After five months of development, OpenSSH 8.5 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.
The OpenSSH developers have reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 50 thousand dollars). In one of the upcoming releases, they plan to disable by default the ability to use the "ssh-rsa" digital signature key algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice.
To test whether ssh-rsa is still in use on your systems, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean completely abandoning the use of RSA keys, since in addition to SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, besides "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.
To smooth the transition to the new algorithms, OpenSSH 8.5 enables the UpdateHostKeys setting by default, which allows clients to switch automatically to more reliable algorithms. With this setting, a special protocol extension "[email protected]" is enabled, allowing the server, after authentication, to inform the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to change keys on the server.
The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be referenced in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; host key certificates must not be used; hostname masks must not be used in known_hosts; the VerifyHostKeyDNS setting must be disabled; the UserKnownHostsFile parameter must be active.
Recommended algorithms for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).
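As an added example (not code from OpenSSH or from the article), the following POSIX shell function audits a known_hosts file for the points discussed above: RSA host keys that should be re-tested with the "-oHostKeyAlgorithms=-ssh-rsa" option, and entries (host key certificates, wildcard host patterns, the same key stored under several names) that prevent UpdateHostKeys from taking effect. The sample file at the bottom is constructed and its key blobs are placeholders.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project or the article): audit a
# known_hosts file for the conditions the release notes call out.
# Findings: RSA host keys to re-test with -oHostKeyAlgorithms=-ssh-rsa,
# @cert-authority markers, wildcard host patterns, and the same key
# stored under more than one name (all of which affect UpdateHostKeys).
# Prints one finding per line; the exit status is the number of findings.
audit_known_hosts() {
    awk '
    $0 ~ /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    {
        i = 1; marker = ""
        if ($1 ~ /^@/) { marker = $1; i = 2 } # optional leading @cert-authority marker
        host = $i; type = $(i + 1); blob = $(i + 2)
        if (marker == "@cert-authority") {
            printf "line %d: %s uses a host key certificate\n", NR, host; n++
        }
        if (host ~ /[*?]/) {
            printf "line %d: wildcard host pattern %s\n", NR, host; n++
        }
        if (type == "ssh-rsa") {
            printf "line %d: %s has an RSA key; confirm it signs with rsa-sha2-256/512\n", NR, host; n++
        }
        if (blob in seen) {
            printf "line %d: same key already stored under %s\n", NR, seen[blob]; n++
        } else {
            seen[blob] = host
        }
    }
    END { exit n + 0 }
    ' "$1"
}

# Constructed demo input (not a real known_hosts file); expect 4 findings.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample
host1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne
host2.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedRsa
alias.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne
*.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYConstructed
@cert-authority ca.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAConstructed
EOF
audit_known_hosts "$demo_file" || echo "findings: $?"
rm -f "$demo_file"
```

Run it against ~/.ssh/known_hosts; an RSA finding does not by itself mean the host is broken, only that the connection should be re-tested once ssh-rsa signatures are disabled.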
Other changes:
- Security changes:
- A vulnerability caused by freeing an already freed memory region (double-free) has been fixed in ssh-agent. The issue has been present since the OpenSSH 8.2 release and can be exploited if an attacker has access to the ssh-agent socket on the local system. What makes exploitation harder is that only root and the original user have access to the socket. The most likely attack scenario is an agent forwarded to an account controlled by the attacker, or to a host where the attacker has root access.
- sshd has added protection against passing excessively large parameters together with the username to the PAM subsystem, which helps block vulnerabilities in PAM (Pluggable Authentication Module) system modules. For example, the change prevents sshd from being used as a vector to exploit the recently discovered root vulnerability in Solaris (CVE-2020-14871).
- Changes that may break compatibility:
- In ssh and sshd, the experimental key exchange method resistant to brute-force attacks on quantum computers has been redesigned. Quantum computers are much faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and the X25519 elliptic curve key exchange method. Instead of [email protected], the method is now identified as [email protected] (the sntrup4591761 algorithm has been replaced by sntrup761).
- In ssh and sshd, the order in which supported digital signature algorithms are announced has changed. ED25519 is now offered first instead of ECDSA.
- In ssh and sshd, the TOS/DSCP quality-of-service parameters for interactive sessions are now set before the TCP connection is established.
- Support for the [email protected] cipher, which is identical to aes256-cbc and was used before RFC 4253 was adopted, has been discontinued in ssh and sshd.
- The CheckHostIP parameter is now disabled by default; its benefit is negligible, but its use significantly complicates key rotation for hosts behind load balancers.
- The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate of handshake initiation based on the client address. These parameters allow finer control of the connection-initiation limit than the general MaxStartups setting.
- A new LogVerbose setting has been added to ssh and sshd, which allows the level of debug information written to the log to be raised forcibly, with the ability to filter by templates, functions and files.
- In ssh, when accepting a new host key, all host names and IP addresses associated with the key are displayed.
- ssh allows the UserKnownHostsFile=none option to disable the use of the known_hosts file when identifying host keys.
- The KnownHostsCommand setting has been added to ssh_config for ssh, which allows known_hosts data to be obtained from the output of the specified command.
- The PermitRemoteOpen option has been added to ssh_config for ssh, allowing the destination to be restricted when using the RemoteForward option with SOCKS.
- In ssh, for FIDO keys, a repeated PIN request is now issued if a digital signature fails due to an incorrect PIN while the user was not prompted for the PIN (for example, when correct biometric data could not be obtained and the device fell back to manual PIN entry).
- sshd has added support for additional system calls to the seccomp-bpf-based process isolation mechanism on Linux.
- The contrib/ssh-copy-id utility has been updated.
Source: opennet.ru