Emva kweenyanga ezine zophuhliso ukukhulula , umxhasi ovulekileyo kunye nokuphunyezwa kweseva yokusebenza nge-SSH 2.0 kunye ne-SFTP protocol.
Uphuculo oluphambili ekukhutshweni kwe-OpenSSH 8.2 yayikukukwazi ukusebenzisa ukuqinisekiswa kwezinto ezimbini usebenzisa izixhobo ezixhasa umthetho olandelwayo. , iphuhliswe lumanyano . I-U2F ivumela ukudalwa kweethokheni ze-hardware eziphantsi kwexabiso eliphantsi ukuqinisekisa ubukho bomzimba bomsebenzisi, ukusebenzisana nabo nge-USB, iBluetooth okanye i-NFC. Izixhobo ezinjalo zikhuthazwa njengendlela yokuqinisekiswa kwezinto ezimbini kwiiwebhusayithi, sele zixhaswa ngabaphequluli abakhulu kwaye ziveliswa ngabavelisi abahlukeneyo, kuquka iYubico, Feitian, Thetis kunye neKensington.
Ukusebenzisana nezixhobo eziqinisekisa ubukho bomsebenzisi, iintlobo ezintsha eziphambili ze-βecdsa-skβ kunye ne-βed25519-skβ ziye zongezwa kwi-OpenSSH, esebenzisa i-ECDSA kunye ne-Ed25519 digital signature algorithms, kudityaniswe ne-SHA-256 hash. Iinkqubo zokusebenzisana namathokheni zibekwe kwithala leencwadi eliphakathi, elilayishwe ngendlela efanayo kwithala leencwadi lenkxaso yePKCS#11 kwaye lilisonga phezu kwethala leencwadi. , ebonelela ngezixhobo zokunxibelelana kunye namathokheni phezu kwe-USB (FIDO U2F / CCAP 1 kunye neFIDO 2.0 / CCAP 2 protocols zixhaswa). Ithala leencwadi eliphakathi libsk-libfido2 lilungiswe ngabaphuhlisi be-OpenSSH kwi-core libfido2, ngokunjalo ye-OpenBSD.
Ukuqinisekisa kunye nokuvelisa isitshixo, kufuneka ucacise iparameter ye "SecurityKeyProvider" kwizicwangciso okanye usete i-SSH_SK_PROVIDER eguquguqukayo yendawo, ebonisa indlela eya kwilayibrari yangaphandle libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2. ngoko). Kuyenzeka ukuba wakhe i-openssh ngenkxaso eyakhelwe-ngaphakathi yethala leencwadi (--nge-security-key-builtin), kulo mzekelo kufuneka usete "SecurityKeyProvider=internal" ipharamitha.
Okulandelayo kufuneka usebenzise "ssh-keygen -t ecdsa-sk" okanye, ukuba izitshixo sele zenziwe kwaye ziqwalaselwe, qhagamshela kumncedisi usebenzisa "ssh". Xa uqhuba i-ssh-keygen, isibini sesitshixo esivelisiweyo siya kugcinwa kwi "~/.ssh/id_ecdsa_sk" kwaye ingasetyenziswa ngokufanayo kwamanye amaqhosha.
Isitshixo sikawonke-wonke (id_ecdsa_sk.pub) kufuneka sikhutshelwe kwiseva kwifayile egunyaziwe_yezitshixo. Kwicala lomncedisi, kuphela utyikityo lwedijithali luqinisekisiwe, kwaye intsebenziswano kunye namathokheni yenziwa kwicala lomxhasi (akuyomfuneko ukuba ufake i-libsk-libfido2 kumncedisi, kodwa umncedisi kufuneka axhase i-"ecdsa-sk" uhlobo lwesitshixo) . Isitshixo esiveliswayo sabucala (id_ecdsa_sk) sisibambo esibalulekileyo, esenza isitshixo sokwenyani kuphela ngokudityaniswa nolandelelwano oluyimfihlo olugcinwe kwicala lophawu lwe-U2F. Ukuba isitshixo se-id_ecdsa_sk siwela ezandleni zomhlaseli, ukudlula ukuqinisekiswa kuya kufuneka kwakhona ukuba afumane ukufikelela kwithokheni ye-hardware, ngaphandle kokuba isitshixo sangasese esigcinwe kwifayile ye-id_ecdsa_sk ayinamsebenzi.
