Google Published HIBA, an OpenSSH Extension for Certificate-Based Authentication

Google has published the source code of the HIBA (Host Identity Based Authorization) project, which proposes an additional authorization mechanism for managing user access over SSH with respect to hosts (checking whether access to a particular resource is allowed when authenticating with public keys). Integration with OpenSSH is done by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project code is written in C and distributed under the BSD license.

HIBA uses the standard OpenSSH certificate-based authentication mechanisms for flexible, centralized management of user authorization with respect to hosts, but it does not require periodic changes to the authorized_keys and authorized_users files on the hosts being connected to. Instead of storing a list of valid public keys and access conditions in the authorized_(keys|users) files, HIBA embeds the information about user-to-host bindings directly in the certificates themselves. Specifically, extensions are proposed for host certificates and user certificates that store host parameters and the conditions for granting user access.

The check on the host side is started by calling the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. This handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or deny access. Access rules are defined centrally at the certificate authority (CA) level and are embedded into the certificates at the time they are generated.

On the certificate authority side, a general list of available permissions is maintained (the hosts to which connections are allowed), along with a list of users allowed to use those permissions. The hiba-gen utility is provided for generating certified certificates with the permission information embedded in them, and the functionality needed to set up a certificate authority is included in the hiba-ca.sh script.

When a user connects, the permissions specified in the certificate are confirmed by the certificate authority's digital signature, which allows all checks to be performed entirely on the side of the host being connected to, without contacting external services. The list of public keys of the certificate authorities that certify SSH certificates is specified via the TrustedUserCAKeys directive.

In addition to binding users directly to hosts, HIBA allows more flexible access rules to be defined. For example, information such as location and service type can be associated with hosts, and when defining user access rules, connections can be allowed to all hosts with a given service type or to hosts located in a given location.
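The attribute-based rules described above can be modeled as follows. This is an added example, not code from the HIBA project: it is a simplified model of the host-side decision, and the field names (`domain`, `location`, `service`, `role`), the glob matching and the sample data are assumptions made for illustration, not HIBA's certificate extension format.

```python
from fnmatch import fnmatchcase

# Constructed host parameters, standing in for what a CA embeds in each host certificate.
HOSTS = {
    "web-1": {"domain": "example.org", "location": "eu", "service": "web"},
    "web-2": {"domain": "example.org", "location": "us", "service": "web"},
    "db-1": {"domain": "example.org", "location": "eu", "service": "database"},
}

# Constructed access conditions, standing in for what a CA embeds in one user certificate.
USER_GRANTS = [
    # any web host, regardless of location
    {"domain": "example.org", "service": "web", "role": "deploy"},
    # database hosts, but only in locations matching eu*
    {"domain": "example.org", "service": "database", "location": "eu*", "role": "dba"},
]

def grant_matches(grant, host, requested_role):
    """True only if every condition in the grant is satisfied by the host parameters."""
    # Fail closed: a grant with no domain, or one for another domain, never applies.
    if "domain" not in grant or grant["domain"] != host.get("domain"):
        return False
    # The grant must name the role (assumed here: the target account) being requested.
    if grant.get("role") != requested_role:
        return False
    for key, pattern in grant.items():
        if key in ("domain", "role"):
            continue
        value = host.get(key)
        # A condition on a parameter the host does not declare is a non-match, not a pass.
        if value is None or not fnmatchcase(value, pattern):
            return False
    return True

def authorize(grants, host, requested_role):
    """Host-side decision: allow if at least one grant in the user certificate matches."""
    return any(grant_matches(g, host, requested_role) for g in grants)

if __name__ == "__main__":
    for name, params in HOSTS.items():
        for role in ("deploy", "dba"):
            verdict = "allow" if authorize(USER_GRANTS, params, role) else "deny"
            print(f"{name:6} role={role:7} {verdict}")
```

Both inputs to the decision come from CA-signed certificates, which is why the model needs no lookup outside the host.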



Source: opennet.ru
