After three months of development
The new release adds protection against an scp attack that allows the server to pass other file names than those requested (in contrast to
When connecting to a server controlled by an attacker, this behaviour can be used to store other file names and other content in the user's file system when copying with scp in configurations that lead to a failure when calling utimes (for example, when utimes is prohibited by an SELinux policy or a system call filter). The likelihood of a real attack is estimated to be low, since in typical configurations the utimes call does not fail. In addition, the attack does not go unnoticed: when scp is called, a data transfer error is displayed.
General changes:
- In sftp, processing of the "-1" argument has been stopped, as in ssh and scp; the argument was previously accepted but ignored;
- In sshd, IgnoreRhosts now has three options: "yes" - ignore rhosts/shosts, "no" - respect rhosts/shosts, and "shosts-only" - allow ".shosts" but disable ".rhosts";
- ssh now supports %TOKEN expansion in the LocalForward and RemoteForward settings used to redirect Unix sockets;
- Public keys can be loaded from an unencrypted file containing a private key if there is no separate file with the public key;
- If libcrypto is available on the system, ssh and sshd now use the chacha20 implementation from this library instead of the built-in portable implementation, which lags behind in performance;
- Added the ability to dump the contents of a binary list of revoked certificates when executing the command "ssh-keygen -lQf /path";
- The portable version implements detection of systems in which signals with the SA_RESTART option interrupt the operation of select;
- Resolved build problems on HP/UX and AIX systems;
- Fixed problems with building the seccomp sandbox on some Linux configurations;
- Improved detection of the libfido2 library and resolved build issues with the "--with-security-key-builtin" option.
The OpenSSH developers also warned again about the upcoming deprecation of algorithms that use SHA-1 hashes due to
To smooth the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Since the last release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list that defines the algorithms allowed to sign new certificates, because using SHA-1 in certificates poses an additional risk: the attacker has unlimited time to search for a collision for an existing certificate, while the time available for an attack on host keys is limited by the connection timeout (LoginGraceTime).
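To find configurations that still opt in to the SHA-1 based "ssh-rsa" signature algorithm discussed above, the following added example (not code from OpenSSH or from the original article) audits the global section of an ssh_config or sshd_config text. The keyword list and the sample configuration are assumptions chosen for illustration.

```python
import fnmatch

# Signature algorithms that hash with SHA-1 (the page names "ssh-rsa").
SHA1_SIG_ALGS = ("ssh-rsa", "ssh-rsa-cert-v01@openssh.com")
# Directives that take a signature-algorithm list (assumed keyword set).
ALG_KEYWORDS = {"hostkeyalgorithms", "pubkeyacceptedkeytypes",
                "hostbasedacceptedkeytypes", "casignaturealgorithms"}

def audit(config_text):
    """Return (line_no, keyword, sha1_algs) for each effective directive
    that explicitly enables a SHA-1 signature algorithm."""
    findings, seen = [], set()
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword in ("match", "host"):
            break  # assumption: only the global section is audited
        if keyword not in ALG_KEYWORDS or len(parts) < 2 or keyword in seen:
            continue  # the first value obtained for a keyword wins
        seen.add(keyword)
        value = parts[1].strip().strip('"')
        if value.startswith("-"):
            continue  # removal list: can only shrink the default set
        # "+" appends to the defaults, "^" prepends, no prefix replaces them.
        patterns = value.lstrip("+^").split(",")
        hits = [a for a in SHA1_SIG_ALGS
                if any(fnmatch.fnmatchcase(a, p.strip()) for p in patterns)]
        if hits:
            findings.append((line_no, parts[0], hits))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# legacy compatibility
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-ed25519
CASignatureAlgorithms ssh-ed25519,ssh-rsa
CASignatureAlgorithms ssh-ed25519
HostbasedAcceptedKeyTypes -ssh-rsa*
"""

if __name__ == "__main__":
    for line_no, keyword, algs in audit(SAMPLE):
        print(f"line {line_no}: {keyword} enables {', '.join(algs)}")
```

An empty result only means the file does not opt in explicitly; whether "ssh-rsa" is still active then depends on the defaults of the installed OpenSSH build.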
Source: opennet.ru