Ukongeza, ngokungagqibekanga, xa usenza nayiphi na imisebenzi ngezitshixo (zombini ngexesha lesizukulwana nangexesha lokuqinisekisa), isiqinisekiso sendawo sobukho bomsebenzisi siyafuneka, umzekelo, kucetywa ukuba uchukumise inzwa kwithokheni, eyenza kube nzima ukwenza uhlaselo olukude kwiinkqubo ezinophawu oluxhunyiwe. Njengomnye umgca wokukhusela, igama lokugqitha lingachazwa ngexesha lesigaba sokuqalisa se-ssh-keygen ukufikelela kwifayile engundoqo.
Inguqulelo entsha ye-OpenSSH ikwabhengeze ukuyekiswa okuzayo kwe-algorithms kusetyenziswa i-SHA-1 hashes ngenxa ukusebenza kohlaselo longquzulwano ngesimaphambili esinikiweyo (ixabiso lokukhetha ungquzulwano liqikelelwa malunga ne-45 lamawaka eedola). Kwesinye sezikhupho ezizayo, baceba ukukhubaza ngokungagqibekanga amandla okusebenzisa isitshixo sesitshixo sedijithali se-algorithm "ssh-rsa", ekhankanywe kwi-RFC yasekuqaleni ye-SSH protocol kwaye ihlala ixhaphakile ekusebenzeni (ukuvavanya ukusetyenziswa. ye-ssh-rsa kwiinkqubo zakho, ungazama ukudibanisa nge-ssh ngokhetho "-oHostKeyAlgorithms=-ssh-rsa").
Ukugudisa utshintsho kwii-algorithms ezintsha kwi-OpenSSH, ekukhutshweni kwexesha elizayo i-UpdateHostKeys useto luya kwenziwa ngokuzenzakalelayo, oluya kufuduka ngokuzenzekelayo abathengi kwii-algorithms ezithembekileyo. Ii-algorithms ezicetyiswayo zokufuduka ziquka i-rsa-sha2-256/512 esekwe kwi-RFC8332 RSA SHA-2 (ixhaswe ukususela kwi-OpenSSH 7.2 kwaye isetyenziswe ngokungagqibekanga), ssh-ed25519 (ixhaswe ukususela kwi-OpenSSH 6.5) kunye ne-ecdsa-sha2-nistp256/384 esekelwe kwi-ecdsa-sha521-nistp5656/5.7 kwi-RFCXNUMX ECDSA (ixhaswe ukususela kwi-OpenSSH XNUMX).
Kwi-OpenSSH 8.2, ukukwazi ukudibanisa usebenzisa "ssh-rsa" kusekho, kodwa le algorithm isusiwe kuluhlu lwe-CASignatureAlgorithms, oluchaza i-algorithms evunyelwe ukusayina izatifikethi ezitsha ngedijithali. Ngokufanayo, i-diffie-hellman-group14-sha1 algorithm isusiwe kwi-algorithms yokutshintshiselana kwezitshixo ezisisiseko ezixhaswayo. Kuqatshelwe ukuba ukusetyenziswa kwe-SHA-1 kwizatifikethi kunxulunyaniswa nomngcipheko owongezelelekileyo, kuba umhlaseli enexesha elingasikelwanga mda lokukhangela ungqubano lwesatifikethi esele sikhona, ngelixa ixesha lokuhlaselwa kwezitshixo zenginginya likhawulelwe kukuphuma koqhagamshelo (LoginGraceTime). ).
Ukuqhuba i-ssh-keygen ngoku kuyagqibeka kwi-algorithm ye-rsa-sha2-512, exhaswa ukususela kwi-OpenSSH 7.2, enokudala imiba yokuhambelana xa uzama ukucubungula izatifikethi ezisayinwe kwi-OpenSSH 8.2 kwiinkqubo ezisebenzisa ukukhutshwa kwe-OpenSSH endala (ukusebenza malunga nomba xa Nini ukuvelisa utyikityo, ungacacisa ngokucacileyo "ssh-keygen -t ssh-rsa" okanye usebenzise i-ecdsa-sha2-nistp256/384/521 algorithms, exhaswayo ukususela kwi-OpenSSH 5.7).
