Emva kweenyanga ezine zophuhliso
Uphuculo oluphambili ekukhutshweni kwe-OpenSSH 8.2 yayikukukwazi ukusebenzisa ukuqinisekiswa kwezinto ezimbini usebenzisa izixhobo ezixhasa umthetho olandelwayo.
Ukusebenzisana nezixhobo eziqinisekisa ubukho bomsebenzisi, iintlobo ezintsha eziphambili ze-βecdsa-skβ kunye ne-βed25519-skβ ziye zongezwa kwi-OpenSSH, esebenzisa i-ECDSA kunye ne-Ed25519 digital signature algorithms, kudityaniswe ne-SHA-256 hash. Iinkqubo zokusebenzisana namathokheni zibekwe kwithala leencwadi eliphakathi, elilayishwe ngendlela efanayo kwithala leencwadi lenkxaso yePKCS#11 kwaye lilisonga phezu kwethala leencwadi.
Ukuqinisekisa kunye nokuvelisa isitshixo, kufuneka ucacise iparameter ye "SecurityKeyProvider" kwizicwangciso okanye usete i-SSH_SK_PROVIDER eguquguqukayo yendawo, ebonisa indlela eya kwilayibrari yangaphandle libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2. ngoko). Kuyenzeka ukuba wakhe i-openssh ngenkxaso eyakhelwe-ngaphakathi yethala leencwadi (--nge-security-key-builtin), kulo mzekelo kufuneka usete "SecurityKeyProvider=internal" ipharamitha.
Okulandelayo kufuneka usebenzise "ssh-keygen -t ecdsa-sk" okanye, ukuba izitshixo sele zenziwe kwaye ziqwalaselwe, qhagamshela kumncedisi usebenzisa "ssh". Xa uqhuba i-ssh-keygen, isibini sesitshixo esivelisiweyo siya kugcinwa kwi "~/.ssh/id_ecdsa_sk" kwaye ingasetyenziswa ngokufanayo kwamanye amaqhosha.
Isitshixo sikawonke-wonke (id_ecdsa_sk.pub) kufuneka sikhutshelwe kwiseva kwifayile egunyaziwe_yezitshixo. Kwicala lomncedisi, kuphela utyikityo lwedijithali luqinisekisiwe, kwaye intsebenziswano kunye namathokheni yenziwa kwicala lomxhasi (akuyomfuneko ukuba ufake i-libsk-libfido2 kumncedisi, kodwa umncedisi kufuneka axhase i-"ecdsa-sk" uhlobo lwesitshixo) . Isitshixo esiveliswayo sabucala (id_ecdsa_sk) sisibambo esibalulekileyo, esenza isitshixo sokwenyani kuphela ngokudityaniswa nolandelelwano oluyimfihlo olugcinwe kwicala lophawu lwe-U2F. Ukuba isitshixo se-id_ecdsa_sk siwela ezandleni zomhlaseli, ukudlula ukuqinisekiswa kuya kufuneka kwakhona ukuba afumane ukufikelela kwithokheni ye-hardware, ngaphandle kokuba isitshixo sangasese esigcinwe kwifayile ye-id_ecdsa_sk ayinamsebenzi.
Ukongeza, ngokungagqibekanga, xa usenza nayiphi na imisebenzi ngezitshixo (zombini ngexesha lesizukulwana nangexesha lokuqinisekisa), isiqinisekiso sendawo sobukho bomsebenzisi siyafuneka, umzekelo, kucetywa ukuba uchukumise inzwa kwithokheni, eyenza kube nzima ukwenza uhlaselo olukude kwiinkqubo ezinophawu oluxhunyiwe. Njengomnye umgca wokukhusela, igama lokugqitha lingachazwa ngexesha lesigaba sokuqalisa se-ssh-keygen ukufikelela kwifayile engundoqo.
Inguqulelo entsha ye-OpenSSH ikwabhengeze ukuyekiswa okuzayo kwe-algorithms kusetyenziswa i-SHA-1 hashes ngenxa
Ukugudisa utshintsho kwii-algorithms ezintsha kwi-OpenSSH, ekukhutshweni kwexesha elizayo i-UpdateHostKeys useto luya kwenziwa ngokuzenzakalelayo, oluya kufuduka ngokuzenzekelayo abathengi kwii-algorithms ezithembekileyo. Ii-algorithms ezicetyiswayo zokufuduka ziquka i-rsa-sha2-256/512 esekwe kwi-RFC8332 RSA SHA-2 (ixhaswe ukususela kwi-OpenSSH 7.2 kwaye isetyenziswe ngokungagqibekanga), ssh-ed25519 (ixhaswe ukususela kwi-OpenSSH 6.5) kunye ne-ecdsa-sha2-nistp256/384 esekelwe kwi-ecdsa-sha521-nistp5656/5.7 kwi-RFCXNUMX ECDSA (ixhaswe ukususela kwi-OpenSSH XNUMX).
Kwi-OpenSSH 8.2, ukukwazi ukudibanisa usebenzisa "ssh-rsa" kusekho, kodwa le algorithm isusiwe kuluhlu lwe-CASignatureAlgorithms, oluchaza i-algorithms evunyelwe ukusayina izatifikethi ezitsha ngedijithali. Ngokufanayo, i-diffie-hellman-group14-sha1 algorithm isusiwe kwi-algorithms yokutshintshiselana kwezitshixo ezisisiseko ezixhaswayo. Kuqatshelwe ukuba ukusetyenziswa kwe-SHA-1 kwizatifikethi kunxulunyaniswa nomngcipheko owongezelelekileyo, kuba umhlaseli enexesha elingasikelwanga mda lokukhangela ungqubano lwesatifikethi esele sikhona, ngelixa ixesha lokuhlaselwa kwezitshixo zenginginya likhawulelwe kukuphuma koqhagamshelo (LoginGraceTime). ).
