ProHoster > Π‘Π»ΠΎΠ³ > wararka internetka > FurSSH 8.4

FurSSH 8.4

Kadib afar bilood oo horumar ah soo bandhigay sii daynta OpenSSH 8.4, macmiil furan iyo hirgelinta adeegaha si loogu shaqeeyo isticmaalka SSH 2.0 iyo SFTP.

Isbeddellada ugu waaweyn:

  • Isbeddellada amniga:
    • Wakiilka ssh-ka, marka la isticmaalayo furayaasha FIDO ee aan loo abuurin xaqiijinta SSH (aqoonsiga furuhu kuma bilaabmayo xadhigga "ssh:"), waxay hadda hubinaysaa in farriinta la saxeexi doono iyadoo la adeegsanayo hababka loo isticmaalo borotokoolka SSH. Isbeddelku ma oggolaan doono ssh-wakiilka in loo wareejiyo martigaliyayaasha fog ee leh furayaasha FIDO si ay u xannibaan awoodda isticmaalka furayaashan si ay u abuuraan saxiixyada codsiyada aqoonsiga webka (kiis kale, marka browserku saxiixi karo codsiga SSH, ayaa marka hore laga saaray. iyadoo ay ugu wacan tahay adeegsiga horgalaha "ssh:" ee aqoonsiga furaha).
    • Jiilka muhiimka ah ee deganaanshaha ssh-keygen waxaa ka mid ah taageerada credProtect add-on lagu sifeeyay qeexida FIDO 2.1, kaas oo siiya ilaalin dheeraad ah furayaasha iyadoo u baahan PIN ka hor inta aan la samayn wax hawlgal ah oo keeni kara in furaha deegaanka laga soo saaro calaamadda.
  • Isbeddellada ku habboonaanta ee suurtogalka ah inay jebiyaan:
    • Si loo taageero FIDO/U2F, waxaa lagu talinayaa in la isticmaalo maktabadda libfido2 ugu yaraan nooca 1.5.0. Awoodda isticmaalka daabacado duug ah ayaa qayb ahaan la hirgeliyay, laakiin kiiskan, shaqooyinka sida furayaasha deegaanka, codsiga PIN, iyo isku xirka calaamado badan lama heli doono.
    • Gudaha ssh-keygen, xogta xaqiijiyaha ee lagama maarmaanka u ah xaqiijinta saxeexyada dhijitaalka ah ayaa lagu daray qaabka xogta xaqiijinta, iyada oo si ikhtiyaari ah loo kaydiyay marka la soo saarayo furaha FIDO.
    • API-ka la isticmaalo marka OpenSSH uu la falgalo lakabka gelitaanka calaamadaha FIDO waa la beddelay.
    • Marka la dhisayo nooca la qaadan karo ee OpenSSH, automake ayaa hadda loo baahan yahay si loo soo saaro qoraalka habaynta iyo faylalka la socda ee la dhisayo (haddii laga dhisayo faylka daamurka koodka ee la daabacay, dib-u-habaynta dib-u-habaynta looma baahna).
  • Taageero lagu daray FIDO furayaasha u baahan xaqiijinta PIN ee ssh iyo ssh-keygen. Si loo soo saaro furayaasha PIN, "xaqiijinta-loo baahan yahay" doorashada ayaa lagu daray ssh-keygen. Haddii furayaasha noocaas ah la isticmaalo, ka hor inta aan la samayn hawlgalka abuurista saxeexa, isticmaaluhu waxa lagu dhiirigelinayaa inuu xaqiijiyo ficilladooda isagoo gelaya lambarka sirta ah.
  • Gudaha sshd, ikhtiyaarka "xaqiijiyaha-loo baahan yahay" ayaa lagu hirgeliyay goobta_furaha la oggol yahay, taas oo u baahan adeegsiga awoodaha si loo xaqiijiyo joogitaanka isticmaaluhu inta lagu jiro hawlgallada calaamadda. Heerka FIDO wuxuu bixiyaa dhowr ikhtiyaar oo xaqiijinta noocaas ah, laakiin hadda OpenSSH waxay taageertaa xaqiijinta ku saleysan PIN.
  • sshd iyo ssh-keygen waxay kordhiyeen taageerada xaqiijinta saxeexyada dhijitaalka ah ee u hoggaansamaya heerka FIDO Webauthn, kaas oo u oggolaanaya furayaasha FIDO in lagu isticmaalo daalacashada shabakadda.
  • ssh gudaha Dejinta CertificateFile,
    Waddada Control, IdentityAgent, IdentityFile, Local Forward iyo
    RemoteForward waxa ay ogolaataa beddelka qiyamka doorsoomayaasha deegaanka ee lagu qeexay qaabka "${ENV}".

