Google Publishes HIBA, an OpenSSH Add-on for Certificate-Based Authorization

Google has published the source code of HIBA (Host Identity Based Authorization), a project that proposes an additional authorization mechanism for organizing SSH user access per host: it checks whether access to a particular resource is permitted once the user has authenticated with a public key. Integration with OpenSSH is achieved by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project code is written in C and distributed under the BSD license.

HIBA builds on the standard OpenSSH certificate-based authentication mechanisms to provide flexible, centralized management of user authorization per host, but it does not require periodic changes to the authorized_keys and authorized_principals files on the hosts being connected to. Instead of keeping the list of allowed public keys and access conditions in authorized_keys or authorized_principals (the file named by AuthorizedPrincipalsFile), HIBA embeds the host-binding information directly in the certificates themselves. Specifically, extensions are proposed for host certificates and for user certificates, which store the host's parameters and the conditions under which a user is granted access.

The check on the host side is triggered by invoking the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. This handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or deny access. Access rules are defined centrally at the certificate authority (CA) level and are embedded into the certificates at the time they are generated.

On the certificate authority side, a common list of available permissions is maintained (the hosts to which connection is allowed), along with a list of users permitted to use those permissions. The hiba-gen utility is proposed for generating certificates signed with the embedded permission information, and the functionality needed to set up a certificate authority is provided by the hiba-ca.sh script.

When a user connects, the permissions listed in the certificate are vouched for by the certificate authority's digital signature, which allows all checks to be performed entirely on the target host being connected to, without contacting any external service. The list of public keys of the certificate authority that signs SSH certificates is specified via the TrustedUserCAKeys directive.

Beyond binding users directly to hosts, HIBA lets you define more flexible access rules. For example, information such as location and service type can be attached to hosts, and when defining user access rules, connection can be allowed to all hosts with a particular service type or to all hosts in a particular location.
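To make the hiba-chk decision process and the attribute-based rules above concrete, here is an added example (written for this article, not code from the HIBA project): it packs a host identity and a set of user grants as key/value extensions in the OpenSSH certificate "extensions" layout (string name, string data, repeated), decodes them again, and evaluates whether a given login is allowed on a given host. The extension names identity@hibassh.dev and grant@hibassh.dev follow HIBA's own documentation; the key/value layout inside each extension, the "role" key naming the local account, and the "*" wildcard are simplifications assumed for this example rather than HIBA's real encoding. The host and user data are constructed. Signature checking is deliberately left out: sshd already verifies the certificate against TrustedUserCAKeys before AuthorizedPrincipalsCommand runs (and sshd refuses to start if that directive is set without AuthorizedPrincipalsCommandUser).

```python
from __future__ import annotations
import struct

# Extension names HIBA uses in host and user certificates (per its
# documentation). The key/value layout inside each extension below is a
# simplified stand-in chosen for this example, not HIBA's real wire format.
IDENTITY_EXT = "identity@hibassh.dev"
GRANT_EXT = "grant@hibassh.dev"


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH 'string' (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH 'string' at offset off; return (data, new offset).
    Truncated input raises instead of silently yielding a short value."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_extensions(exts: list[tuple[str, dict[str, str]]]) -> bytes:
    """Pack (name, key/value map) pairs the way OpenSSH packs a certificate's
    'extensions' field: string name, string data, repeated. The data of each
    extension is itself a sequence of string key, string value pairs."""
    out = b""
    for name, kv in exts:
        data = b"".join(ssh_string(k.encode()) + ssh_string(v.encode())
                        for k, v in kv.items())
        out += ssh_string(name.encode()) + ssh_string(data)
    return out


def decode_extensions(blob: bytes) -> list[tuple[str, dict[str, str]]]:
    """Inverse of encode_extensions; malformed input raises ValueError."""
    exts, off = [], 0
    while off < len(blob):
        name, off = read_ssh_string(blob, off)
        data, off = read_ssh_string(blob, off)
        kv, doff = {}, 0
        while doff < len(data):
            k, doff = read_ssh_string(data, doff)
            v, doff = read_ssh_string(data, doff)
            kv[k.decode()] = v.decode()
        exts.append((name.decode(), kv))
    return exts


def grant_matches(grant: dict[str, str], identity: dict[str, str]) -> bool:
    """A grant applies to a host when every constraint it carries (all keys
    except 'role', which names the local account) is present in the host's
    identity with the same value. '*' matches any value. A key the host does
    not declare never matches, so an under-specified host fails closed."""
    for key, want in grant.items():
        if key == "role":
            continue
        have = identity.get(key)
        if have is None or (want != "*" and want != have):
            return False
    return True


def check_access(host_exts: bytes, user_exts: bytes, login_user: str) -> str | None:
    """hiba-chk style decision: return the account name to report to sshd when
    some grant in the user certificate covers this host and that account,
    otherwise None (deny). A host without an identity extension denies all."""
    identity = None
    for name, kv in decode_extensions(host_exts):
        if name == IDENTITY_EXT:
            identity = kv
    if identity is None:
        return None
    for name, grant in decode_extensions(user_exts):
        if name != GRANT_EXT:
            continue
        role = grant.get("role")
        if role in ("*", login_user) and grant_matches(grant, identity):
            return login_user
    return None


# Constructed sample data: two host identities and one user's grants, as the
# CA would have stamped them into the respective certificates.
WEB_HOST = encode_extensions([(IDENTITY_EXT, {
    "domain": "example.com", "location": "eu-west", "service": "web"})])
DB_HOST = encode_extensions([(IDENTITY_EXT, {
    "domain": "example.com", "location": "us-east", "service": "db"})])
ALICE = encode_extensions([
    # every web host in the domain, as the deploy account
    (GRANT_EXT, {"domain": "example.com", "service": "web", "role": "deploy"}),
    # every host located in us-east, as root
    (GRANT_EXT, {"domain": "example.com", "location": "us-east", "role": "root"}),
])

if __name__ == "__main__":
    for host_name, host in (("web", WEB_HOST), ("db", DB_HOST)):
        for user in ("deploy", "root"):
            print(host_name, user, check_access(host, ALICE, user))
```

The point of keeping the decoder strict and the matcher fail-closed is that this code runs as the authorization oracle for sshd: a truncated or oddly packed extension must be an error, not an accidental match, and a grant must never apply to a host that does not declare the attribute the grant constrains.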

Source: opennet.ru
