OpenSSH 8.9 released with a fix for an sshd vulnerability

After six months of development, OpenSSH 8.9, an open implementation of a client and server for the SSH 2.0 and SFTP protocols, has been released. The new version of sshd fixes a vulnerability that could potentially allow unauthenticated access. The issue is caused by an integer overflow in the authentication code, but it can only be exploited in combination with other logic errors in the code.

In its current form, the vulnerability cannot be exploited when privilege separation mode is enabled, since its manifestation is blocked by separate checks performed in the privilege separation code. Privilege separation mode has been enabled by default since 2002, starting with OpenSSH 3.2.2, and has been mandatory since the release of OpenSSH 7.5, published in 2017. In addition, in portable versions of OpenSSH starting with release 6.5 (2014), the vulnerability is blocked by compilation with stack-protection flags.

Other changes:

  • The portable version of OpenSSH's sshd has removed native support for password hashing with the MD5 algorithm (linking against external libraries such as libxcrypt allows it to be restored).
  • ssh, sshd, ssh-add and ssh-agent implement a subsystem for restricting the forwarding and use of keys added to ssh-agent. The subsystem lets you set rules that determine how and where keys can be used through ssh-agent. For example, to add a key that can only be used for authentication when any user connects to the host scylla.example.org, the user perseus connects to the host cetus.example.org, and the user medea connects to the host charybdis.example.org by jumping through the intermediate host scylla.example.org, you can use the following command:

        $ ssh-add -h "perseus@cetus.example.org" \
            -h "scylla.example.org" \
            -h "scylla.example.org>medea@charybdis.example.org" \
            ~/.ssh/id_ed25519

  • In ssh and sshd, the hybrid key exchange algorithm "sntrup761x25519-sha512@openssh.com" (ECDH/x25519 + NTRU Prime), resistant to brute-force attacks on quantum computers, has been added to the default KexAlgorithms list, which determines the order in which key exchange methods are selected. In OpenSSH 8.9 this method is negotiated after the ECDH and DH methods, but it is planned to make it the default in a future release.
  • ssh-keygen, ssh and ssh-agent have improved handling of FIDO token keys used for user verification on the device, including keys for biometric authentication.
  • The "ssh-keygen -Y match-principals" command has been added to ssh-keygen to check user names against the list in the allowed signers file.
  • ssh-add and ssh-agent provide the ability to add FIDO keys protected by a PIN code to ssh-agent (the PIN prompt is shown at authentication time).
  • ssh-keygen allows the hashing algorithm (sha512 or sha256) to be chosen during signature generation.
  • In ssh and sshd, to improve performance, network data is read directly into the buffer of incoming packets, bypassing the intermediate buffer on the stack. Direct placement of received data into the channel buffer is implemented in the same way.
  • In ssh, the PubkeyAuthentication directive has an expanded list of supported values (yes|no|unbound|host-bound) to provide a way to choose which protocol extension to use.
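To make the key-restriction subsystem in the ssh-agent item above concrete, here is an added model of how destination constraints are evaluated. It is illustration code, not OpenSSH's own implementation: the constraint syntax and the three example constraints come from the announcement, while the Constraint and Hop classes, the function names and the decision logic are assumptions of this model. The real agent identifies hosts by the host keys it loads from known_hosts when ssh-add -h runs and compares them with the host keys the client reports through the session-bound ("host-bound") signature extension; this model compares host names instead.

```python
"""Model of ssh-agent destination constraints (OpenSSH 8.9, ssh-add -h).

Added example, not OpenSSH code. Hosts are compared by name here; the
real agent compares host keys bound to the session by the client.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Constraint:
    from_host: Optional[str]  # None: the hop starts on the local machine
    user: Optional[str]       # None: any user name on the destination
    to_host: str


@dataclass(frozen=True)
class Hop:
    """One hop of the session chain the client binds to the agent."""
    from_host: Optional[str]  # None for the first hop (local machine)
    user: str
    to_host: str


def _split_user_host(text: str):
    user, _, host = text.rpartition("@")
    if not host:
        raise ValueError(f"missing host in constraint part {text!r}")
    return (user or None), host


def parse_constraint(spec: str) -> Constraint:
    """Parse one 'ssh-add -h' argument: [[user@]host1>][user@]host2."""
    if ">" in spec:
        src, dst = spec.split(">", 1)
        # A user on the source side is accepted but not used for matching
        # in this model (assumption).
        _, from_host = _split_user_host(src)
        user, to_host = _split_user_host(dst)
        return Constraint(from_host, user, to_host)
    user, to_host = _split_user_host(spec)
    return Constraint(None, user, to_host)


def hop_permitted(hop: Hop, constraints: Sequence[Constraint]) -> bool:
    """A hop is allowed when at least one constraint covers it."""
    return any(
        c.from_host == hop.from_host
        and c.to_host == hop.to_host
        and (c.user is None or c.user == hop.user)
        for c in constraints
    )


def key_usable(chain: Sequence[Hop], constraints: Sequence[Constraint]) -> bool:
    """Decide whether a constrained key may sign for the given session chain."""
    if not constraints:
        return True   # unconstrained key: behaves as before 8.9
    if not chain:
        return False  # client did not bind the session, so the agent refuses
    previous = None
    for hop in chain:
        if hop.from_host != previous:   # chain must start locally and be contiguous
            return False
        if not hop_permitted(hop, constraints):
            return False
        previous = hop.to_host
    return True


# Constructed from the announcement's example command.
EXAMPLE_CONSTRAINTS = [
    parse_constraint("perseus@cetus.example.org"),
    parse_constraint("scylla.example.org"),
    parse_constraint("scylla.example.org>medea@charybdis.example.org"),
]

if __name__ == "__main__":
    direct = [Hop(None, "alice", "scylla.example.org")]
    jump = [Hop(None, "alice", "scylla.example.org"),
            Hop("scylla.example.org", "medea", "charybdis.example.org")]
    no_jump = [Hop(None, "medea", "charybdis.example.org")]
    for name, chain in (("direct", direct), ("jump", jump), ("no_jump", no_jump)):
        print(name, key_usable(chain, EXAMPLE_CONSTRAINTS))
```

The point to notice is the last case: medea's key is only usable for charybdis.example.org when the connection arrives through scylla.example.org, so a forwarded agent on some other host cannot reuse it, and a client that does not bind the session (the "unbound" mode of PubkeyAuthentication) gets no signature at all for a constrained key.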

In a future release, the scp utility is planned to switch to SFTP by default, replacing the legacy SCP/RCP protocol. SFTP uses more predictable name-handling methods and avoids the insecure processing of glob patterns in file names through the shell on the remote host. In particular, with SCP and RCP the server decides which files and directories to send to the client, while the client only checks that the names of the returned objects are correct. This allows a security breach if proper checking is not done on the client side, since the server can transfer files with names other than those requested. The SFTP protocol is free of these problems, but does not support expansion of special paths such as "~/". To close this gap, a new SFTP protocol extension for expanding ~/ and ~user/ paths was proposed in a previous OpenSSH release in the SFTP server implementation.
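Returning to the "ssh-keygen -Y match-principals" item in the list above: the following added example models what that operation does against an allowed signers file. It is illustration code, not ssh-keygen's own implementation. The line layout it assumes is "principals [options] keytype key [comment]" with "#" comments, principals separated by commas, and OpenSSH-style patterns in which only "*" and "?" are wildcards; the sample file content and the placeholder key strings are constructed for this example, and the exact output format of the real command may differ.

```python
"""Model of 'ssh-keygen -Y match-principals' (OpenSSH 8.9).

Added example, not ssh-keygen code. Returns the principal patterns of an
allowed_signers file that match a given signer identity.
"""
import re
from typing import List

# Constructed sample allowed_signers content; the keys are placeholders.
ALLOWED_SIGNERS = """\
# release managers may sign anything
alice@example.com,bob@example.com ssh-ed25519 AAAAC3PLACEHOLDER1 alice+bob
# any address at example.com, limited to the 'git' namespace
*@example.com namespaces="git" ssh-ed25519 AAAAC3PLACEHOLDER2
# certificate authority for build hosts
build-??.example.com cert-authority ssh-rsa AAAAB3PLACEHOLDER3
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an OpenSSH match pattern ('*' and '?' only) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_allowed_signers(text: str) -> List[List[str]]:
    """Return the principal-pattern list of every non-comment line.

    Options containing spaces inside quotes are not handled by this
    simplified field split (assumption of the model).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected principals, key type and key")
        # The options field is optional: if the second field is not a key
        # type, it must be options followed by a key type.
        if not fields[1].startswith(KEY_TYPE_PREFIXES):
            rest = fields[2].split(None, 1)
            if len(rest) < 2 or not rest[0].startswith(KEY_TYPE_PREFIXES):
                raise ValueError(f"line {lineno}: no key type after options {fields[1]!r}")
        entries.append(fields[0].split(","))
    return entries


def match_principals(text: str, identity: str) -> List[str]:
    """Principal patterns that match identity, in file order, without duplicates."""
    matches: List[str] = []
    for principals in parse_allowed_signers(text):
        for pattern in principals:
            if pattern_to_regex(pattern).match(identity) and pattern not in matches:
                matches.append(pattern)
    return matches


if __name__ == "__main__":
    for who in ("alice@example.com", "carol@example.com",
                "build-07.example.com", "mallory@evil.example"):
        print(who, "->", match_principals(ALLOWED_SIGNERS, who))
```

This is the check an operator wants before trusting a signature policy: a wildcard such as "*@example.com" silently covers every identity at the domain, and "build-??.example.com" covers exactly two characters, so checking a few identities against the file catches overly broad or mistyped patterns before signatures are verified with "ssh-keygen -Y verify".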

Source: opennet.ru
