OpenSSH 9.3 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. The new version fixes security issues:
- A logic error was found in the ssh-add utility: when smartcard keys were added to ssh-agent, the restrictions specified with the "ssh-add -h" option were not passed to the agent. As a result, the key was added to the agent without the restrictions that allow connections only from certain hosts being applied.
- A vulnerability was found in the ssh utility that can lead to reading data from the stack area outside the allocated buffer when processing specially crafted DNS responses, if the VerifyHostKeyDNS setting is enabled in the configuration file. The problem is in the built-in implementation of the getrrsetbyname() function, which is used in portable versions of OpenSSH built without the external ldns library (--with-ldns) and on systems whose standard libraries do not support the getrrsetbyname() call. Exploitation of the vulnerability, other than to trigger a denial of service of the ssh client, is assessed as unlikely.
In addition, a vulnerability can be noted in the libskey library included in OpenBSD, which is used in OpenSSH. The problem has been present since 1997 and can cause a stack buffer overflow when processing specially crafted host names. It is noted that although the vulnerability can be triggered remotely through OpenSSH, in practice it is useless, because for it to manifest the name of the attacked host (/etc/hostname) must contain more than 126 characters, and the buffer can only be overflowed with characters with a zero code ('\0').
Changes not related to security include:
- ssh-keygen and ssh-keyscan added support for the "-Ohashalg=sha1|sha256" parameter to select the algorithm used to display SSHFP fingerprints.
- sshd added the "-G" option to parse and display the active configuration without attempting to load private keys and without performing additional checks, which makes it possible to check the configuration at a stage before key generation and to run the check as an unprivileged user.
- sshd strengthened isolation on the Linux platform, which uses the seccomp and seccomp-bpf system call filtering mechanisms. Flags for mmap, madvise and futex were added to the list of allowed system calls.
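
To illustrate what the "-Ohashalg=sha1|sha256" item above selects, the following Python function derives SSHFP records from a public-key line and can restrict them to one digest. It is an added example, not code from OpenSSH or from the original article; the function name sshfp_records, the host name host.example and the sample key are assumptions made for the example, and emitting both digests when no algorithm is given is this example's own choice.

```python
import base64
import hashlib
import struct

# SSHFP key-algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {"sha1": 1, "sha256": 2}


def sshfp_records(hostname, pubkey_line, hashalg=None):
    """Build SSHFP records for one "type base64 [comment]" key line.

    hashalg=None emits both digests; "sha1" or "sha256" selects one.
    """
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGS:
        raise ValueError("unsupported or malformed public-key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; reject
    # lines whose label and blob disagree instead of publishing them.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    if hashalg is None:
        wanted = ["sha1", "sha256"]
    elif hashalg in FP_TYPES:
        wanted = [hashalg]
    else:
        raise ValueError("hashalg must be sha1 or sha256")
    return [
        f"{hostname} IN SSHFP {KEY_ALGS[key_type]} {FP_TYPES[alg]} "
        f"{hashlib.new(alg, blob).hexdigest()}"
        for alg in wanted
    ]


# Constructed sample key: a well-formed ssh-ed25519 blob with dummy bytes.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo"

if __name__ == "__main__":
    print("\n".join(sshfp_records("host.example", SAMPLE_LINE, "sha256")))
```

The fingerprint is a hash over the decoded key blob, so the same key yields a 40-character hex value for SHA-1 and a 64-character one for SHA-256.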
Source: opennet.ru