed by the FIDO Alliance. U2F allows the creation of low-cost hardware tokens that confirm the physical presence of the user and communicate over USB, Bluetooth or NFC. Such devices are promoted as a second factor for websites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that confirm user presence, two new key types, "ecdsa-sk" and "ed25519-sk", have been added to OpenSSH; they use the ECDSA and Ed25519 digital signature algorithms combined with the SHA-256 hash. The procedures for talking to tokens are placed in a middleware library, which is loaded in the same way as the PKCS#11 support library and is a wrapper around libfido2, which provides the means of communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The middleware library libsk-libfido2, prepared by the OpenSSH developers, has been merged into libfido2 itself, together with a HID driver for OpenBSD.

To authenticate and generate keys, the "SecurityKeyProvider" parameter must be set in the configuration, or the SSH_SK_PROVIDER environment variable must point at the external library libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). It is also possible to build OpenSSH with built-in support for the library (--with-security-key-builtin), in which case "SecurityKeyProvider=internal" must be set.
Next, run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server with "ssh". When ssh-keygen is run, the generated key pair is stored in "~/.ssh/id_ecdsa_sk" and can be used in the same way as any other key.

The public key (id_ecdsa_sk.pub) must be copied to the authorized_keys file on the server. On the server side only the digital signature is verified; all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: the actual key is formed in combination with a secret stored on the U2F token. If the id_ecdsa_sk key falls into an attacker's hands, then to pass authentication they would also need access to the hardware token, without which the private key stored in the id_ecdsa_sk file is useless.

In addition, by default every operation with the keys (both during generation and during authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes it harder to carry out remote attacks against systems that have a token connected. As a further line of defence, a passphrase can also be set at the ssh-keygen stage to protect the key file.
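To make the division of labour described above concrete, here is an added example (written for this page, not code from OpenSSH or libfido2) of what sshd actually has to check for an "ecdsa-sk" key, following the blob and signature layouts in OpenSSH's PROTOCOL.u2f. The token side is simulated with a software P-256 key, and the counter is supplied by the caller; in real use the private scalar and the counter stay inside the token, and the application string is normally "ssh:". The points to notice are that the verifier needs nothing but the public blob, that the application string is hashed into the signed data, and that the user-presence flag is set by the token and checked by the server, which is exactly the check that a no-touch-required option turns off (the require_touch parameter below).

```python
import hashlib
import secrets
import struct

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p, q):  # P-256 affine addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, p):  # double-and-add, not constant time: demo only
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p, k = point_add(p, p), k >> 1
    return acc

def ecdsa_verify(pub, e, r, s):  # e is the message hash as an integer
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    pt = point_add(point_mul(e * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def ssh_string(b):  # RFC 4251 string
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n):  # RFC 4251 mpint, minimal encoding of a positive integer
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def read_string(buf, pos):  # -> (value, next pos); raises on truncation
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated blob")
    return buf[pos + 4:end], end
def h2i(data):  # SHA-256 digest as an integer, as ECDSA consumes it
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

SK_ECDSA = b"sk-ecdsa-sha2-nistp256@openssh.com"
SK_USER_PRESENCE = 0x01  # flags bit sshd insists on unless no-touch-required

def sk_pubkey_blob(pub, application=b"ssh:"):  # id_ecdsa_sk.pub payload
    q = b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return (ssh_string(SK_ECDSA) + ssh_string(b"nistp256")
            + ssh_string(q) + ssh_string(application))

def sk_signed_data(application, flags, counter, message):
    # What the token really signs; the application hash stops a web RP reusing it.
    return (hashlib.sha256(application).digest() + bytes([flags])
            + struct.pack(">I", counter) + hashlib.sha256(message).digest())

def token_sign(priv, application, counter, message, touched=True):
    """Simulated token; a real one sets the presence bit only after a touch."""
    flags = SK_USER_PRESENCE if touched else 0
    e = h2i(sk_signed_data(application, flags, counter, message))
    while True:  # plain ECDSA with a fresh random nonce
        k = secrets.randbelow(N - 1) + 1
        r = point_mul(k, G)[0] % N
        s = pow(k, N - 2, N) * (e + r * priv) % N
        if r and s:
            break
    return (ssh_string(SK_ECDSA) + ssh_string(ssh_mpint(r) + ssh_mpint(s))
            + bytes([flags]) + struct.pack(">I", counter))

def verify_sk(pubkey_blob, sig_blob, message, require_touch=True):
    """sshd's side: needs only the public blob. Returns "ok" or a reason."""
    ktype, pos = read_string(pubkey_blob, 0)
    curve, pos = read_string(pubkey_blob, pos)
    q, pos = read_string(pubkey_blob, pos)
    application, pos = read_string(pubkey_blob, pos)
    if ktype != SK_ECDSA or curve != b"nistp256":
        return "bad-key-type"
    x, y = int.from_bytes(q[1:33], "big"), int.from_bytes(q[33:65], "big")
    if len(q) != 65 or q[0] != 4 or (y * y - x ** 3 - A * x - B) % P:
        return "bad-point"  # malformed or not on the curve
    alg, pos = read_string(sig_blob, 0)
    inner, pos = read_string(sig_blob, pos)
    if alg != SK_ECDSA or len(sig_blob) != pos + 5:  # only flags + counter may follow
        return "bad-signature-encoding"
    rb, ipos = read_string(inner, 0)
    sb, _ = read_string(inner, ipos)
    flags, counter = sig_blob[pos], struct.unpack_from(">I", sig_blob, pos + 1)[0]
    e = h2i(sk_signed_data(application, flags, counter, message))
    if not ecdsa_verify((x, y), e, int.from_bytes(rb, "big"), int.from_bytes(sb, "big")):
        return "bad-signature"
    if require_touch and not flags & SK_USER_PRESENCE:
        return "no-user-presence"
    return "ok"
```

To try it against a real key, base64-decode the second field of id_ecdsa_sk.pub and pass the result as pubkey_blob; the signature blob is the value the client sends inside its userauth request. A signature made without the presence bit is rejected with "no-user-presence" unless require_touch is False, which is the server-side equivalent of the no-touch-required option.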

The new OpenSSH version also announces the coming deprecation of algorithms that use SHA-1 hashes, owing to the increased practicality of chosen-prefix collision attacks (the cost of finding such a collision is estimated at around 45 thousand US dollars). In one of the upcoming releases the developers plan to disable by default the "ssh-rsa" public-key signature algorithm, which is specified in the original RFC for the SSH protocol and remains widespread in practice (to test whether your systems depend on ssh-rsa, try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to new algorithms, a future OpenSSH release will enable the UpdateHostKeys setting by default, which automatically migrates clients to stronger algorithms. The recommended algorithms for migration are rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2 it is still possible to connect using "ssh-rsa", but this algorithm has been removed from the default CASignatureAlgorithms list, which defines the algorithms permitted for signing new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries increased risk, because an attacker has unlimited time to search for a collision with an existing certificate, whereas the time available to attack host keys is bounded by the connection timeout (LoginGraceTime).

When signing certificates, ssh-keygen now defaults to the rsa-sha2-512 algorithm, supported since OpenSSH 7.2, which may cause compatibility problems when certificates signed by OpenSSH 8.2 are checked on systems running older OpenSSH releases (to work around the problem, the signature algorithm can be given explicitly when signing, with "ssh-keygen -t ssh-rsa", or the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7, can be used instead).
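The algorithm a CA used is recorded inside the certificate itself, in its final "signature" field, so the compatibility question above can be answered from the certificate file alone. The following is an added example, not part of OpenSSH, that walks the certificate structure described in OpenSSH's PROTOCOL.certkeys and reports the signing algorithm together with the identity fields. The certificate line is constructed inline with placeholder key material and a dummy signature, since the script only reads which algorithm was used and does not verify the signature.

```python
import base64
import struct

# Public-key fields that follow the nonce, per certificate type.
CERT_KEY_FIELDS = {
    b"ssh-rsa-cert-v01@openssh.com": 2,                  # e, n
    b"ssh-dss-cert-v01@openssh.com": 4,                  # p, q, g, y
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,      # curve, Q
    b"ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    b"ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    b"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": 3,   # curve, Q, application
    b"ssh-ed25519-cert-v01@openssh.com": 1,              # pk
    b"sk-ssh-ed25519-cert-v01@openssh.com": 2,           # pk, application
}
SHA1_SIG_ALGS = {b"ssh-rsa", b"ssh-dss"}  # CA signature algorithms that hash with SHA-1

def ssh_string(b):  # RFC 4251 string
    return struct.pack(">I", len(b)) + b

def read_string(buf, pos):  # -> (value, next pos); raises on truncation
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[pos + 4:end], end

def read_name_list(buf):  # a string holding a sequence of strings
    names, pos = [], 0
    while pos < len(buf):
        name, pos = read_string(buf, pos)
        names.append(name.decode())
    return names

def parse_cert(blob):
    """Walk an OpenSSH certificate blob and report who signed it and how."""
    ktype, pos = read_string(blob, 0)
    if ktype not in CERT_KEY_FIELDS:
        raise ValueError("not an OpenSSH certificate: %r" % ktype)
    for _ in range(1 + CERT_KEY_FIELDS[ktype]):  # nonce, then the certified key
        _, pos = read_string(blob, pos)
    serial, cert_type = struct.unpack_from(">QI", blob, pos)
    key_id, pos = read_string(blob, pos + 12)
    principals, pos = read_string(blob, pos)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    pos += 16
    for _ in range(3):  # critical options, extensions, reserved
        _, pos = read_string(blob, pos)
    ca_key, pos = read_string(blob, pos)
    signature, pos = read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after signature")
    sig_alg, _ = read_string(signature, 0)
    ca_key_type, _ = read_string(ca_key, 0)
    return {
        "type": ktype.decode(), "serial": serial,
        "cert_type": {1: "user", 2: "host"}.get(cert_type, cert_type),
        "key_id": key_id.decode(), "principals": read_name_list(principals),
        "valid_after": valid_after, "valid_before": valid_before,
        "ca_key_type": ca_key_type.decode(), "sig_alg": sig_alg.decode(),
        "sha1_signature": sig_alg in SHA1_SIG_ALGS,
    }

def audit_cert_line(line):
    """One line of a *-cert.pub file: '<type> <base64> [comment]'."""
    fields = line.split()
    return parse_cert(base64.b64decode(fields[1]))

def demo_cert_line(sig_alg=b"rsa-sha2-512"):
    """Constructed sample: an RSA user certificate with placeholder key bytes
    and a dummy CA signature; only the signature algorithm field is meaningful."""
    ca_pub = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xaa" * 256)
    blob = (ssh_string(b"ssh-rsa-cert-v01@openssh.com") + ssh_string(b"N" * 32)
            + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xbb" * 256)
            + struct.pack(">QI", 42, 1) + ssh_string(b"alice@laptop")
            + ssh_string(ssh_string(b"alice") + ssh_string(b"admin"))
            + struct.pack(">QQ", 1581638400, 1581724800)
            + ssh_string(b"") + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))
            + ssh_string(b"") + ssh_string(ca_pub)
            + ssh_string(ssh_string(sig_alg) + ssh_string(b"\xcc" * 256)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " alice@laptop"
```

Feeding the contents of a real id_rsa-cert.pub to audit_cert_line gives the same kind of record; a certificate with sha1_signature set to True was signed with the old "ssh-rsa" algorithm, while one reporting "rsa-sha2-512" will not be accepted by peers older than OpenSSH 7.2.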

Other changes:

  • An Include directive has been added to sshd_config, allowing the contents of other files to be included at the current position in the configuration file (glob masks may be used when specifying the file name);
  • The "no-touch-required" option has been added to ssh-keygen; it marks a generated FIDO key as not requiring physical confirmation on the token when the key is used;
  • The PubkeyAuthOptions directive has been added to sshd_config, grouping options related to public-key authentication. Currently only the "no-touch-required" flag is supported, which skips the check of physical presence confirmation during token-based authentication. By analogy, a "no-touch-required" option has been added for the authorized_keys file;
  • The "-O write-attestation=/path" option has been added to ssh-keygen, allowing the additional FIDO attestation certificates to be written out when keys are generated. OpenSSH does not use these certificates yet, but they can be used to verify that a key was generated in trusted hardware;
  • In the ssh and sshd settings, the IPQoS directive can now set the traffic priority to LE DSCP (Lower Effort Per-Hop Behavior);
  • In ssh, with "AddKeysToAgent=yes", a key that has no comment field is added to ssh-agent with the key's path as its comment. ssh-keygen and ssh-agent now also use PKCS#11 labels and X.509 subject names instead of the library path as key comments;
  • ssh-keygen can now export DSA and ECDSA keys in PEM format;
  • A new executable, ssh-sk-helper, has been added; it is used to isolate the FIDO/U2F token access library;
  • A build option has been added to ssh and sshd to make the zlib library optional at build time (zlib support can now be disabled when running configure);
  • In accordance with RFC 4253, the banner shown on connection now carries a warning that the connection was refused because the MaxStartups limit was exceeded. To simplify diagnostics, the sshd process title, visible with the ps utility, now shows the number of connections currently authenticating and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when the program specified via $SSH_ASKPASS is invoked to display a prompt, a hint describing the prompt type is now passed: "confirm" (a yes/no confirmation dialog), "none" (an informational message), or blank (a password or passphrase prompt);
  • A new signature operation, "find-principals", has been added to ssh-keygen to look up, in an allowed-signers file, the principal associated with a given digital signature;
  • Isolation of the sshd process on Linux using the seccomp mechanism has been improved: IPC system calls are denied, while clock_gettime64(), clock_nanosleep_time64 and clock_nanosleep() are allowed.

Source: opennet.ru
