Kadib afar bilood oo horumar ah sii daayo , macmiil furan iyo hirgelinta server si loogu shaqeeyo SSH 2.0 iyo SFTP.
Horumarka muhiimka ah ee sii deynta OpenSSH 8.2 waxay ahayd awoodda isticmaalka xaqiijinta laba-geesoodka ah iyadoo la adeegsanayo aaladaha taageera borotokoolka , oo ay soo saareen isbahaysigu . U2F waxay u ogolaataa abuurista calaamado qalabeed oo qiimo jaban si loo xaqiijiyo joogitaanka jireed ee isticmaalaha, la falgalka iyaga oo isticmaalaya USB, Bluetooth ama NFC. Aaladaha noocan oo kale ah waxaa loo dallacsiiyaa habka xaqiijinta laba-geesoodka ah ee shabakadaha, waxaa horeyba u taageeray daalacashada waaweyn waxaana soo saaray warshado kala duwan, oo ay ku jiraan Yubico, Feitian, Thetis iyo Kensington.
Si loola falgalo aaladaha xaqiijinaya joogitaanka isticmaalaha, noocyo cusub oo furaha βecdsa-skβ iyo βed25519-skβ ayaa lagu daray OpenSSH, kuwaas oo adeegsada ECDSA iyo Ed25519 saxeexa dhijitaalka ah algorithms, oo lagu daray SHA-256 hash. Nidaamyada la falgalka calaamadaha waxaa lagu dhejiyaa maktabad dhexdhexaad ah, taas oo lagu shubay si la mid ah maktabadda si loogu taageero PKCS#11 oo ah duub dusha sare ee maktabadda. , kaas oo siiya agabka lagula xidhiidho calaamadaha USB (FIDO U2F/CTAP 1 iyo FIDO 2.0/CTAP 2 borotokool waa la taageeray). Maktabada dhexe libsk-libfido2 oo ay diyaariyeen soosaarayaasha OpenSSH galay xudunta u ah libfido2, iyo sidoo kale loogu talagalay OpenBSD.
Si aad u xaqiijiso oo aad u soo saarto furaha, waa in aad ku qeexdaa halbeegga "SecurityKeyProvider" ee goobaha ama aad dejiso doorsoomiyaha deegaanka SSH_SK_PROVIDER, taasoo tusinaysa dariiqa loo maro maktabadda dibadda libsk-libfido2.so (Dhoofinta SSH_SK_PROVIDER=/path/to/libsk-libfido2). sidaas). Waa suurtogal in la dhiso openssh oo leh taageero ku dhisan maktabadda lakabka (-with-security-key-builtin), kiiskan waxaad u baahan tahay inaad dejiso "SecurityKeyProvider=internal" parameter.
Marka xigta waxaad u baahan tahay inaad socodsiiso "ssh-keygen -t ecdsa-sk" ama, haddii furayaasha mar hore la sameeyay oo la habeeyey, ku xir serverka adoo isticmaalaya "ssh". Markaad socodsiiso ssh-keygen, lamaanaha muhiimka ah ee la sameeyay ayaa lagu keydin doonaa "~/.ssh/id_ecdsa_sk" waxaana loo isticmaali karaa si la mid ah furayaasha kale.
Furaha dadweynaha (id_ecdsa_sk.pub) waa in lagu koobiyeeyaa serferka ku jira faylka la oggolaaday_keys. Dhinaca server-ka, saxeexa dhijitaalka ah oo keliya ayaa la xaqiijiyay, iyo isdhexgalka calaamadaha ayaa lagu sameeyaa dhinaca macmiilka (uma baahnid inaad ku rakibto libsk-libfido2 server-ka, laakiin adeeguhu waa inuu taageeraa nooca muhiimka ah "ecdsa-sk") . Furaha gaarka ah ee la soo saaray (id_ecdsa_sk) asal ahaan waa gacan furaha, samaynta fure dhab ah oo keliya marka lagu daro taxanaha sirta ah ee lagu kaydiyay dhinaca calaamada U2F. Haddii furaha id_ecdsa_sk uu ku dhaco gacanta weerarka, si uu u dhaafo aqoonsiga waxa uu sidoo kale u baahan doonaa in uu galo calaamadda qalabka, taas oo la'aanteed furaha gaarka ah ee lagu kaydiyay faylka id_ecdsa_sk aanu faa'iido lahayn.
