Release of OpenSSH 8.4

After four months of development, OpenSSH 8.4 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Major changes:

  • Security changes:
    • In ssh-agent, when a FIDO key that was not created for SSH authentication is used (its application identifier does not begin with the string "ssh:"), the agent now checks that the message to be signed has one of the forms used by the SSH protocol. This prevents an ssh-agent forwarded to a remote host from being used, with such FIDO keys, to produce signatures for web authentication requests (the reverse case, a browser signing an SSH request, was excluded from the start because of the "ssh:" prefix in the key identifier).
    • Resident key generation in ssh-keygen now supports the credProtect extension described in the FIDO 2.1 specification, which gives keys additional protection by requiring a PIN before any operation that could result in a resident key being extracted from the token.
  • Changes that may break compatibility:
    • For FIDO/U2F support, it is recommended to use the libfido2 library version 1.5.0 or later. The ability to use older versions is partially implemented, but in that case features such as resident keys, PIN prompting and attaching multiple tokens will not be available.
    • In ssh-keygen, the authenticator data required to verify attestation signatures has been added to the attestation information structure, which is optionally saved when a FIDO key is generated.
    • The API that OpenSSH uses to interact with the middleware layer for accessing FIDO tokens has changed.
    • When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from a published source tarball, regenerating the configuration is not required).
  • Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate keys with a PIN, the "verify-required" option has been added to ssh-keygen. When such keys are used, the user is prompted to confirm the action by entering the PIN code before a signature is created.
  • In sshd, the "verify-required" option is implemented for authorized_keys; it requires that the token verify the user during signing operations. The FIDO standard provides several options for such verification, but at present OpenSSH supports only PIN-based verification.
  • sshd and ssh-keygen have added support for verifying digital signatures conforming to the FIDO Webauthn standard, which allows FIDO keys to be used in web browsers.
  • In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now allow values to be substituted from environment variables given in the form "${ENV}".
  • ssh and ssh-agent have added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable the ssh-askpass call.
  • In ssh, the ssh_config AddKeysToAgent directive gained the ability to limit the key lifetime. After the specified limit expires, the keys are automatically removed from ssh-agent.
  • In scp and sftp, the "-A" flag now explicitly allows scp and sftp to forward ssh-agent (forwarding remains disabled by default).
  • Added support for the '%k' substitution in ssh, which expands to the host key alias. It can be used to spread keys across separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • Allowed the "ssh-add -d -" operation to read the keys to be deleted from stdin.
  • In sshd, the start and end of the connection throttling process controlled by the MaxStartups parameter are now recorded in the log.
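As an added illustration (not code from OpenSSH itself), here is a simplified Python mirror of the ssh-agent check described above: it parses the two SSH signed-data layouts the agent accepts, a publickey userauth request (RFC 4252) and SSHSIG data, and refuses anything else for keys whose FIDO application string does not start with "ssh:". All sample messages are constructed; the function names are ours.

```python
import struct

def ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Decode one SSH wire-format string at off; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def is_ssh_userauth_request(msg, key_blob):
    """True only if msg is exactly what a client signs for publickey userauth with key_blob."""
    try:
        _, off = _string(msg, 0)                              # session identifier
        if off >= len(msg) or msg[off] != 50:                 # SSH2_MSG_USERAUTH_REQUEST
            return False
        _, off = _string(msg, off + 1)                        # user name
        service, off = _string(msg, off)
        method, off = _string(msg, off)
        if service != b"ssh-connection" or method != b"publickey":
            return False
        if off >= len(msg) or msg[off] != 1:                  # "signature follows" flag
            return False
        _, off = _string(msg, off + 1)                        # public key algorithm name
        blob, off = _string(msg, off)                         # public key blob
    except ValueError:
        return False
    return off == len(msg) and blob == key_blob               # no trailing data, same key

def is_sshsig_request(msg):
    """True if msg has the SSHSIG layout: magic, namespace, reserved, hash algorithm, hash."""
    if not msg.startswith(b"SSHSIG"):
        return False
    try:
        off = len(b"SSHSIG")
        for _ in range(4):
            _, off = _string(msg, off)
    except ValueError:
        return False
    return off == len(msg)

def agent_should_sign(application, msg, key_blob):
    """8.4 rule: "ssh:" application keys are SSH-only; other FIDO keys may sign only SSH-shaped data."""
    if application.startswith("ssh:"):
        return True
    return is_ssh_userauth_request(msg, key_blob) or is_sshsig_request(msg)
```

A web authentication challenge is an opaque hash-sized blob, so it fails both structural checks and is refused for a non-"ssh:" key.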

The OpenSSH developers also reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, they plan to disable by default the ability to use the "ssh-rsa" public key signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice (to test whether your systems rely on ssh-rsa, you can try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa").

To smooth the transition to the new algorithms in OpenSSH, the next release will enable the UpdateHostKeys setting by default, which will move clients to more trustworthy algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

Source: opennet.ru