  • ssh iyo ssh-wakiilka ayaa ku daray taageerada $SSH_ASKPASS_REQUIRE doorsoomiyaha deegaanka, kaas oo loo isticmaali karo in lagu suurtageliyo ama la joojiyo wicitaanka ssh-askpass.
  • Gudaha ssh ee ssh_config ee dardaaranka AddKeysToAgent, awoodda lagu xaddidayo muddada furaha ayaa lagu daray. Ka dib marka xadka la cayimay uu dhaco, furayaasha si toos ah ayaa looga tirtiraa wakiilka ssh.
  • Scp iyo sftp, adoo isticmaalaya calanka "-A", waxaad hadda si cad u ogolaan kartaa dib u jahaynta scp iyo sftp adoo isticmaalaya ssh-agent (diritaanku waa naafo).
  • Taageero lagu daray '%k' beddelka ssh settings, kaas oo qeexaya magaca furaha martida loo yahay. Habkan waxa loo isticmaali karaa in lagu qaybiyo furayaasha faylal kala duwan (tusaale, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • Oggolow isticmaalka "ssh-add -d -" hawlgalka si loo akhriyo furayaasha stdin ee la tirtirayo.
  • Gudaha sshd, bilawga iyo dhamaadka habka gooynta isku xirka ayaa ka muuqda log, oo lagu habeeyey iyadoo la adeegsanayo cabbirka MaxStartups.

Soosaarayaasha OpenSSH waxay kaloo dib u xasuusiyeen soo saarista algorithms-ka soo socda iyagoo isticmaalaya SHA-1 hashes sababtoo ah dallacaad waxtarka weerarrada isku dhaca oo leh horgale la bixiyay (kharashka xulashada isku dhaca waxaa lagu qiyaasaa ku dhawaad ​​45 kun oo doolar). Mid ka mid ah siidaynta soo socota, waxay qorsheynayaan inay si caadi ah u baabi'iyaan awoodda isticmaalka furaha dadweynaha ee saxeexa dhijitaalka ah algorithm "ssh-rsa", kaas oo lagu sheegay RFC asalka ah ee borotokoolka SSH oo weli ku baahsan ficil ahaan (si loo tijaabiyo isticmaalka ee ssh-rsa ee nidaamyadaaga, waxaad isku dayi kartaa inaad ku xirto ssh ikhtiyaarka "-oHostKeyAlgorithms = -ssh-rsa").

Si loo fududeeyo u gudubka algorithms-yada cusub ee OpenSSH, sii-deynta xigta waxay awood u siin doontaa dejinta UpdateHostKeys si caadi ah, kaas oo si toos ah macaamiisha ugu guuri doona algorithms la isku halayn karo. Algorithms-yada lagu taliyay ee socdaalka waxaa ka mid ah rsa-sha2-256/512 oo ku salaysan RFC8332 RSA SHA-2 (la taageeray ilaa OpenSSH 7.2 oo si caadi ah loo isticmaalo), ssh-ed25519 (taageeray tan iyo OpenSSH 6.5) iyo ecdsa-sha2-nistp256/384/521 ku salaysan on RFC5656 ECDSA (taageeray tan iyo OpenSSH 5.7).

Source: opennet.ru

Add a comment