OpenSSH 8.0 Release

After five months of development, OpenSSH 8.0 has been released, an open implementation of a client and server for working with the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support for a key exchange method resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers are significantly faster at solving the problem of factoring a natural number into prime factors, which underlies today's asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (the ntrup4591761 function), developed for post-quantum cryptosystems, combined with the X25519 elliptic curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was implemented in 2001 as an alternative to "host:port" to simplify working with IPv6. Today the "[::1]:22" syntax has become established for IPv6, and "host/port" is often confused with a subnet specification (CIDR);
  • ssh, ssh-agent and ssh-add now support ECDSA keys in PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the new NIST recommendations;
  • ssh allows the setting "PKCS11Provider=none" to cancel a PKCS11Provider directive specified in ssh_config;
  • sshd now logs the cases where a connection is terminated because of an attempt to execute commands restricted by the "ForceCommand=internal-sftp" directive in sshd_config;
  • In ssh, when the prompt to confirm acceptance of a new host key is shown, a correct key fingerprint is now accepted in place of the answer "yes" (in response to the connection confirmation prompt, the user can paste, via the clipboard, a reference hash obtained separately, so as not to compare it by hand);
  • ssh-keygen automatically increments the certificate serial number when creating digital signatures for several certificates on one command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to increase the verbosity of the output (when specified, this option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • A "-T" option has been added to ssh-add to test whether the keys in ssh-agent are usable for digital signature creation and verification operations;
  • sftp-server adds support for the "lsetstat@openssh.com" protocol extension, which adds the SSH2_FXP_SETSTAT operation to SFTP but without following symbolic links;
  • A "-h" option has been added to sftp to run the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd sets the $SSH_CONNECTION environment variable for PAM;
  • In sshd, a "Match final" matching mode has been added to ssh_config, similar to "Match canonical" but not requiring hostname canonicalization in order to trigger;
  • Support for the '@' prefix has been added to sftp to disable echoing of the executed commands in batch mode;
  • When displaying certificate contents with the "ssh-keygen -Lf /path/certificate" command, the algorithm used by the CA to sign the certificate is now shown;
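The host-key prompt change above is easier to reason about with a concrete model of what ssh compares. The following is an added example, not code from the original page or from OpenSSH: it builds an OpenSSH public-key line from a constructed (not real) ssh-ed25519 key, computes the "SHA256:..." fingerprint in the format ssh prints in the prompt, and accepts a reply only if it is "yes" or exactly that fingerprint. The function names and the sample key material are assumptions of this example.

```python
import base64
import hashlib

# Constructed sample: an ssh-ed25519 host key whose 32-byte key material is the
# byte sequence 0..31. It is not a real key; it only gives the example an input.
SAMPLE_KEY_TYPE = "ssh-ed25519"
SAMPLE_KEY_MATERIAL = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire string (uint32 length + bytes)."""
    return len(data).to_bytes(4, "big") + data


def build_pubkey_line(key_type: str, key_material: bytes, comment: str = "host") -> str:
    """Build an OpenSSH public-key line: '<type> <base64 key blob> <comment>'.
    For ssh-ed25519 the blob is string(type) || string(32-byte public key)."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(key blob)) with the
    trailing '=' padding removed, which is how ssh shows it in the prompt."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def confirm_host_key(answer: str, pubkey_line: str) -> bool:
    """Decide whether the user's reply to the 'Are you sure you want to continue
    connecting?' prompt accepts the presented key. 'yes' accepts it as before;
    any other reply is accepted only if it is exactly the key's displayed
    SHA256 fingerprint (for example pasted from an out-of-band reference)."""
    reply = answer.strip()
    if reply == "yes":
        return True
    return reply == fingerprint_sha256(pubkey_line)


if __name__ == "__main__":
    line = build_pubkey_line(SAMPLE_KEY_TYPE, SAMPLE_KEY_MATERIAL)
    fp = fingerprint_sha256(line)
    print("key fingerprint is", fp)
    print("reply 'yes'        ->", confirm_host_key("yes", line))
    print("reply with the fp  ->", confirm_host_key(fp, line))
    print("reply with a typo  ->", confirm_host_key(fp[:-1], line))
```

The point of the comparison is that a pasted fingerprint is matched as a whole string, prefix included: a truncated or altered fingerprint is not "close enough" and the connection is not accepted, which is exactly what makes pasting safer than eyeballing 43 base64 characters.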

  • Improved support for the Cygwin environment, for example case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed cygsshd to avoid a clash with the OpenSSH port supplied by Microsoft;
  • Added the ability to build against the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the implementation of the scp utility that allowed arbitrary files in the target directory on the client side to be overwritten when accessing an attacker-controlled server. The problem is that with scp the server decides which files and directories to send to the client, and the client checks only the validity of the names of the returned objects. The client-side check was limited to blocking escape from the current directory ("../") and did not account for the transfer of files with names different from those originally requested. In the case of recursive copying (-r), subdirectory names can be manipulated in the same way as file names. For example, if a user copies files into their home directory, an attacker-controlled server can return files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and scp will save them into the user's home directory.

    In the new release, the scp utility has been updated to check, on the client side, that the file names sent by the server correspond to those requested. This may cause problems with glob handling, since glob expansion characters can be processed differently on the server and on the client. In case such differences cause scp to stop accepting files, a "-T" option has been added to disable the client-side check. Fully fixing the problem requires reworking the logic of the scp protocol, which is itself already obsolete, so it is recommended to use more modern protocols such as sftp and rsync instead.
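To make the CVE-2019-6111 discussion above concrete, here is an added example (not OpenSSH's scp code, and not from the original page) that models the two client-side checks in plain Python: the pre-8.0 check, which only rejects traversal names, and the 8.0 check, which additionally requires every top-level name announced by the server to match one of the requested patterns, with the "-T" switch turning that second check off. The ScpRequest class, the function names, and the scenario with the requested "*.txt" files are assumptions of this example; fnmatchcase() stands in for fnmatch(3).

```python
import fnmatch
from dataclasses import dataclass
from typing import List


@dataclass
class ScpRequest:
    """What the client asked for (a constructed model, not OpenSSH's data structures)."""
    patterns: List[str]             # names/globs from the command line, e.g. ["*.txt"]
    recursive: bool = False         # scp -r: the server also announces directories
    skip_name_check: bool = False   # scp -T (8.0): turn the new client-side check off


def legacy_name_ok(name: str) -> bool:
    """The pre-8.0 client check: reject only empty names, names containing '/',
    and the '.' / '..' entries, i.e. only directory traversal is blocked."""
    return bool(name) and "/" not in name and name not in (".", "..")


def name_matches_request(name: str, patterns: List[str]) -> bool:
    """The 8.0 check: an announced name must match at least one requested
    pattern. Brace expansion of the requested arguments is assumed done already."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def accept_incoming(req: ScpRequest, kind: str, name: str, depth: int = 0) -> bool:
    """Decide whether the client writes an object the server announced.
    kind is 'file' or 'dir'; depth 0 is a top-level object, depth > 0 an entry
    inside a directory the client already accepted (there the server
    legitimately chooses the names, so only the legacy check applies)."""
    if not legacy_name_ok(name):
        return False
    if kind == "dir" and not req.recursive:
        return False
    if req.skip_name_check or depth > 0:
        return True
    return name_matches_request(name, req.patterns)


def main() -> None:
    # Constructed scenario from the article: the user requests host:*.txt and a
    # malicious server announces .bash_aliases in place of a .txt file.
    req = ScpRequest(patterns=["*.txt"])
    for announced in ("notes.txt", ".bash_aliases", "../.profile"):
        print(f"{announced:15} legacy={legacy_name_ok(announced)!s:5} "
              f"8.0={accept_incoming(req, 'file', announced)}")


if __name__ == "__main__":
    main()
```

Two things the model makes visible. First, the legacy check happily accepts ".bash_aliases" because it is a plain file name with no "/" in it; only the comparison against the requested pattern catches it, and with -r the same comparison is what stops a top-level ".ssh" directory from being created when "project" was asked for. Second, the check is only as strict as the pattern: fnmatch-style "*" also matches a leading dot, so a request for "*" still lets the server pick dotfile names, and a pattern that the server's shell expands differently from the client's fnmatch is exactly the mismatch the "-T" option exists for. That residual weakness is why the article points to sftp and rsync rather than to the patched scp.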

Source: opennet.ru
