OpenSSH 9.6 released with vulnerability fixes

OpenSSH 9.6 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. The new version fixes three security issues:

  • A vulnerability in the SSH protocol (CVE-2023-48795, the "Terrapin" attack) that allows a MITM attacker to roll back the connection to less secure authentication algorithms and to disable protection against side-channel attacks that reconstruct input by analysing the timing between keystrokes. The attack method is described in a separate news article.
  • A vulnerability in the ssh utility that allows arbitrary shell commands to be substituted by manipulating login and host values that contain special characters. The vulnerability can be exploited if an attacker controls the login and hostname values passed to ssh, the ProxyCommand and LocalCommand directives, or "match exec" blocks that contain wildcard characters such as %u and %h. For example, an incorrect login and host could be substituted on systems that use Git submodules, because Git does not prevent special characters from being specified in host and user names. A similar vulnerability also exists in libssh.
  • There was a bug in ssh-agent where, when adding PKCS#11 private keys, constraints were applied only to the first key returned by the PKCS#11 token. The issue does not affect ordinary private keys, FIDO tokens, or unconstrained keys.
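The second fix rejects host and user names that would be interpreted by the shell once %h or %u is expanded into a ProxyCommand. The following added example, not OpenSSH's own code, shows how tooling that builds ssh command lines from untrusted input (such as submodule URLs) can apply the same kind of pre-flight check; the character rules are my approximation, not the exact validator in OpenSSH 9.6.

```python
"""Pre-flight validation of hostnames and usernames before invoking ssh.

Added example (not OpenSSH's own code). Mirrors the idea behind the
OpenSSH 9.6 hardening: refuse values that a shell would interpret when
substituted into ProxyCommand/LocalCommand via %h or %u.
"""
import re

# Assumption: a hostname is a DNS name or an IPv6 literal (optionally
# bracketed). Anything else is rejected outright.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$|^\[?[0-9A-Fa-f:.]+\]?$")

# Characters a POSIX shell would act on inside an expanded command string.
_SHELL_META = set("'`\";&<>|(){}$\\\n\r")


def valid_hostname(host: str) -> bool:
    """Reject names that cannot be a real host or that start with '-',
    which ssh would otherwise parse as a command-line option."""
    if not host or host.startswith("-"):
        return False
    return _HOST_RE.match(host) is not None


def valid_username(user: str) -> bool:
    """Usernames are more permissive than hostnames, so deny-list the
    shell metacharacters and whitespace instead of using a strict pattern."""
    if not user or user.startswith("-"):
        return False
    if any(ch in _SHELL_META or ch.isspace() for ch in user):
        return False
    return True


def build_ssh_argv(user: str, host: str) -> list[str]:
    """Return an argv list for ssh (no shell involved), or raise on bad input."""
    if not valid_username(user):
        raise ValueError(f"refusing unsafe username: {user!r}")
    if not valid_hostname(host):
        raise ValueError(f"refusing unsafe hostname: {host!r}")
    # '--' ends option parsing (getopt convention), so a value can never
    # be taken as an ssh flag even if the check above is loosened later.
    return ["ssh", "-l", user, "--", host]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate pair, then values that
    # carry shell metacharacters or look like options.
    print(build_ssh_argv("git", "git.example.com"))
    for user, host in [("git", "host;other"), ("git", "-host"), ("`user`", "git.example.com")]:
        try:
            build_ssh_argv(user, host)
        except ValueError as exc:
            print(exc)
```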

Other changes:

  • Added a "%j" substitution to ssh, which expands to the hostname specified via the ProxyJump directive.
  • ssh gained support for setting ChannelTimeout on the client side, which can be used to terminate inactive channels.
  • Added support for reading ED25519 private keys in PEM PKCS8 format to ssh, sshd, ssh-add and ssh-keygen (previously only the OpenSSH format was supported).
  • A protocol extension was added to ssh and sshd to renegotiate the digital signature algorithms for public key authentication after the username has been received. For example, using the extension you can selectively apply other algorithms to particular users by specifying PubkeyAcceptedAlgorithms in a "Match user" block.
  • Added a protocol extension to ssh-add and ssh-agent for setting certificates when loading PKCS#11 keys, allowing certificates associated with PKCS#11 private keys to be used in all OpenSSH utilities that support ssh-agent, not just ssh.
  • Improved detection of unsupported or unstable compiler flags such as "-fzero-call-used-regs" in clang.
  • To restrict sshd process privileges, OpenSolaris builds that support the getpflags() interface now use the PRIV_XPOLICY mode instead of PRIV_LIMIT.

Source: opennet.ru