After three months of development
The new release adds protection against scp attacks that allow the server to send file names other than those requested (as opposed to
When connecting to a server controlled by an attacker, this behaviour can be used to save other file names and other content in the user's file system when copying with scp in configurations where the utimes call fails (for example, when utimes is prohibited by SELinux policy or by a system call filter). The likelihood of real attacks is estimated to be minimal, since the utimes call does not fail in typical configurations. In addition, the attack does not go unnoticed: scp displays a data transfer error when it is run.
General changes:
- In sftp, handling of the "-1" argument has been removed, as in ssh and scp, where it was previously accepted but ignored;
- In sshd, the IgnoreRhosts setting now has three options: "yes" to ignore rhosts/shosts, "no" to respect rhosts/shosts, and "shosts-only" to allow ".shosts" but reject ".rhosts";
- ssh now supports %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
- Public keys may now be loaded from an unencrypted file containing a private key if there is no separate file with the public key;
- If libcrypto is present on the system, ssh and sshd now use the chacha20 implementation from that library instead of the built-in portable implementation, which lags behind in performance;
- Implemented the ability to dump the contents of a binary list of revoked certificates when running the command "ssh-keygen -lQf /path";
- The portable version implements detection of systems on which signals with the SA_RESTART option interrupt select;
- Build problems on HP/UX and AIX systems have been resolved;
- Fixed problems with building the seccomp sandbox on some Linux configurations;
- Improved detection of the libfido2 library and resolved build issues with the "--with-security-key-builtin" option.
The OpenSSH developers also warned once again about the upcoming deprecation of algorithms that use SHA-1 hashes because
To ease the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
As of the last release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed to digitally sign new certificates. Using SHA-1 in certificates carries additional risk because the attacker has unlimited time to search for a collision for an existing certificate, while the time available for an attack on host keys is limited by the connection timeout (LoginGraceTime).
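To prepare for the migration described above, the following added example (not code from OpenSSH or from the original article) scans an ssh_config or sshd_config text for lines that explicitly enable the two SHA-1 based names mentioned in the text. The choice of keywords to inspect and the sample configuration are assumptions made for illustration; the check reports only explicit settings, since the defaults used when a keyword is absent depend on the installed OpenSSH version.

```python
import re

# SHA-1 based algorithm names taken from the text above.
SHA1_ALGS = {"ssh-rsa", "diffie-hellman-group14-sha1"}
# OpenSSH keywords that take algorithm lists (keywords are case-insensitive).
# Which keywords to inspect is an assumption of this example.
LIST_KEYWORDS = {"hostkeyalgorithms", "casignaturealgorithms",
                 "pubkeyacceptedkeytypes", "kexalgorithms"}
# "Keyword value" or "Keyword=value"
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

def audit(config_text):
    """Return (line_no, keyword, algorithm) for every SHA-1 name a line enables."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in LIST_KEYWORDS:
            continue
        value = m.group(2).strip().strip('"')
        if value.startswith("-"):
            continue  # "-list" removes names from the default set: nothing enabled
        # "+list" appends to and "^list" prepends to the defaults; a bare list
        # replaces them. In all three cases the named algorithms are enabled.
        for name in value.lstrip("+^").split(","):
            name = name.strip()
            if name in SHA1_ALGS:
                findings.append((no, m.group(1), name))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
HostKeyAlgorithms ssh-ed25519,ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
CASignatureAlgorithms -ssh-rsa
KexAlgorithms=curve25519-sha256,diffie-hellman-group14-sha1
UpdateHostKeys yes
"""

if __name__ == "__main__":
    for no, keyword, alg in audit(SAMPLE):
        print(f"line {no}: {keyword} enables SHA-1 based {alg}")
```

Each reported line is a candidate for replacement with one of the recommended algorithms listed above (rsa-sha2-256/512, ssh-ed25519, ecdsa-sha2-nistp256/384/521).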
Source: opennet.ru