Intaa waxaa dheer, sida caadiga ah, marka la fulinayo hawlgal kasta oo leh furayaasha (labadaba inta lagu jiro jiilka iyo inta lagu jiro aqoonsiga), xaqiijinta maxaliga ah ee joogitaanka jireed ee isticmaalaha ayaa loo baahan yahay, tusaale ahaan, waxaa la soo jeediyay in la taabto dareemayaasha calaamadda, taas oo adkeyneysa in lagu qaado weeraro fogaan ah nidaamyada leh calaamad ku xiran. Sida safka kale ee difaaca, erayga sirta ah ayaa sidoo kale lagu qeexi karaa inta lagu jiro marxaladda bilowga ee ssh-keygen si loo galo faylka muhiimka ah.
Nooca cusub ee OpenSSH wuxuu sidoo kale ku dhawaaqay hoos u dhigista soo socota ee algorithms iyadoo la adeegsanayo SHA-1 hashes sababtoo ah waxtarka weerarrada isku dhaca oo leh horgale la bixiyay (kharashka xulashada isku dhaca waxaa lagu qiyaasaa ku dhawaad ββ45 kun oo doolar). Mid ka mid ah siidaynta soo socota, waxay qorsheynayaan inay si caadi ah u baabi'iyaan awoodda isticmaalka furaha dadweynaha ee saxeexa dhijitaalka ah algorithm "ssh-rsa", kaas oo lagu sheegay RFC asalka ah ee borotokoolka SSH oo weli ku baahsan ficil ahaan (si loo tijaabiyo isticmaalka ee ssh-rsa ee nidaamyadaaga, waxaad isku dayi kartaa inaad ku xirto ssh ikhtiyaarka "-oHostKeyAlgorithms = -ssh-rsa").
Si loo fududeeyo u gudubka algorithms-yada cusub ee OpenSSH, mustaqbalka sii daynta dejinta UpdateHostKeys waxaa loo suurtagelin doonaa si caadi ah, kaas oo si toos ah macaamiisha ugu guuri doona algorithms la isku halayn karo. Algorithms-yada lagu taliyay ee socdaalka waxaa ka mid ah rsa-sha2-256/512 oo ku salaysan RFC8332 RSA SHA-2 (la taageeray ilaa OpenSSH 7.2 oo si caadi ah loo isticmaalo), ssh-ed25519 (taageeray tan iyo OpenSSH 6.5) iyo ecdsa-sha2-nistp256/384/521 ku salaysan on RFC5656 ECDSA (taageeray ilaa OpenSSH 5.7).
Gudaha OpenSSH 8.2, awoodda isku xidhka iyadoo la isticmaalayo "ssh-rsa" weli waa la heli karaa, laakiin algorithm-kan waa laga saaray liiska CASigntureAlgorithms, kaas oo qeexaya algorithms loo oggol yahay si dhijitaal ah loogu saxiixo shahaadooyin cusub. Sidoo kale, diffie-hellman-group14-sha1 algorithm waa laga saaray algorithms-isweydaarsiga furaha ah ee la taageeray. Waxaa la xusay in isticmaalka SHA-1 ee shahaadooyinka ay la xiriirto khatar dheeraad ah, maadaama uu weeraryahanku haysto wakhti aan xadidnayn oo uu ku raadiyo shil shahaado jirta, halka wakhtiga la weerarayo furayaasha martida loo yahay ay xaddidan tahay wakhtiga xidhiidhka (LoginGraceTime). ).
Ku socodsiinta ssh-keygen hadda waxay ku dhacaysaa rsa-sha2-512 algorithm, kaas oo la taageeray tan iyo OpenSSH 7.2, kaas oo abuuri kara arrimo ku habboon marka la isku dayo in la farsameeyo shahaadooyinka lagu saxiixay OpenSSH 8.2 ee nidaamyada socodsiiya sii deynta OpenSSH ee duugga ah (si looga shaqeeyo arrinta marka Marka abuurista saxeex, waxaad si cad u qeexi kartaa "ssh-keygen -t ssh-rsa" ama isticmaal ecdsa-sha2-nistp256/384/521 algorithms, la taageeray tan iyo OpenSSH 5.7).