Ukuqhuba i-ssh-keygen ngoku kuyagqibeka kwi-algorithm ye-rsa-sha2-512, exhaswa ukususela kwi-OpenSSH 7.2, enokudala imiba yokuhambelana xa uzama ukucubungula izatifikethi ezisayinwe kwi-OpenSSH 8.2 kwiinkqubo ezisebenzisa ukukhutshwa kwe-OpenSSH endala (ukusebenza malunga nomba xa Nini ukuvelisa utyikityo, ungacacisa ngokucacileyo "ssh-keygen -t ssh-rsa" okanye usebenzise i-ecdsa-sha2-nistp256/384/521 algorithms, exhaswayo ukususela kwi-OpenSSH 5.7).
Olunye utshintsho:
- Umyalelo oqukayo wongezwe kwi-sshd_config, ekuvumela ukuba ubandakanye imixholo yezinye iifayile kwindawo yangoku yefayile yoqwalaselo (iimaski zeglobhu zingasetyenziswa xa uchaza igama lefayile);
- Inketho ethi "akukho-touch-efunekayo" yongezwe kwi-ssh-keygen, ekhubaza isidingo sokuqinisekisa ngokomzimba ukufikelela kwithokheni xa uvelisa isitshixo;
- Umyalelo wePubkeyAuthOptions wongezwe kwi-sshd_config, edibanisa iinketho ezahlukeneyo ezinxulumene nokuqinisekiswa kwesitshixo sikawonke-wonke. Okwangoku, kuphela iflegi ethi "akukho-touch-efunekayo" exhaswayo ukutsiba iitshekhi zobukho bomzimba ukwenzela uqinisekiso lwethokheni. Ngokulinganisa, inketho ethi "akukho-touch-efunekayo" yongezwe kwifayile egunyaziwe_yezitshixo;
- Kongezwe "-O write-attestation =/path" ukhetho kwi-ssh-keygen ukuvumela izatifikethi zobungqina ezongezelelweyo zeFIDO ukuba zibhalwe xa uvelisa izitshixo. I-OpenSSH ayikasebenzisi ezi zatifikethi, kodwa zingasetyenziswa kamva ukuqinisekisa ukuba isitshixo sibekwe kwivenkile ethembekileyo yehardware;
- Kuseto lwe-ssh kunye ne-sshd, ngoku kunokwenzeka ukuseta imo yokubeka phambili i-traffic ngomyalelo we-IPQoS.
I-LE DSCP (UMzamo ophantsi we-Per-Hop Behaviour); - Kwi-ssh, xa ubeka ixabiso "AddKeysToAgent=ewe", ukuba isitshixo asiqulathanga indawo yokuphawula, iya kudityaniswa kwi-ssh-arhente ebonisa indlela eya kwisitshixo njengezimvo. IN
ssh-keygen kunye ne-ssh-arhente nazo ngoku zisebenzisa iilebhile ze-PKCS#11 kunye nesihloko se-X.509 igama endaweni yendlela yethala leencwadi njengezimvo kwisitshixo; - Ukongeza ukukwazi ukuthumela ngaphandle i-PEM kwi-DSA kunye nezitshixo ze-ECDSA kwi-ssh-keygen;
- Kongezwe into entsha ephunyeziweyo, i-ssh-sk-helper, esetyenziselwa ukwahlula ilayibrari yofikelelo yophawu lweFIDO/U2F;
- Ukongezwa "-nge-zlib" ukhetho lokwakha kwi-ssh kunye ne-sshd yokuhlanganiswa nenkxaso yelayibrari ye-zlib;
- Ngokuhambelana nemfuno ye-RFC4253, isilumkiso malunga nokuthintela ukufikelela ngenxa yokugqithisa imingcele ye-MaxStartups inikwe kwibhena eboniswe ngexesha loqhagamshelwano. Ukwenza lula ukuxilongwa, i-header yenkqubo ye-sshd, ebonakalayo xa usebenzisa i-ps utility, ngoku ibonisa inani loqhagamshelo oluqinisekisiweyo lwangoku kunye nobume bomda we-MaxStartups;
- Kwi-ssh kunye ne-ssh-arhente, xa ufowunela inkqubo yokubonisa isimemo kwisikrini, esichazwe nge- $SSH_ASKPASS, iflegi enohlobo lwesimemo ngoku igqithiselwa: "qinisekisa" - i-dialog yokuqinisekisa (ewe/hayi), "akukho β - umyalezo wolwazi, βayinantoβ β isicelo segama lokugqitha;
- Kongezwe i-digital signatures operation entsha ethi "find-principals" kwi-ssh-keygen ukukhangela ifayile evunyelweyo yokusayina kumsebenzisi onxulumene nesiginitsha yedijithali echaziweyo;
- Uphuculo lwenkxaso yenkqubo ye-sshd yokwahlulwa kwiLinux usebenzisa i-seccomp mechanism: ukukhubaza iminxeba yenkqubo ye-IPC, ivumela clock_gettime64(), clock_nanosleep_time64 kunye clock_nanosleep ().
umthombo: opennet.ru