Google has published HIBA, an OpenSSH extension for certificate-based authorization

Google has published the source code of the HIBA (Host Identity Based Authorization) project, which proposes an implementation of an additional authorization mechanism for organizing user access over SSH in relation to hosts (checking whether access to a given host is allowed or not when authenticating with public keys). Integration with OpenSSH is done by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project code is written in C and distributed under the BSD license.

HIBA uses the standard authentication mechanisms based on OpenSSH certificates for flexible and centralized management of user authorization in relation to hosts, but does not require periodic changes to the authorized_keys and authorized_users files on the host to which the connection is made. Instead of keeping a list of valid public keys and access conditions in authorized_(keys|users) files, HIBA embeds the information about host-user bindings directly into the certificates themselves. Specifically, extensions are proposed for host certificates and user certificates that store the host's parameters and the conditions under which a user is granted access.

The check on the host side is initiated by calling the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. This handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or deny access. Access rules are defined centrally at the certificate authority (CA) level and are embedded into certificates at the time they are generated.
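To make the "decodes the extensions embedded in the certificates" step concrete, here is an added example (not HIBA's code, and not its on-disk format) that walks the OpenSSH certificate wire format down to the extensions field. The certificate is constructed in-line with a dummy key and signature so the script runs offline, and the extension name `example-grant@example.com` is a placeholder standing in for whatever name HIBA actually uses; the grant string syntax is likewise an assumption made for the demo.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2          # OpenSSH certificate type codes
# Placeholder extension name standing in for HIBA's own (assumption).
GRANT_EXT = "example-grant@example.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Read one SSH string at offset `off`; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def pack_pairs(pairs):
    """Encode name/data pairs as in the extensions and critical-options
    fields. A flag (value None) carries an empty data string; a valued
    entry wraps the value in an inner string, as ssh-keygen does for
    -O extension:name=value."""
    out = b""
    for name, value in pairs:
        data = b"" if value is None else ssh_string(value.encode())
        out += ssh_string(name.encode()) + ssh_string(data)
    return out


def build_cert(cert_type, key_id, principals, extensions) -> str:
    """Assemble a certificate in 'type base64' form. Constructed for the
    demo: dummy key, nonce and signature, so it is not a valid cert."""
    body = (
        ssh_string(CERT_TYPE)
        + ssh_string(b"\x00" * 32)                       # nonce
        + ssh_string(b"\x11" * 32)                       # public key (dummy)
        + struct.pack(">Q", 1)                           # serial
        + struct.pack(">I", cert_type)
        + ssh_string(key_id.encode())
        + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
        + struct.pack(">QQ", 0, 2**64 - 1)               # valid after/before
        + ssh_string(b"")                                # critical options
        + ssh_string(pack_pairs(extensions))
        + ssh_string(b"")                                # reserved
        + ssh_string(b"\x22" * 32)                       # CA key (dummy)
        + ssh_string(b"\x33" * 64)                       # signature (dummy)
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


def parse_cert(line: str) -> dict:
    """Walk the certificate blob to the fields a checker needs: type,
    key id, principals and the decoded extensions (flags map to None)."""
    kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    wire_type, off = read_string(buf, 0)
    if wire_type.decode() != kind:
        raise ValueError("type prefix does not match certificate blob")
    _, off = read_string(buf, off)                       # nonce
    _, off = read_string(buf, off)                       # public key
    off += 8                                             # serial
    (cert_type,) = struct.unpack_from(">I", buf, off)
    off += 4
    key_id, off = read_string(buf, off)
    plist, off = read_string(buf, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = read_string(plist, p)
        principals.append(name.decode())
    off += 16                                            # validity window
    _, off = read_string(buf, off)                       # critical options
    ext_blob, off = read_string(buf, off)
    extensions, e = {}, 0
    while e < len(ext_blob):
        name, e = read_string(ext_blob, e)
        data, e = read_string(ext_blob, e)
        extensions[name.decode()] = (read_string(data, 0)[0].decode()
                                     if data else None)
    return {"type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "extensions": extensions}


# Constructed sample: a user certificate carrying a standard flag and a
# grant string in the placeholder extension.
SAMPLE_USER_CERT = build_cert(
    USER_CERT, "alice-laptop", ["alice", "deploy"],
    [("permit-pty", None), (GRANT_EXT, "service=web users=deploy")],
)

if __name__ == "__main__":
    for k, v in parse_cert(SAMPLE_USER_CERT).items():
        print(f"{k}: {v}")
```

Note that nothing here verifies the CA signature; a real handler runs only after sshd has already validated the certificate against TrustedUserCAKeys, which is what lets the host trust the decoded extensions in the first place.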

On the certificate authority side, a general list of available hosts is maintained (the hosts to which connections are allowed) together with a list of the users allowed to use those hosts. The hiba-gen utility is proposed for generating certificates with the authorization information embedded, and the functionality needed to create a certificate authority is included in the hiba-ca.sh script.

When a user connects, the authorization recorded in the certificate is verified through the certificate authority's digital signature, which allows all checks to be performed entirely on the target host to which the connection is made, without turning to external services. The list of public keys of the certificate authorities that certify SSH certificates is set with the TrustedUserCAKeys directive.

In addition to binding users directly to hosts, HIBA lets you define flexible access rules. For example, information such as location and service type can be associated with a host, and when defining a user's access rules, connections can be allowed to all hosts with a given service type or to hosts in a particular location.
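The rule matching just described, as an added toy model (not HIBA's own code, schema or grant syntax): a host identity carries attributes such as service type and location, a user's grants either bind to a hostname directly or constrain those attributes, and the result is returned in the shape the AuthorizedPrincipalsCommand contract expects, a list of principals for sshd to accept, empty meaning refusal. The `key=value ... users=a,b` grant syntax, the attribute names and the sample hosts are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostIdentity:
    """Attributes the CA embedded in the host's certificate (constructed)."""
    hostname: str
    service: str
    location: str

    def attributes(self) -> dict:
        return {"hostname": self.hostname, "service": self.service,
                "location": self.location}


@dataclass(frozen=True)
class Grant:
    """One access rule from a user certificate (constructed schema).

    constraints: attribute values the host must carry. An empty dict matches
                 every host; {"hostname": "db-us-03"} is a direct binding.
    users:       local accounts this grant permits; ("*",) means any.
    """
    constraints: dict
    users: tuple


def parse_grant(text: str) -> Grant:
    """Parse the constructed grant syntax 'key=value ... users=a,b'.
    Every key other than 'users' is a host constraint."""
    constraints, users = {}, ()
    for token in text.split():
        key, _, value = token.partition("=")
        if not key or not value:
            raise ValueError(f"malformed grant token: {token!r}")
        if key == "users":
            users = tuple(value.split(","))
        else:
            constraints[key] = value
    if not users:
        raise ValueError("grant names no users")
    return Grant(constraints, users)


def unmet(grant: Grant, host: HostIdentity) -> list:
    """Constraints of `grant` the host does not satisfy (empty = match)."""
    attrs = host.attributes()
    return [f"{k}={v}" for k, v in grant.constraints.items()
            if attrs.get(k) != v]


def grant_applies(grant: Grant, host: HostIdentity, local_user: str) -> bool:
    return not unmet(grant, host) and (
        "*" in grant.users or local_user in grant.users)


def decide(host: HostIdentity, grants, local_user: str) -> list:
    """Emulate the AuthorizedPrincipalsCommand contract: the principal
    names sshd may accept for this login, one per output line. An empty
    list means no grant matched, so sshd refuses the certificate."""
    if any(grant_applies(g, host, local_user) for g in grants):
        return [local_user]
    return []


def explain(host: HostIdentity, grants, local_user: str) -> list:
    """One line per grant saying why it did or did not apply; handy for
    the host's auth log when a login is refused."""
    lines = []
    for g in grants:
        missing = unmet(g, host)
        if missing:
            lines.append(f"{g.constraints}: host lacks {', '.join(missing)}")
        elif "*" not in g.users and local_user not in g.users:
            lines.append(f"{g.constraints}: user {local_user!r} not in {g.users}")
        else:
            lines.append(f"{g.constraints}: applies")
    return lines


# Constructed sample hosts and grants.
WEB_EU = HostIdentity("web-eu-01", service="web", location="eu")
DB_US = HostIdentity("db-us-03", service="db", location="us")
ALICE_GRANTS = [parse_grant("service=web users=deploy"),      # any web host
                parse_grant("hostname=db-us-03 users=alice")]  # direct binding
BOB_GRANTS = [parse_grant("location=eu users=*")]              # any eu host

if __name__ == "__main__":
    for host, user in [(WEB_EU, "deploy"), (WEB_EU, "root"), (DB_US, "alice")]:
        print(host.hostname, user, "->", decide(host, ALICE_GRANTS, user) or "DENY")
        for line in explain(host, ALICE_GRANTS, user):
            print("   ", line)
```

The design point worth keeping from this model is that the host evaluates only attributes the CA signed into its own certificate and grants the CA signed into the user's, so a compromised host cannot widen its own identity and a user cannot edit their grants; logging the per-grant reasons from `explain` gives the host a usable record of why a refusal happened.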



Source: opennet.ru
