OpenSSH 8.3 released with a fix for the scp vulnerability

After three months of development, OpenSSH 8.3 has been released, an open client and server implementation for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an scp attack that lets the server hand over file names other than those requested (unlike the earlier vulnerability, this attack does not make it possible to change the directory chosen by the user or the glob mask). Recall that in SCP the server decides which files and directories it sends to the client, and the client only checks that the names of the returned objects are correct. The essence of the identified problem is that if the utimes system call fails, file contents are interpreted as file metadata.

When connecting to a server controlled by an attacker, this behaviour can be used to write other file names and other content into the user's file system during an scp download, in configurations where the utimes call fails (for example, when utimes is blocked by an SELinux policy or a system call filter). The likelihood of real attacks is estimated as minimal, since in typical configurations the call does not fail. In addition, the attack is not invisible: when scp is run, a data transfer error is displayed.

General changes:

  • In sftp, forwarding of the "-1" argument has been stopped, matching ssh and scp, where it was previously accepted but ignored;
  • In sshd, IgnoreRhosts now has three possible values: "yes" - ignore rhosts/shosts, "no" - honour rhosts/shosts, and "shosts-only" - allow ".shosts" but disallow ".rhosts";
  • ssh now supports %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
  • The public key can now be loaded from an unencrypted private key file if there is no separate public key file;
  • If libcrypto is available on the system, ssh and sshd now use the chacha20 implementation from that library instead of the built-in portable implementation, which lags behind in performance;
  • Added the ability to dump the contents of a binary revoked-certificate list by running "ssh-keygen -lQf /path";
  • The portable version now uses the system definitions on platforms where a signal handler with the SA_RESTART option interrupts select;
  • Fixed build problems on HP/UX and AIX systems;
  • Fixed problems building the seccomp sandbox in some Linux configurations;
  • Improved detection of the libfido2 library and fixed build issues with the "--with-security-key-builtin" option.

The OpenSSH developers also warned again about the upcoming deprecation of algorithms that use SHA-1 hashes, owing to the increased practicality of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widespread in practice (to test whether your systems depend on ssh-rsa, try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).

To smooth the transition to the new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The recommended algorithms for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5), and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

Since the previous release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed to sign new certificates, because using SHA-1 in certificates poses an additional risk: an attacker has unlimited time to search for a collision against an existing certificate, whereas an attack on host keys is bounded by the connection timeout (LoginGraceTime).

Source: opennet.ru