Isbeddellada kale:
- Dardaaran ku dar ah ayaa lagu daray sshd_config, kaas oo kuu ogolaanaya inaad ku darto waxyaabaha ku jira faylalka kale booska hadda ee faylka qaabeynta (glob masks waxaa loo isticmaali karaa marka la tilmaamayo magaca faylka);
- Xulashada "aan-taabasho-loo baahnayn" ayaa lagu daray ssh-keygen, kaas oo curyaamiya baahida jir ahaan loo xaqiijiyo gelitaanka calaamadda marka furaha la abuurayo;
- Awaamiirta PubkeyAuthOptions ayaa lagu daray sshd_config, kaas oo isku daray doorashooyin kala duwan oo la xidhiidha aqoonsiga furaha dadweynaha. Hadda, kaliya calanka "aan taabasho-loo baahnayn" ayaa la taageerayaa si looga boodo hubinta joogitaanka jireed ee xaqiijinta calaamadda. Marka la barbardhigo, ikhtiyaarka "aan taabasho-loo baahan yahay" ayaa lagu daray faylka la oggolaaday;
- Waxaa lagu daray "-O write-attestation=/path" ikhtiyaarka ssh-keygen si loogu oggolaado shahaado caddaynta FIDO oo dheeraad ah in la qoro marka furayaasha la abuurayo. OpenSSH weli ma isticmaasho shahaadooyinkan, laakiin hadhow waxaa loo isticmaali karaa si loo xaqiijiyo in furaha la geliyo dukaanka qalabka lagu kalsoon yahay;
- Goobaha ssh iyo sshd, hadda waxaa suurtagal ah in la dejiyo habka kala hormarinta taraafikada iyada oo loo marayo dardaaranka IPQoS (Dadaalka Hoose ee Dabeecada Hop-ka);
- Gudaha ssh, marka la dejinayo qiimaha "AddKeysToAgent=haa", haddii furuhu aanu ku jirin goob faallo ah, waxaa lagu dari doonaa wakiilka ssh-ka oo tilmaamaya jidka furaha faallo ahaan. IN
ssh-keygen iyo ssh-agent sidoo kale hadda waxay isticmaalaan calaamadaha PKCS#11 iyo magaca mawduuca X.509 halkii ay ka isticmaali lahaayeen dariiqa maktabadda sida faallooyinka furaha; - Waxaa lagu daray awoodda lagu dhoofiyo PEM ee furayaasha DSA iyo ECDSA ssh-keygen;
- Waxaa lagu daray hawl-fulin cusub, ssh-sk-caawiye, oo loo adeegsaday in lagu karantiilo FIDO/U2F token galitaanka maktabadda;
- Lagu darey "-with-zlib" doorasho dhismo si ssh iyo sshd loogu daro taageerada maktabadda zlib;
- Iyadoo la raacayo shuruudaha RFC4253, digniin ku saabsan xannibaadda gelitaanka sababtoo ah xad dhaafka MaxStartups ayaa lagu bixiyaa banner-ka la soo bandhigay inta lagu guda jiro xiriirinta. Si loo fududeeyo ogaanshaha, madaxa habka sshd, oo la arki karo marka la isticmaalayo utility ps, hadda wuxuu muujinayaa tirada isku xirka hadda la xaqiijiyay iyo heerka xadka MaxStartups;
- Gudaha ssh iyo ssh-agent, markaad wacdo barnaamij si ay u soo bandhigto martiqaad shaashadda, oo lagu qeexay $SSH_ASKPASS, calanka nooca martiqaadka ah ayaa hadda sidoo kale la gudbiyaa: "xaqiiji" - wadahadalka xaqiijinta (haa/maya), "midna "- fariinta macluumaadka, "madhan" - codsi sir ah;
- Waxaa lagu daray hawlgal cusub oo saxeexa dhijitaalka ah "heli-maamule" ssh-keygen si loo baadho faylka saxeexayaasha la oggol yahay ee isticmaalaha ee la xidhiidha saxeex dhijitaal ah oo cayiman;
- Taageerada la wanaajiyay ee go'doominta nidaamka sshd ee Linux iyadoo la adeegsanayo habka seccomp: joojinta wicitaanada nidaamka IPC, u oggolaanaya clock_gettime64 (), clock_nanosleep_time64 iyo clock_nanosleep ().
Source: opennet.ru