Vulnerability in the OpenSSH and PuTTY SSH clients

A vulnerability has been identified in the OpenSSH and PuTTY SSH clients (CVE-2020-14002 in PuTTY and CVE-2020-14145 in OpenSSH) that leads to an information leak in the connection negotiation algorithm. The vulnerability allows an attacker who is able to intercept client traffic (for example, when the user connects through a wireless access point controlled by the attacker) to detect a client's first attempt to connect to a host, when the client has not yet cached the host key.

Knowing that the client is connecting for the first time and does not yet have the host key on its side, the attacker can relay the connection through themselves (MITM) and present the client with their own host key, which the SSH client will treat as the key of the target host if the user does not verify the key fingerprint. In this way the attacker can mount a MITM without arousing the user's suspicion, while ignoring sessions in which the client side has already cached host keys, where an attempted substitution would trigger a warning about a changed host key. The attack relies on the carelessness of users who do not manually check the host key fingerprint on first connection. Those who check key fingerprints are protected from such attacks.

The indicator used to identify a first connection attempt is a change in the order in which the supported host key algorithms are listed. On a first connection the client sends the default list of algorithms, and if the host key is already in the cache, the algorithm associated with it is moved to first place (the algorithms are sorted in order of preference).

The problem appears in OpenSSH releases 5.7 through 8.3 and in PuTTY 0.68 through 0.73. It is fixed in the PuTTY 0.74 release by adding an option to disable dynamic construction of the host key algorithm list in favor of listing the algorithms in a constant order.

The OpenSSH project does not plan to change the SSH client's behavior, because if the algorithm of the existing key is not listed first, an attempt will be made to use an algorithm that does not match the cached key, and a warning about an unknown key will be displayed. That is, a choice arises: either an information leak (OpenSSH and PuTTY), or warnings about a changed key (Dropbear SSH) when the stored key does not match the first algorithm in the default list.

To provide protection, OpenSSH offers alternative ways of verifying the host key, using SSHFP records in DNSSEC and host certificates (PKI). You can also disable the adaptive selection of host key algorithms through the HostKeyAlgorithms option and use the UpdateHostKeys option to let the client obtain additional host keys after authentication.
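To confirm that a pinned HostKeyAlgorithms order is what a client really sends, the host key name-list can be read from its cleartext SSH_MSG_KEXINIT payload (RFC 4253) and compared with the configured order. The following is an added example, not code from OpenSSH, PuTTY or the original article; the baseline list, the function names and the sample packets are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 message number

# Constructed baseline: the fixed order the client is configured to offer.
# Not the default list of any particular OpenSSH or PuTTY release.
BASELINE = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512"]


def _name_list(buf, off):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII)."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def host_key_algorithms(payload):
    """Return server_host_key_algorithms from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # 1 byte message type + 16 byte cookie
    _kex, off = _name_list(payload, off)    # kex_algorithms comes first
    hostkeys, _ = _name_list(payload, off)  # then server_host_key_algorithms
    return hostkeys


def order_is_pinned(payload, baseline=BASELINE):
    """True when the client offered exactly the configured, constant order."""
    return host_key_algorithms(payload) == list(baseline)


def build_kexinit(hostkeys, kex=("curve25519-sha256",)):
    """Build a constructed KEXINIT prefix (sample input for this example)."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + nl(kex) + nl(hostkeys)


if __name__ == "__main__":
    fresh = build_kexinit(BASELINE)
    moved = build_kexinit(["rsa-sha2-512", "ssh-ed25519", "ecdsa-sha2-nistp256"])
    for label, pkt in (("fresh", fresh), ("cached key moved first", moved)):
        print(label, host_key_algorithms(pkt), "pinned:", order_is_pinned(pkt))
```

A client whose list differs between a host with a cached key and a host without one is still exposing its cache state; a pinned client returns the same list in both cases.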

Source: opennet.ru
