OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, the OpenSSH 8.2 release is available: an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The key improvement in the OpenSSH 8.2 release is the ability to use two-factor authentication with devices that support the U2F protocol, developed by the FIDO alliance. U2F allows the creation of low-cost hardware tokens that verify the user's physical presence, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a method of two-factor authentication on websites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that verify the user's presence, the new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH, which use the ECDSA and Ed25519 digital signature algorithms combined with a SHA-256 hash. The procedures for interacting with tokens are placed in an intermediate library, loaded in the same way as the library for PKCS#11 support, which is a wrapper over the libfido2 library, which provides tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The libsk-libfido2 intermediate library prepared by the OpenSSH developers has been included in the main libfido2 codebase, along with a HID driver for OpenBSD.

To enable authentication and key generation, you must specify the "SecurityKeyProvider" parameter in the settings or set the SSH_SK_PROVIDER environment variable, pointing to the path of the external libsk-libfido2.so library (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). It is also possible to build openssh with built-in support for the layer library (--with-security-key-builtin), in which case you need to set the "SecurityKeyProvider=internal" parameter. After that you need to run "ssh-keygen -t ecdsa-sk" or, if keys have already been generated and configured, connect to the server using "ssh". When ssh-keygen is run, the generated key pair is saved to "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) should be copied to the server into the authorized_keys file. On the server side, only the digital signature is verified, and interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle, forming the real key only in combination with the secret sequence stored on the U2F token side. If the id_ecdsa_sk key falls into an attacker's hands, passing authentication would additionally require obtaining the hardware token, without which the private key stored in the id_ecdsa_sk file is useless.

In addition, by default, whenever any operation is performed with the keys (both during generation and during authentication), local confirmation of the user's physical presence is required, for example by touching the sensor on the token, which makes it hard to carry out remote attacks on systems with a connected token. As a further line of defence, a password can also be set at the ssh-keygen generation step to protect access to the key file.

The new OpenSSH version also announced the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases, they plan to disable by default the ability to use the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test whether your systems rely on ssh-rsa, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option).

To ease the transition to the new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will migrate clients to more reliable algorithms automatically. Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2, the ability to connect using "ssh-rsa" is still available, but this algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for signing new digital certificates. Similarly, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries an increased risk, since an attacker has unlimited time to search for a collision for an existing certificate, whereas the time for an attack on host keys is bounded by the connection timeout (LoginGraceTime).

ssh-keygen now defaults to the rsa-sha2-512 algorithm, supported since OpenSSH 7.2, which may cause compatibility problems when certificates signed on OpenSSH 8.2 are processed on systems running older OpenSSH releases (to work around the issue when generating a signature, you can explicitly specify "ssh-keygen -t ssh-rsa" or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).

Other changes:

  • The Include directive has been added to sshd_config, allowing the contents of other files to be included at the current position of the configuration file (glob masks can be used when specifying the file name);
  • The "no-touch-required" option has been added to ssh-keygen, disabling the requirement for physical confirmation of token access when generating a key;
  • The PubkeyAuthOptions directive has been added to sshd_config, combining various options related to public key authentication. Currently, only the "no-touch-required" flag is supported, to skip the physical presence check for token authentication. By analogy, a "no-touch-required" option has been added to the authorized_keys file;
  • The "-O write-attestation=/path" option has been added to ssh-keygen to allow additional FIDO attestation certificates to be written when generating keys. OpenSSH does not use these certificates yet, but later they may be used to verify that the key is held in a trusted hardware store;
  • In the ssh and sshd settings, it is now possible to set the traffic prioritisation mode via the IPQoS directive to LE DSCP (Lower Effort Per-Hop Behaviour);
  • In ssh, when "AddKeysToAgent=yes" is set, a key that has no comment field will be added to ssh-agent with the key path as its comment. In ssh-keygen and ssh-agent, PKCS#11 labels and the X.509 subject name are now used instead of the library path as key comments;
  • Added the ability to export PEM for DSA and ECDSA keys in ssh-keygen;
  • Added a new executable, ssh-sk-helper, used to isolate the FIDO/U2F token access library;
  • Added the "--with-zlib" build option for ssh and sshd, to compile with zlib library support;
  • In accordance with the RFC4253 requirement, a warning about access being refused due to exceeding the MaxStartups limits is now provided in the banner shown during connection. To simplify diagnostics, the sshd process title, visible when using the ps utility, now shows the number of currently authenticated connections and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when calling the program for displaying an on-screen prompt, specified via $SSH_ASKPASS, a flag with the prompt type is now passed: "confirm" - a confirmation dialog (yes/no), "none" - an informational message, "blank" - a password request;
  • Added a new "find-principals" operation to ssh-keygen to search the allowed signers file for the user associated with the specified digital signature;
  • Improved sandboxing of sshd on Linux using the seccomp mechanism: IPC system calls are disabled, and clock_gettime64(), clock_nanosleep_time64 and clock_nanosleep() are allowed.
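As an added example (not code from the OpenSSH project or the original article), the script below audits an authorized_keys file for two things discussed above: plain ssh-rsa entries, whose signatures will be SHA-1 based with peers that lack rsa-sha2-256/512, and FIDO-backed keys carrying the no-touch-required option, which drops the physical-presence check. The sk-* key type strings are the wire identifiers OpenSSH uses for ecdsa-sk/ed25519-sk keys; the sample file is constructed and its key blobs are placeholders.

```python
import shlex

# Wire-format key type names that `ssh-keygen -t ecdsa-sk` / `-t ed25519-sk` produce
# (known OpenSSH identifiers; the article names only the ssh-keygen type aliases).
SK_KEY_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}
OTHER_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample authorized_keys; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... alice@laptop
no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5... bob-automation
from="10.0.0.0/8",no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... ci-runner
ssh-rsa AAAAB3NzaC1yc2E... legacy@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... carol@desk
"""

def parse_line(line):
    """Split one authorized_keys line into (options, key_type, comment); None if no key."""
    # shlex strips the quotes around option values and drops '#' comment lines.
    tokens = shlex.split(line, comments=True)
    for i, tok in enumerate(tokens):
        if tok in SK_KEY_TYPES or tok in OTHER_KEY_TYPES:
            # Everything before the key type is the comma-separated options field.
            options = set(",".join(tokens[:i]).split(",")) - {""}
            comment = " ".join(tokens[i + 2:])  # tokens[i + 1] is the key blob
            return options, tok, comment
    return None

def audit(text):
    """Return (comment, finding) pairs for entries that weaken the guarantees above."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        if key_type == "ssh-rsa":
            findings.append((comment, "ssh-rsa key: peers without rsa-sha2-256/512 "
                                      "will verify SHA-1 (ssh-rsa) signatures"))
        if key_type in SK_KEY_TYPES and "no-touch-required" in options:
            findings.append((comment, "FIDO key accepts logins without a token touch "
                                      "(no-touch-required)"))
    return findings

if __name__ == "__main__":
    for comment, finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment}: {finding}")
```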

Source: opennet.ru
