Siideynta OpenSSH 9.2 waa la daabacay, hirgelinta furan ee macmiilka iyo serverka si loogu shaqeeyo isticmaalka SSH 2.0 iyo SFTP borotokoolka. Nooca cusubi wuxuu meesha ka saarayaa nuglaanta u horseedaysa in la labanlaabo xusuusta marxaladda aqoonsiga ka hor. Kaliya siidaynta OpenSSH 9.1 ayaa saamaysay; dhibaatadu kama soo baxayso noocyadii hore.
Si loo abuuro shuruudo muujinta nuglaanta, waa ku filan in la beddelo banner-ka macmiilka SSH "SSH-2.0-FuTTYSH_9.1p1" si loo dejiyo calanka "SSH_BUG_CURVE25519PAD" iyo "SSH_OLD_DHGEX", taas oo ku xiran nooca SSH macmiilka. Ka dib markii la dejiyo calamadan, xusuusta "options.kex_algorithms" baffer laba jeer ayaa la sii daayay - marka la fulinayo shaqada do_ssh2_kex (), kaas oo wacaya compat_kex_proposal (), iyo marka la fulinayo shaqada do_authentication2 (), kaas oo ugu yeera input_userauth_request (), mm_getpwn ), koobi_set_server_options() oo ay weheliyaan silsiladda , ururinta_algorithms () iyo kex_assemble_names ().
Abuuritaanka ka faa'iidaysiga shaqo ee nuglaanta ayaa loo arkaa mid aan macquul ahayn, maadaama habka ka faa'iidaysigu aad u adag yahay - maktabadaha qoondaynta xusuusta casriga ah waxay bixiyaan ilaalin ka hortagga xusuusta labanlaabka, iyo habka hore ee aqoonsiga kaas oo qaladku ku jiro wuxuu la socdaa mudnaanta la dhimay ee meel go'doonsan. deegaanka sandbox.
Marka lagu daro nuglaanta la xusay, siideynta cusub ayaa sidoo kale hagaajinaysa laba arrimood oo kale oo amniga ah:
- Khalad ayaa dhacay markii la farsamaynayey goobta "PermitRemoteOpen", taasoo keentay in doodda kowaad la iska indho tiro haddii ay ka duwan tahay qiyamka "mid" iyo "midna". Dhibaatadu waxay u muuqataa noocyo ka cusub OpenSSH 8.7 waxayna sababtaa in jeegga la boodo marka hal ogolaansho oo keliya la cayimo.
- Weeraryahan xakameynaya server-ka DNS ee loo isticmaalo in lagu xalliyo magacyada wuxuu gaari karaa beddelka jilayaasha gaarka ah (tusaale, "*") faylalka caanka ah ee loo yaqaan 'hosts files' haddii CanonicalizeHostname iyo CanonicalizePermittedCNAMEs xulashooyinka ay awood u yeeshaan qaabeynta, iyo xaliyaha nidaamku ma hubiyo saxnaanta jawaabaha ka imanaya server-ka DNS. Weerarka waxaa loo arkaa mid aan dhici karin sababtoo ah magacyada la soo celiyay waa inay waafaqaan shuruudaha lagu qeexay CanonicalizePermittedCNAMEs.
Isbeddellada kale:
- Goobta 'EnableEscapeCommandline' ayaa lagu daray ssh_config ee ssh si loo xakameeyo in habka macaamilka-dhinaca ee taxanaha baxsadka "~ C" ee bixiya khadka amarka la kartiyeeyey. Sida caadiga ah, "~C" wax ka qabashada hadda waa naafo si loo isticmaalo go'doominta sanduuqa ciid adag, oo laga yaabo inay jebiyaan nidaamyada u isticmaala "~ C" gudbinta dekeda wakhtiga runtime.
- Awaamiirta ChannelTimeout ayaa lagu daray sshd_config ee sshd si loo dejiyo wakhtiga shaqayn la'aanta kanaalka (kanaalada aan taraafikada lagu diiwaan gelin wakhtiga lagu sheegay dardaaranka si toos ah ayaa loo xidhi doonaa). Wakhtiyo kala duwan ayaa loo dejin karaa fadhiga, X11, wakiilka, iyo hagida taraafikada.
- Dardaaranka UnusedConnectionTimeout ayaa lagu daray sshd_config ee sshd, taas oo kuu ogolaanaysa inaad dejiso wakhti goynta isku xidhka macmiilka ee aan lahayn kanaalada firfircoon ee wakhti cayiman.
- Xulashada "-V" ayaa lagu daray sshd si loo muujiyo nooca, oo la mid ah ikhtiyaarka la midka ah ee macmiilka ssh.
- Waxaa lagu daray xariiqda "Host" soo saarista "ssh -G", taasoo ka tarjumaysa qiimaha doodda magaca martida loo yahay.
- Xulashada "-X" ayaa lagu daray scp iyo sftp si loo xakameeyo cabbirrada borotokoolka SFTP sida cabbirka kaydinta koobiga iyo tirada codsiyada la sugayo.
- ssh-keyscan waxa ay ogolaataa in la iskaan karo ciwaanka CIDR buuxa, tusaale ahaan "ssh-keyscan 192.168.0.0/24".
Source: opennet.ru