OpenSSH 8.0

After five months of development, OpenSSH 8.0 has been released, an open client and server implementation for working with the SSH 2.0 and SFTP protocols.

Major changes:

  • Experimental support for a key exchange method resistant to brute-force attacks by quantum computers has been added to ssh and sshd. Quantum computers are much faster at factoring a natural number into prime factors, the problem that underlies modern asymmetric algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (the ntrup4591761 function), designed for post-quantum cryptosystems, combined with the X25519 elliptic curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was introduced in 2001 as an alternative to "host:port" to simplify working with IPv6. Today the "[::1]:22" form is the established syntax for IPv6, and "host/port" is often confused with subnet (CIDR) notation;
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, following the updated NIST recommendations;
  • ssh allows the "PKCS11Provider=none" setting to override the PKCS11Provider directive given in ssh_config;
  • sshd now emits a log message when a connection is terminated because the client attempted to run commands blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is shown, the exact fingerprint of the key is now accepted in place of the "yes" answer (in reply to the connection-confirmation prompt, the user can paste from the clipboard a reference hash obtained separately, instead of comparing it by hand);
  • ssh-keygen automatically increments the certificate serial number when signing multiple certificates in a single command-line invocation;
  • A new "-J" option, equivalent to the ProxyJump setting, has been added to scp and sftp;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, the "-v" command-line option is now handled to increase the verbosity of the output (when specified, the option is passed on to child processes, for example when ssh-pkcs11-helper is invoked by ssh-agent);
  • A "-T" option has been added to ssh-add to test whether the keys held by ssh-agent are usable for digital signing and verification operations;
  • sftp-server implements the "lsetstat@openssh.com" protocol extension, which adds to SFTP a variant of the SSH2_FXP_SETSTAT operation that does not follow symbolic links;
  • A "-h" option has been added to sftp to run the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd now sets the $SSH_CONNECTION environment variable for PAM;
  • In ssh_config, a "Match final" matching mode has been added, which is similar to "Match canonical" but does not require hostname canonicalization to be enabled;
  • Support for the '@' prefix has been added to sftp to suppress echoing of commands executed in batch mode;
  • When displaying the contents of a certificate with the "ssh-keygen -Lf /path/certificate" command, the algorithm the CA used to sign the certificate is now shown;
  • Improved support for the Cygwin environment, for example case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed to cygsshd to avoid conflicts with the OpenSSH port supplied by Microsoft;
  • Added the ability to build against the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the scp utility that allowed arbitrary files in the target directory to be overwritten on the client side when connecting to a server controlled by an attacker. The problem is that with scp the server decides which files and directories are sent to the client, and the client only checks the validity of the returned object names. The client-side check was limited to blocking traversal outside the current directory ("../") and did not account for the transfer of files whose names differ from those originally requested. With a recursive copy (-r), the names of subdirectories could be manipulated in the same way as file names. For example, if a user copies files into the home directory, an attacker-controlled server could return files named .bash_aliases or .ssh/authorized_keys instead of the requested ones, and scp would save them in the user's home directory.

    In the new release, scp has been updated to check, on the client side, that the file names sent by the server correspond to the names requested. This can cause problems with wildcard handling, since wildcard expansion characters may be processed differently on the server and client sides. If such a difference makes the client refuse files, the new "-T" option disables the client-side check. A full fix would require a conceptual redesign of the scp protocol, which is itself already outdated, so more modern protocols such as sftp and rsync are recommended instead.
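As an added illustration of the client-side check described above (example code written for this page, not OpenSSH's own scp source), the following Python sketch parses a few constructed scp protocol headers and applies both the older traversal check and the 8.0 name-matching check, with a flag that models "-T". The header layout ("C<mode> <size> <name>" for files, "D<mode> <size> <name>" for directories) follows the scp protocol; the sample file names and sizes are constructed.

```python
import fnmatch
import re

# Constructed scp sink-side protocol lines, as a server might send them after the
# client asked for "*.log". "C<mode> <size> <name>" introduces a file,
# "D<mode> <size> <name>" a directory.
SAMPLE_SERVER_LINES = [
    "C0644 120 access.log",
    "C0644 88 error.log",
    "C0600 45 .bash_aliases",            # never requested: the substitution CVE-2019-6111 describes
    "C0600 99 ../.ssh/authorized_keys",  # traversal: caught by the older check as well
    "D0755 0 archive",                   # directory name: must match the request too
]

HEADER = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def name_is_safe(name):
    """Pre-8.0 client check: refuse empty, '.', '..' and any name containing '/'."""
    return name not in ("", ".", "..") and "/" not in name


def name_matches_request(name, requested):
    """8.0 addition: the received name must match one of the names the client
    asked for, with the request interpreted as a shell glob (fnmatch).
    Case-sensitive on purpose: a server with different expansion rules may
    therefore send legitimate names that fail here, which is what -T is for."""
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in requested)


def filter_transfer(lines, requested, strict=True):
    """Split server-announced entries into accepted names and (name, reason) rejections.

    strict=True models the OpenSSH 8.0 default (names must match the request);
    strict=False models "scp -T", which keeps only the traversal check.
    """
    accepted, rejected = [], []
    for line in lines:
        match = HEADER.match(line)
        if not match:
            rejected.append((line, "malformed header"))
            continue
        _kind, _mode, _size, name = match.groups()
        if not name_is_safe(name):
            rejected.append((name, "path traversal or unsafe name"))
        elif strict and not name_matches_request(name, requested):
            rejected.append((name, "name does not match the request"))
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    for strict in (True, False):
        accepted, rejected = filter_transfer(SAMPLE_SERVER_LINES, ["*.log"], strict)
        print("strict" if strict else "-T    ", "accepted:", accepted)
        for name, reason in rejected:
            print("       rejected:", name, "(" + reason + ")")
```

With the request "*.log", the strict mode keeps only access.log and error.log and refuses the substituted dotfile and the directory; the "-T" mode still refuses the traversal name but lets the substituted names through, which is the trade-off the release notes describe. The wildcard caveat shows up when the request is "*.LOG" and the server expands it case-insensitively: the client-side match then rejects a legitimate file unless "-T" is given.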
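The host-key prompt change listed above (accepting the key's fingerprint in place of "yes") can be demonstrated with the added example below, written for this page and not taken from OpenSSH. It builds a constructed Ed25519 public key line, derives the SHA256 fingerprint in the format ssh-keygen prints, and accepts a reply only if it is "yes" or that exact fingerprint. It assumes the SHA256 fingerprint format only and ignores the older MD5 form.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then payload."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a made-up 32-byte Ed25519 public key (not any real host's key),
# wrapped in the "ssh-ed25519 <base64 blob>" form found in known_hosts.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_KEY_BYTES)
).decode()


def fingerprint_sha256(pubkey_line):
    """Compute the fingerprint of a public key line the way OpenSSH prints it:
    SHA-256 of the decoded key blob, base64 without padding, prefixed "SHA256:"."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_answer_accepted(answer, pubkey_line):
    """Decide whether a reply to the new-host-key prompt accepts the key.

    A literal "yes" accepts it unconditionally (the pre-8.0 behaviour). Anything
    else is treated as a pasted fingerprint and accepts the key only if it equals
    the fingerprint of the key actually offered, so a mismatch is refused rather
    than silently trusted."""
    answer = answer.strip()
    if answer.lower() == "yes":
        return True
    return answer == fingerprint_sha256(pubkey_line)


if __name__ == "__main__":
    fp = fingerprint_sha256(SAMPLE_PUBKEY_LINE)
    print("Offered key fingerprint:", fp)
    for reply in ("yes", fp, "SHA256:" + "A" * 43):
        print(repr(reply[:20]), "->", host_key_answer_accepted(reply, SAMPLE_PUBKEY_LINE))
```

The useful property is that a fingerprint copied from an out-of-band source (a wiki page, a ticket, a provisioning record) either matches byte for byte or the connection is refused, which removes the manual comparison step where people tend to glance at the first few characters only.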
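To show why the "host/port" form was dropped from ListenAddress and PermitOpen, here is an added parser (written for this page, not sshd's own code) that accepts the modern "host:port" and "[v6addr]:port" forms and rejects the legacy slash form, reporting when the same text would instead read as a CIDR network. The accepted grammar is a simplification and an assumption of this example; sshd's real parser handles more forms.

```python
import ipaddress
import re

# Matches the legacy "host/port" form only (no brackets, no colon before the slash).
LEGACY_SLASH = re.compile(r"^[^/\[\]:]+/\d+$")


def _port(text):
    """Validate a decimal port number."""
    if not text.isdigit():
        raise ValueError("bad port %r" % text)
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_listen_address(spec):
    """Parse a ListenAddress-style value into (host, port); port is None if absent.

    Accepted: "host", "host:port", "[v6addr]", "[v6addr]:port" and a bare IPv6
    literal without a port. The legacy "host/port" form is rejected outright,
    because the same text reads as CIDR notation ("10.0.0.0/8").
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty ListenAddress")
    if LEGACY_SLASH.match(spec):
        try:
            hint = "reads as the CIDR network %s" % ipaddress.ip_network(spec, strict=False)
        except ValueError:
            hint = "legacy host/port syntax"
        raise ValueError("ambiguous 'host/port' form (%s); use host:port" % hint)
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in %r" % spec)
        host = spec[1:end]
        ipaddress.IPv6Address(host)          # raises ValueError on a bad literal
        rest = spec[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("expected ':port' after ']' in %r" % spec)
        return host, _port(rest[1:])
    if spec.count(":") > 1:                  # unbracketed IPv6 literal, no port possible
        ipaddress.IPv6Address(spec)
        return spec, None
    host, sep, port = spec.partition(":")
    return host, (_port(port) if sep else None)


def describe(spec):
    """Return (host, port) for a valid value, or a 'rejected: ...' string."""
    try:
        return parse_listen_address(spec)
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed inputs: the modern forms, the legacy form, and a CIDR look-alike.
    for value in ("[::1]:22", "0.0.0.0:2222", "::", "example.org/2222", "10.0.0.0/8"):
        print("%-18s -> %s" % (value, describe(value)))
```

The CIDR hint is the point of the exercise: "10.0.0.0/8" is a perfectly valid network and a perfectly valid legacy "host/port" pair, and nothing in the text tells a parser which one the administrator meant, so refusing the form is safer than guessing.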

Source: opennet.ru
