After three months of development, a new release of OpenSSH, an open client and server implementation of the SSH 2.0 and SFTP protocols, has been published.
The new release adds protection against an scp attack that lets the server return files under names other than those requested (the attack does not, however, allow the directory chosen by the user or the glob mask to be changed). Recall that in SCP the server decides which files and directories it sends to the client, and the client only checks that the names of the returned objects are correct. The core of the identified problem is that if the utimes system call fails, file contents are interpreted as file metadata.
When connecting to a server controlled by an attacker, this behaviour can be used to write other file names and other contents into the user's file system when copying with scp in a configuration where the utimes call fails (for example, when utimes is blocked by an SELinux policy or a system call filter). The likelihood of real attacks is considered minimal, since in typical configurations the utimes call does not fail. In addition, the attack is not silent: when scp is invoked, a data transfer error is displayed.
General changes:
- In sftp, the "-1" argument is no longer accepted, matching ssh and scp; previously it was accepted but ignored;
- In sshd, the IgnoreRhosts setting now has three possible values: "yes" ignores .rhosts/.shosts, "no" honours .rhosts/.shosts, and "shosts-only" allows ".shosts" but disables ".rhosts";
- ssh now supports %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
- Public keys can now be loaded from an unencrypted private key file if no separate public key file exists;
- If libcrypto is available on the system, ssh and sshd now use that library's chacha20 implementation instead of the built-in portable implementation, which lags behind in performance;
- The contents of a binary list of revoked certificates can now be dumped by running "ssh-keygen -lQf /path";
- The portable version now accounts for systems on which a signal delivered with the SA_RESTART option interrupts select;
- Fixed build problems on HP/UX and AIX systems;
- Fixed problems building the seccomp sandbox in some Linux configurations;
- Improved detection of the libfido2 library and fixed build problems with the "--with-security-key-builtin" option.
The OpenSSH developers also warned about the upcoming deprecation of algorithms that use SHA-1 hashes, because of the effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widespread in practice (to test whether your systems use ssh-rsa, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).
To smooth the transition to new algorithms in OpenSSH, the UpdateHostKeys setting will be enabled by default in a future release, which will automatically migrate clients to more reliable algorithms. The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Since the previous release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed to sign new certificates, because using SHA-1 in certificates carries additional risk: an attacker has unlimited time to search for a collision against an existing certificate, whereas the time available for an attack on host keys is bounded by the connection timeout (LoginGraceTime).
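As an added example (not code from the article or from OpenSSH), a small Python audit of a client's known_hosts file, the file UpdateHostKeys rewrites when it migrates host keys: it lists the hosts for which only an RSA host key has been recorded, i.e. the hosts worth trying the "-oHostKeyAlgorithms=-ssh-rsa" check above against. The sample entries and their key blobs are constructed placeholders, and an RSA key in known_hosts does not by itself mean the SHA-1 based ssh-rsa signature is in use, since a server supporting rsa-sha2-256/512 signs with the same key.

```python
"""Audit a known_hosts file for hosts whose only recorded host key is RSA.

Added example, not OpenSSH code. Format of a key line (see sshd(8)):
    [@marker] host1,host2 keytype base64-key [comment]
"""
from collections import defaultdict

# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line
legacy.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2E-constructed legacy box
modern.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed
modern.example.com ssh-rsa AAAAB3NzaC1yc2E-constructed
|1|c2FsdA==|aGFzaA== ecdsa-sha2-nistp256 AAAAE2VjZHNh-constructed
@cert-authority *.corp.example.com ssh-rsa AAAAB3NzaC1yc2E-constructed ca
@revoked old.example.com ssh-rsa AAAAB3NzaC1yc2E-constructed
"""

def parse_known_hosts(text):
    """Yield (marker, [host patterns], keytype); skips blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed: hosts, key type and key are all required
        yield marker, fields[0].split(","), fields[1]

def key_types_by_host(text):
    """Map each plain host entry (hashed names stay opaque) to its key types.

    Marked lines are skipped: @revoked keys are never accepted, and
    @cert-authority lines describe a CA pattern, not a host's own key.
    """
    types = defaultdict(set)
    for marker, hosts, keytype in parse_known_hosts(text):
        if marker is not None:
            continue
        for host in hosts:
            types[host].add(keytype)
    return dict(types)

def rsa_only_hosts(text):
    """Hosts for which no host key other than an RSA one is known."""
    return sorted(h for h, t in key_types_by_host(text).items() if t == {"ssh-rsa"})

if __name__ == "__main__":
    for host in rsa_only_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"{host}: only an RSA host key known; check with "
              f"ssh -oHostKeyAlgorithms=-ssh-rsa {host}")
```

Point the script at your own ~/.ssh/known_hosts contents instead of the sample to get the list of hosts to verify.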
Source: opennet.ru
