OpenSSH 8.0 release

After five months of development, the release of OpenSSH 8.0 has been presented: an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support for a key exchange method that is resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers are radically faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (function ntrup4591761), developed for post-quantum cryptosystems, and the X25519 elliptic curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was implemented in 2001 as an alternative to "host:port" to simplify working with IPv6. Today the "[::1]:22" syntax is established for IPv6, and "host/port" is often confused with a subnet specification (CIDR);
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the new NIST recommendations;
  • ssh allows the "PKCS11Provider=none" setting to be used to override the PKCS11Provider directive specified in ssh_config;
  • sshd displays an explanatory message when a connection is terminated on an attempt to run commands blocked by the "ForceCommand=internal-sftp" restriction in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is shown, the correct key fingerprint is now accepted in place of the answer "yes" (in response to the connection confirmation prompt, the user can paste a separately obtained reference hash from the clipboard, so that it does not have to be compared by hand);
  • ssh-keygen automatically increments the certificate serial number when creating digital signatures for several certificates on the command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to increase the verbosity of the output (when specified, this option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • A "-T" option has been added to ssh-add to test whether the keys in ssh-agent are suitable for digital signature creation and verification operations;
  • sftp-server implements support for the "lsetstat@openssh.com" protocol extension, which adds support for the SSH2_FXP_SETSTAT operation for SFTP, but without following symbolic links;
  • A "-h" option has been added to sftp for running the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd sets the $SSH_CONNECTION environment variable for PAM;
  • For sshd, a "Match final" mode has been added to ssh_config; it is similar to "Match canonical" but does not require hostname canonicalization to be enabled;
  • Support has been added for the '@' prefix in sftp to suppress echoing of commands run in batch mode;
  • When displaying the contents of a certificate with the command "ssh-keygen -Lf /path/certificate", the algorithm used by the CA to sign the certificate is now shown;
  • Improved support for the Cygwin environment, for example case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed to cygsshd to avoid clashing with the OpenSSH port supplied by Microsoft;
  • Added the ability to build with the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the implementation of the scp utility that allows arbitrary files in the target directory to be overwritten on the client side when accessing a server controlled by an attacker. The problem is that when scp is used, the server decides which files and directories to send to the client, and the client only checks the validity of the returned object names. The client-side check is limited to blocking traversal beyond the current directory ("../"), but does not take into account the transfer of files whose names differ from those originally requested. In the case of recursive copying (-r), the names of subdirectories can be manipulated in the same way in addition to file names. For example, if the user copies files into the home directory, the attacker-controlled server can return files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and the scp utility will save them in the user's home directory.

    In the new release, the scp utility has been updated to check that the names of the requested files correspond to those sent by the server; the check is performed on the client side. This can cause problems with mask processing, since mask expansion characters may be handled differently on the server and client sides. In case such differences make the client stop accepting files in scp, a "-T" option has been added to disable the client-side check. Fixing the problem completely requires a conceptual rework of the scp protocol, which is itself outdated, so using more modern protocols such as sftp and rsync is recommended.
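
The client-side name check described above can be sketched as follows. This is an added example, not OpenSSH source code: name_allowed() and the request/response pairs are hypothetical, and it uses POSIX fnmatch(3) to stand in for the mask comparison, covering only the top-level name. The last case shows how a mask the server's shell would expand (braces) fails the client-side match, the situation the "-T" option exists for.

```c
/* Added example: client-side check that a name sent by the server
 * corresponds to what the user requested. Not OpenSSH source code;
 * name_allowed() and the sample data below are hypothetical. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the name announced by the server may be written for the
 * path the user asked for, 0 if it must be refused. */
int name_allowed(const char *requested, const char *received)
{
    const char *pattern = strrchr(requested, '/');

    /* Older rule: refuse empty names, path separators, "." and "..". */
    if (received[0] == '\0' || strchr(received, '/') != NULL ||
        strcmp(received, ".") == 0 || strcmp(received, "..") == 0)
        return 0;

    /* Only the last component of the request names the object. */
    pattern = (pattern != NULL) ? pattern + 1 : requested;

    /* Added rule: the received name must match what was requested. */
    return fnmatch(pattern, received, 0) == 0;
}

int main(void)
{
    /* Constructed request/response pairs, not captured traffic. */
    static const char *cases[][2] = {
        { "docs/*.txt", "notes.txt" },            /* honest server */
        { "report.txt", ".bash_aliases" },        /* substituted name */
        { "report.txt", ".ssh/authorized_keys" }, /* contains a slash */
        { "report.txt", ".." },                   /* traversal */
        { "{a,b}.txt",  "a.txt" }, /* shell expands braces, fnmatch does not */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12s <- %-22s %s\n", cases[i][0], cases[i][1],
            name_allowed(cases[i][0], cases[i][1]) ? "accept" : "refuse");
    return 0;
}
```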

Source: opennet.ru