Olunye utshintsho:
- Umyalelo oqukayo wongezwe kwi-sshd_config, ekuvumela ukuba ubandakanye imixholo yezinye iifayile kwindawo yangoku yefayile yoqwalaselo (iimaski zeglobhu zingasetyenziswa xa uchaza igama lefayile);
- Inketho ethi "akukho-touch-efunekayo" yongezwe kwi-ssh-keygen, ekhubaza isidingo sokuqinisekisa ngokomzimba ukufikelela kwithokheni xa uvelisa isitshixo;
- Umyalelo wePubkeyAuthOptions wongezwe kwi-sshd_config, edibanisa iinketho ezahlukeneyo ezinxulumene nokuqinisekiswa kwesitshixo sikawonke-wonke. Okwangoku, kuphela iflegi ethi "akukho-touch-efunekayo" exhaswayo ukutsiba iitshekhi zobukho bomzimba ukwenzela uqinisekiso lwethokheni. Ngokulinganisa, inketho ethi "akukho-touch-efunekayo" yongezwe kwifayile egunyaziwe_yezitshixo;
- Kongezwe "-O write-attestation =/path" ukhetho kwi-ssh-keygen ukuvumela izatifikethi zobungqina ezongezelelweyo zeFIDO ukuba zibhalwe xa uvelisa izitshixo. I-OpenSSH ayikasebenzisi ezi zatifikethi, kodwa zingasetyenziswa kamva ukuqinisekisa ukuba isitshixo sibekwe kwivenkile ethembekileyo yehardware;
- Kuseto lwe-ssh kunye ne-sshd, ngoku kunokwenzeka ukuseta imo yokubeka phambili i-traffic ngomyalelo we-IPQoS. (UMzamo ophantsi we-Per-Hop Behaviour);
- Kwi-ssh, xa ubeka ixabiso "AddKeysToAgent=ewe", ukuba isitshixo asiqulathanga indawo yokuphawula, iya kudityaniswa kwi-ssh-arhente ebonisa indlela eya kwisitshixo njengezimvo. IN
ssh-keygen kunye ne-ssh-arhente nazo ngoku zisebenzisa iilebhile ze-PKCS#11 kunye nesihloko se-X.509 igama endaweni yendlela yethala leencwadi njengezimvo kwisitshixo; - Ukongeza ukukwazi ukuthumela ngaphandle i-PEM kwi-DSA kunye nezitshixo ze-ECDSA kwi-ssh-keygen;
- Kongezwe into entsha ephunyeziweyo, i-ssh-sk-helper, esetyenziselwa ukwahlula ilayibrari yofikelelo yophawu lweFIDO/U2F;
- Ukongezwa "-nge-zlib" ukhetho lokwakha kwi-ssh kunye ne-sshd yokuhlanganiswa nenkxaso yelayibrari ye-zlib;
- Ngokuhambelana nemfuno ye-RFC4253, isilumkiso malunga nokuthintela ukufikelela ngenxa yokugqithisa imingcele ye-MaxStartups inikwe kwibhena eboniswe ngexesha loqhagamshelwano. Ukwenza lula ukuxilongwa, i-header yenkqubo ye-sshd, ebonakalayo xa usebenzisa i-ps utility, ngoku ibonisa inani loqhagamshelo oluqinisekisiweyo lwangoku kunye nobume bomda we-MaxStartups;
- Kwi-ssh kunye ne-ssh-arhente, xa ufowunela inkqubo yokubonisa isimemo kwisikrini, esichazwe nge- $SSH_ASKPASS, iflegi enohlobo lwesimemo ngoku igqithiselwa: "qinisekisa" - i-dialog yokuqinisekisa (ewe/hayi), "akukho β - umyalezo wolwazi, βayinantoβ β isicelo segama lokugqitha;
- Kongezwe i-digital signatures operation entsha ethi "find-principals" kwi-ssh-keygen ukukhangela ifayile evunyelweyo yokusayina kumsebenzisi onxulumene nesiginitsha yedijithali echaziweyo;
- Uphuculo lwenkxaso yenkqubo ye-sshd yokwahlulwa kwiLinux usebenzisa i-seccomp mechanism: ukukhubaza iminxeba yenkqubo ye-IPC, ivumela clock_gettime64(), clock_nanosleep_time64 kunye clock_nanosleep ().
umthombo: opennet.ru