Emva kweenyanga ezintandathu zophuhliso, ukukhutshwa kwe-OpenSSH 8.9, umxhasi ovulekileyo kunye nokuphunyezwa kweseva yokusebenza ngaphezulu kwe-SSH 2.0 kunye ne-SFTP protocol, yaboniswa. Uguqulelo olutsha lwe-sshd lulungisa ubuthathaka obunokuvumela ufikelelo olungagunyaziswanga. Umba ubangelwa kukuphuphuma kwenani elipheleleyo kwikhowudi yoqinisekiso, kodwa ingasetyenziswa kuphela ngokudibanisa nezinye iimpazamo ezisengqiqweni kwikhowudi.
Kwimeko yalo yangoku, ubuthathaka abunakusetyenziswa xa imo yokwahlulwa kwelungelo yenziwe, ekubeni ukubonakaliswa kwayo kuvaliwe ngokuhlolwa okuhlukeneyo okwenziwa kwikhowudi yokulandelela ukwahlula ilungelo. Imo yokwahlulwa kwamalungelo yenziwe yasebenza ngokungagqibekanga ukusukela ngo-2002 ukusukela kwi-OpenSSH 3.2.2, kwaye ibisisinyanzelo okoko kwakhutshwa i-OpenSSH 7.5 epapashwe ngo-2017. Ukongeza, kwiinguqulelo eziphathwayo ze-OpenSSH eziqala ngokukhululwa kwe-6.5 (2014), ubuthathaka buvalwe ngokudibanisa kunye nokufakwa kweeflegi ezipheleleyo zokukhusela ukuphuphuma.
Olunye utshintsho:
- Uguqulelo oluphathekayo lwe-OpenSSH kwi-sshd lususe inkxaso yemveli yee-passwords ze-hashing usebenzisa i-algorithm ye-MD5 (ivumela ukudibanisa namathala eencwadi angaphandle afana ne-libxcrypt ukubuya).
- ssh, sshd, ssh-yongeza, kunye ne-ssh-arhente ziphumeza inkqubo esezantsi yokuthintela ugqithiso nokusetyenziswa kwezitshixo ezongeziweyo kwi-arhente ye-ssh. Inkqubo esezantsi ikuvumela ukuba umisele imithetho emisela ukuba izitshixo zingasetyenziswa njani kwaye phi kwi-ssh-arhente. Umzekelo, ukongeza isitshixo esinokusetyenziswa kuphela ukuqinisekisa nawuphi na umsebenzisi oqhagamshela kumamkeli scylla.example.org, umsebenzisi perseus kumamkeli cetus.example.org, kunye nomsebenzisi medea kumamkeli charybdis.example.org nokwalathiswa ngokutsha ngenginginya ephakathi scylla.example.org, ungasebenzisa lo myalelo ulandelayo: $ ssh-add -h "[imeyile ikhuselwe]» \ -h «scylla.example.org» \ -h «scylla.example.org>[imeyile ikhuselwe]» \ ~/.ssh/id_ed25519
- Kwi-ssh kunye ne-sshd, i-algorithm ye-hybridi yongezwa ngokungagqibekanga kuluhlu lwe-KexAlgorithms, olumisela umyalelo apho iindlela zokutshintshiselana eziphambili zikhethiweyo.[imeyile ikhuselwe]"(ECDH/x25519 + NTRU Prime), ukumelana nokukhethwa kwiikhompyuter zequantum. Kwi-OpenSSH 8.9, le ndlela yokuxoxisana yongezwa phakathi kwe-ECDH kunye neendlela ze-DH, kodwa icwangciswe ukuba yenziwe ngokuzenzekelayo ekukhululweni okulandelayo.
- I-ssh-keygen, i-ssh, kunye ne-ssh-arhente baye baphucula ukuphathwa kwezitshixo ze-token ze-FIDO ezisetyenziselwa ukuqinisekiswa kwesixhobo, kubandakanywa nezitshixo zokuqinisekiswa kwe-biometric.
- Kongezwe "ssh-keygen -Y match-principals" umyalelo kwi-ssh-keygen ukujonga amagama omsebenzisi kwifayile evumelekileyo.
- I-ssh-yongeza kunye ne-ssh-arhente zinika isakhono sokongeza izitshixo ze-FIDO ezikhuselwe yikhowudi ye-PIN kwi-arhente ye-ssh (isicelo se-PIN siboniswa ngexesha lokuqinisekisa).
- I-ssh-keygen ivumela ukhetho lwe-algorithm ye-hashing (sha512 okanye i-sha256) ngexesha lokuvelisa utyikityo.
- Kwi-ssh kunye ne-sshd, ukuphucula ukusebenza, idatha yenethiwekhi ifundwa ngokuthe ngqo kwi-buffer yeepakethi ezingenayo, ngokudlula i-intermediate buffering kwi-stack. Ukubekwa ngokuthe ngqo kwedatha efunyenweyo kwisithinteli setshaneli kuphunyezwa ngendlela efanayo.
- Kwi-ssh, umyalelo woQinisekiso wePubkey wandise uluhlu lweparameters ezixhasiweyo (ewe|hayi|unbound|inginginya-ibotshelelwe) ukunika ukukwazi ukukhetha ulwandiso lomthetho olusetyenziswayo.
Ekukhutshweni kwexesha elizayo, siceba ukutshintsha i-default ye-scp utility ukusebenzisa i-SFTP endaweni ye-protocol ye-SCP/RCP yelifa. I-SFTP isebenzisa iindlela zokuphatha amagama aqikelelwayo ngakumbi kwaye ayisebenzisi ukusetyenzwa kweqokobhe leepateni zeglobhu kumagama efayile kwelinye icala lomamkeli, nto leyo edala iingxaki zokhuseleko. Ngokukodwa, xa usebenzisa i-SCP kunye ne-RCP, umncedisi uthatha isigqibo sokuba zeziphi iifayile kunye nabalawuli abaza kuthumela kumxhasi, kwaye umxhasi ujonga kuphela ukuchaneka kwamagama ezinto ezibuyisiweyo, apho, ngokungabikho kokuhlolwa okufanelekileyo kwicala lomxhasi, ivumela umncedisi ukuhambisa amanye amagama efayile ahlukileyo kulawo aceliweyo. Iprotocol yeSFTP ayinazo ezi ngxaki, kodwa ayikuxhasi ukwandiswa kweendlela ezikhethekileyo ezifana ne "~/". Ukulungisa lo mahluko, ukhupho lwangaphambili lwe-OpenSSH lwazisa ulwandiso lweprotocol yeSFTP entsha kwi ~/ kunye ne ~umsebenzisi/ iindlela ekuphunyezweni komncedisi we SFTP.
umthombo: opennet.ru