ProHoster > Ibhulogi > iindaba ze-intanethi > Ukukhutshwa kwe-OpenSSH 8.5

Ukukhutshwa kwe-OpenSSH 8.5

Emva kweenyanga ezintlanu zophuhliso, ukukhutshwa kwe-OpenSSH 8.5, ukuphunyezwa okuvulekileyo komxhasi kunye neseva yokusebenza ngaphezulu kwe-SSH 2.0 kunye ne-SFTP protocol, ibonisiwe.

Abaphuhlisi be-OpenSSH basikhumbuza ngokupheliswa okuzayo kwe-algorithms kusetyenziswa i-SHA-1 hashes ngenxa yokwanda kokusebenza kohlaselo longquzulwano kunye nesimaphambili esinikiweyo (ixabiso lokukhetha ungquzulwano liqikelelwa malunga ne-50 yeedola lamawaka). Kolunye lokukhutshwa okuzayo, baceba ukukhubaza ngokungagqibekanga amandla okusebenzisa i-algorithm yesitshixo sotyikityo lwedijithali "ssh-rsa", ekhankanywe kwi-RFC yasekuqaleni ye-SSH protocol kwaye ihlala ixhaphakile ekusebenzeni.

Ukuvavanya ukusetyenziswa kwe-ssh-rsa kwiinkqubo zakho, ungazama ukudibanisa nge-ssh kunye "-oHostKeyAlgorithms=-ssh-rsa" ukhetho. Ngelo xesha, ukukhubaza "ssh-rsa" iisignesha zedijithali ngokungagqibekanga akuthethi ukulahlwa ngokupheleleyo kokusetyenziswa kwezitshixo ze-RSA, ekubeni ukongeza kwi-SHA-1, i-protocol ye-SSH ivumela ukusetyenziswa kwezinye i-algorithms yokubala i-hash. Ngokukodwa, ukongeza kwi "ssh-rsa", kuya kuhlala kunokwenzeka ukusebenzisa "i-rsa-sha2-256" (RSA / SHA256) kunye ne "rsa-sha2-512" (RSA / SHA512) iinyanda.

Ukugudisa utshintsho kwii-algorithms ezintsha, i-OpenSSH 8.5 ine-UpdateHostKeys isethingi eyenziwe ngokuzenzekelayo, evumela abathengi ukuba batshintshe ngokuzenzekelayo kwii-algorithms ezithembekileyo. Usebenzisa olu cwangciso, ulwandiso olukhethekileyo lweprothokholi luvuliwe "[imeyile ikhuselwe]", ivumela umncedisi, emva kokuqinisekiswa, ukwazisa umxhasi malunga nawo onke amaqhosha akhoyo akhoyo. Umxhasi angabonisa ezi zitshixo kwifayile yayo ~/.ssh/known_hosts, evumela ukuba izitshixo zenginginya zihlaziywe kwaye ikwenza kube lula ukutshintsha izitshixo kumncedisi.

Ukusetyenziswa kwe-UpdateHostKeys kukhawulelwe ngamagqabantshintshi amaninzi anokususwa kwixesha elizayo: isitshixo kufuneka sibhekiswe kwi-UserKnownHostsFile kwaye ingasetyenziswa kwi-GlobalKnownHostsFile; isitshixo kufuneka sibekho phantsi kwegama elinye kuphela; isiqinisekiso sesitshixo somkhosi akufuneki sisetyenziswe; kwezaziwa_iinginginya iimaski ngegama lenginginya akufuneki zisetyenziswe; iVerifyHostKeyDNS isicwangciso kufuneka ivaliwe; UmsebenzisiKnownHostsFile iparamitha kufuneka isebenze.

Ii-algorithms ezicetyiswayo zokufuduka ziquka i-rsa-sha2-256/512 esekwe kwi-RFC8332 RSA SHA-2 (ixhaswe ukususela kwi-OpenSSH 7.2 kwaye isetyenziswe ngokungagqibekanga), ssh-ed25519 (ixhaswe ukususela kwi-OpenSSH 6.5) kunye ne-ecdsa-sha2-nistp256/384 esekelwe kwi-ecdsa-sha521-nistp5656/5.7 kwi-RFCXNUMX ECDSA (ixhaswe ukususela kwi-OpenSSH XNUMX).

Olunye utshintsho:

  • Utshintsho lokhuseleko:
    • Ukuba sesichengeni okubangelwa kukukhulula kwakhona indawo yememori esele ikhululwe (i-double-free) ilungisiwe kwi-ssh-agent. Umcimbi ubukhona ukususela ekukhutshweni kwe-OpenSSH 8.2 kwaye inokuthi isetyenziswe ukuba umhlaseli unokufikelela kwi-ssh-agent socket kwinkqubo yendawo. Yintoni eyenza ukuxhaphaza kube nzima kukuba yingcambu kuphela kunye nomsebenzisi wokuqala onokufikelela kwisokethi. Esona siganeko sinokwenzeka sohlaselo kukuba i-arhente iphinda iqondiswe kwi-akhawunti elawulwa ngumhlaseli, okanye kumamkeli apho umhlaseli anofikelelo lweengcambu.
    • I-sshd yongeze ukhuseleko ekugqithiseni iiparamitha ezinkulu kakhulu ngegama lomsebenzisi kwindlela esezantsi ye-PAM, ekuvumela ukuba uthintele ubuthathaka kwi-PAM (i-Pluggable Authentication Module) iimodyuli zenkqubo. Umzekelo, utshintsho lunqanda i-sshd ekubeni isetyenziswe njenge-vector ukuxhaphaza ubungozi obutsha bengcambu eSolaris (CVE-2020-14871).
  • Utshintsho olunokwaphula ukuhambelana:
    • Kwi-ssh kunye ne-sshd, indlela yokutshintshiselana yesitshixo yokuvavanya iphinde yayilwa ngokutsha ekwaziyo ukuxhathisa ukuqikelela kwikhompyuter ye-quantum. Iikhompyuter ze-quantum zikhawuleza kakhulu ekusombululeni ingxaki yokubola inani lendalo kwizinto eziphambili, eziphantsi kwe-algorithms ye-asymmetric encryption yanamhlanje kwaye ayinakusonjululwa ngempumelelo kwiiprosesa zeklasiki. Indlela esetyenziswayo isekelwe kwi-algorithm ye-NTRU Prime, ephuhliswe kwi-post-quantum cryptosystems, kunye ne-X25519 elliptic curve key exchange method. Ngaphandle kwe [imeyile ikhuselwe] indlela ngoku ichongiwe njenge [imeyile ikhuselwe] (i-sntrup4591761 algorithm ithathelwe indawo yi-sntrup761).
    • Kwi-ssh kunye ne-sshd, ulandelelwano apho i-algorithms yesignesha yedijithali exhaswayo ibhengezwe itshintshiwe. I-ED25519 ngoku inikezelwa kuqala endaweni ye-ECDSA.
    • Kwi-ssh kunye ne-sshd, ukuseta umgangatho we-TOS/DSCP weenkonzo zeeparamitha zeeseshoni ezisebenzisanayo ngoku zenziwa ngaphambi kokuseka uxhulumaniso lwe-TCP.
    • Inkxaso ye-cipher iyekisiwe kwi-ssh kunye ne-sshd [imeyile ikhuselwe], efana ne-aes256-cbc kwaye yasetyenziswa ngaphambi kokuba i-RFC-4253 yamkelwe.
    • Ngokungagqibekanga, iparamitha ye-CheckHostIP ikhutshaziwe, inzuzo yayo ayinanto, kodwa ukusetyenziswa kwayo kudibanisa kakhulu ukujikeleza okubalulekileyo kwimikhosi emva kokulinganisa umthwalo.
  • I-PerSourceMaxStartups kunye ne-PerSourceNetBlockSize izicwangciso zongezwe kwi-sshd ukunciphisa ubunzulu bokusungula abaphangi ngokusekelwe kwidilesi yomxhasi. Ezi parameters zikuvumela ukuba ulawule ngokugqibeleleyo umda ekusungulweni kwenkqubo, xa kuthelekiswa nesicwangciso ngokubanzi seMaxStartups.
  • Isethingi entsha ye-LogVerbose yongezwe kwi-ssh kunye ne-sshd, ekuvumela ukuba uphakamise ngamandla inqanaba leenkcukacha zokulungiswa kweempazamo ezilahlwe kwilogi, kunye nokukwazi ukucoca ngeetemplates, imisebenzi kunye neefayile.
  • Kwi-ssh, xa wamkela iqhosha elitsha lomamkeli, onke amagama abamkeli kunye needilesi ze-IP ezinxulumene nesitshixo ziyaboniswa.
  • ssh ivumela i-UserKnownHostsFile=akukho nanye inketho yokuvala ukusetyenziswa kwefayile eyaziwayo yenginginya xa uchonga izitshixo zomamkeli.
  • Isetingi ye- KnownHostsCommand yongezwe kwi-ssh_config ye-ssh, ikuvumela ukuba ufumane idata eyaziwayo yehosts kwimveliso yomyalelo ochaziweyo.
  • Yongeza iPermitRemoteOpen ukhetho kwi-ssh_config ye-ssh ukuvumela ukuba uthintele indawo ekuyiwa kuyo xa usebenzisa iRemoteForward ukhetho ngeSOCKS.
  • Kwi-ssh yezitshixo ze-FIDO, isicelo se-PIN esiphinda-phindwayo siyanikezelwa kwimeko yokungaphumeleli kotyikityo lwedijithali ngenxa ye-PIN engachanekanga kunye nomsebenzisi engakhange axelelwe i-PIN (umzekelo, xa idatha yebhayometriki echanekileyo ingafunyanwa kwaye isixhobo siwe ngasemva kwi-PIN yesandla).
  • I-sshd yongeza inkxaso yenkqubo eyongezelelweyo yokufowuna kwi-seccomp-bpf-based based process yokuzahlula indlela kwiLinux.
  • I-contrib/ssh-copy-id eluncedo ihlaziyiwe.

umthombo: opennet.ru

Yongeza izimvo