OpenSSH 8.7 released

After four months of development, OpenSSH 8.7 has been released: an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • An experimental data transfer mode has been added to scp that uses the SFTP protocol instead of the legacy SCP/RCP protocol. SFTP uses more predictable file name handling and does not rely on the remote side's shell to expand glob patterns, which is a source of security problems. The "-s" flag enables SFTP in scp; a complete switch to this protocol is planned for the future.
  • sftp-server implements SFTP protocol extensions for expanding ~/ and ~user/ paths, which scp needs.
  • The behaviour of the scp utility when copying files between two remote hosts (for example, "scp host-a:/path host-b:") has changed: the copy now goes through the local host as an intermediary by default, as if the "-3" flag had been given. This avoids passing unnecessary credentials to the first host and avoids the triple interpretation of file names by a shell (on the source, the destination and the local system), and, when SFTP is used, it allows every authentication method to be used when accessing the remote hosts, not only non-interactive ones. The "-R" option has been added to restore the old behaviour.
  • The ForkAfterAuthentication setting has been added to ssh, corresponding to the "-f" flag.
  • The StdinNull setting has been added to ssh, corresponding to the "-n" flag.
  • The SessionType setting has been added to ssh, with which you can select the modes corresponding to the "-N" (no session) and "-s" (subsystem) flags.
  • ssh-keygen now allows a key validity interval to be specified in key files.
  • The "-Oprint-pubkey" flag has been added to ssh-keygen to print the full public key as part of an sshsig signature.
  • In ssh and sshd, both the client and the server have been moved to a configuration file parser that applies shell-like rules for handling quoted strings, spaces and escape characters. The new parser also no longer tolerates formerly accepted sloppiness such as omitting an option's argument (for example, the DenyUsers directive can no longer be left empty), unclosed quotes, and multiple "=" characters.
  • When SSHFP DNS records are used to verify keys, ssh now checks all matching records, not only those carrying a specific digital signature type.
  • In ssh-keygen, when generating a FIDO key with the -Ochallenge option, the built-in layer is now used for hashing instead of libfido2, which allows challenge sequences larger or smaller than 32 bytes to be used.
  • In sshd, when processing environment="..." directives in authorized_keys files, the first match is now accepted, and a limit of 1024 distinct environment variable names has been set.
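As an added illustration of the stricter configuration parsing described above (this is not OpenSSH's own parser and only approximates its rules), the following Python tokenizes sshd_config/ssh_config lines with shell-like quoting via shlex and flags the three formerly tolerated forms the release notes name: an option without an argument, an unclosed quote, and a doubled "=" separator. The sample configuration and its directive values are constructed for the example.

```python
"""Approximate the stricter OpenSSH 8.7 config-line parsing rules.

Added example, not OpenSSH's own code. Tokenizes config lines with
shell-like quoting (shlex) and reports the three forms the release
notes say the new parser rejects. The rule set is a simplification of
what ssh(1)/sshd(8) actually implement (e.g. no Match/Include logic).
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEYWORD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(.*)$")


@dataclass
class ParsedLine:
    keyword: Optional[str]                 # None for blank or comment lines
    args: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def check_config_line(line: str) -> ParsedLine:
    """Parse one config line and report what the new parser would reject."""
    text = line.strip()
    if not text or text.startswith("#"):
        return ParsedLine(None)

    m = KEYWORD_RE.match(text)
    if not m:
        return ParsedLine(None, problems=["unrecognised keyword"])
    keyword, rest = m.group(1), m.group(2).lstrip()

    # "Keyword Value" and "Keyword=Value" are both accepted; exactly one '='
    # may separate the keyword from its arguments, so a second one is an error.
    if rest.startswith("="):
        rest = rest[1:].lstrip()
        if rest.startswith("="):
            return ParsedLine(keyword, problems=["multiple '=' separators"])

    try:
        # posix=True gives shell-style handling of quotes, spaces and backslashes
        args = shlex.split(rest, posix=True)
    except ValueError as exc:              # shlex raises "No closing quotation"
        return ParsedLine(keyword, problems=[f"unclosed quote ({exc})"])

    if not args:
        return ParsedLine(keyword, problems=["missing argument"])
    return ParsedLine(keyword, args)


def lint_config(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, keyword, problems) for every rejected line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = check_config_line(line)
        if parsed.problems:
            findings.append((lineno, parsed.keyword or "", parsed.problems))
    return findings


# Constructed sample sshd_config: the first three directives are valid under
# the new rules, the last three are the kinds of lines it now rejects.
SAMPLE_CONFIG = """\
Port=22
AuthorizedKeysFile "/etc/ssh/keys dir/%u" .ssh/authorized_keys
PermitRootLogin no
DenyUsers
Banner "/etc/issue
Port==2222
"""

if __name__ == "__main__":
    for lineno, keyword, problems in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword}: {', '.join(problems)}")
```

Running the module lints the constructed sample and reports lines 4, 5 and 6. Before upgrading a fleet, a check of this kind over existing sshd_config files catches the lines that used to load silently and would now make sshd refuse to start.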

The OpenSSH developers also warned again about the phasing out of algorithms that use SHA-1 hashes, because of the growing practicality of chosen-prefix collision attacks (the cost of finding a collision is estimated at around 50 thousand dollars). In one of the next releases they plan to disable by default the "ssh-rsa" public-key signature algorithm, which is named in the original RFC for the SSH protocol and is still widely used in practice.

To test whether your systems depend on ssh-rsa, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since the SSH protocol allows hash algorithms other than SHA-1. In particular, besides "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.

To ease the transition to the new algorithms, OpenSSH has had the UpdateHostKeys setting enabled by default for some time, which lets clients switch automatically to more trustworthy algorithms. With this setting, the special protocol extension "hostkeys-00@openssh.com" is enabled, which lets the server, after authentication, tell the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which keeps host keys up to date and makes changing keys on the server easier.

The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be listed in UserKnownHostsFile and not be used in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be used; wildcard masks on host names must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile parameter must be active.

The recommended algorithms for migration are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 per RFC5656 ECDSA (supported since OpenSSH 5.7).

Source: opennet.ru
