OpenSSH 8.0 released

After five months of development, OpenSSH 8.0 has been released, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.

Main changes:

  • Experimental support for a key exchange method resistant to brute-force attacks on a quantum computer has been added to ssh and sshd. Quantum computers are much faster at solving the problem of factoring a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The proposed method is based on the NTRU Prime algorithm (the ntrup4591761 function), designed for post-quantum cryptosystems, combined with the X25519 elliptic-curve key exchange method;
  • In sshd, the ListenAddress and PermitOpen directives no longer support the legacy "host/port" syntax, which was introduced in 2001 as an alternative to "host:port" to simplify working with IPv6. Today the "[::1]:22" syntax is established for IPv6, and "host/port" is easily confused with a subnet specification (CIDR);
  • ssh, ssh-agent and ssh-add now support ECDSA keys on PKCS#11 tokens;
  • In ssh-keygen, the default RSA key size has been increased to 3072 bits, in line with the new NIST recommendations;
  • ssh allows the "PKCS11Provider=none" setting to override a PKCS11Provider directive specified in ssh_config;
  • sshd now logs the situation where a connection is terminated because a command blocked by the "ForceCommand=internal-sftp" restriction in sshd_config was attempted;
  • In ssh, when showing the prompt to confirm acceptance of a new host key, the correct key fingerprint is now accepted in place of the answer "yes" (in reply to the connection-confirmation prompt, the user can paste a reference hash obtained out of band from the clipboard instead of comparing it manually);
  • ssh-keygen automatically increments the certificate serial number when signing multiple certificates in a single command line;
  • A new "-J" option has been added to scp and sftp, equivalent to the ProxyJump setting;
  • In ssh-agent, ssh-pkcs11-helper and ssh-add, handling of the "-v" command-line option has been added to make the output more verbose (when specified, the option is passed on to child processes, for example when ssh-pkcs11-helper is invoked from ssh-agent);
  • A "-T" option has been added to ssh-add to test whether keys held in ssh-agent are usable for digital signature creation and verification operations;
  • sftp-server implements the "lsetstat@openssh.com" protocol extension, which adds support for the SFTP SSH2_FXP_SETSTAT operation but without following symbolic links;
  • A "-h" option has been added to sftp to execute the chown/chgrp/chmod commands with requests that do not follow symbolic links;
  • sshd now sets the $SSH_CONNECTION environment variable for PAM;
  • In ssh, the "Match final" matching mode has been added to ssh_config; it is similar to "Match canonical" but does not require hostname canonicalization in order to apply;
  • Support for the '@' prefix has been added to sftp to suppress echoing of the output of commands executed in batch mode;
  • When displaying the contents of a certificate with the command "ssh-keygen -Lf /path/certificate", the algorithm used by the CA to sign the certificate is now shown;

  • Improved support for the Cygwin environment, for example case-insensitive comparison of group and user names. The sshd process in the Cygwin port has been renamed to cygsshd to avoid conflicts with the OpenSSH port provided by Microsoft;
  • Added the ability to build against the experimental OpenSSL 3.x branch;
  • Fixed a vulnerability (CVE-2019-6111) in the scp utility that allowed arbitrary files in the target directory to be overwritten on the client side when accessing a server controlled by an attacker. The problem is that when using scp, the server decides which files and directories are sent to the client, and the client only checks the validity of the names of the objects it receives. The client-side check was limited to blocking traversal outside the current directory ("../"), but it did not take into account the transfer of files whose names differ from those originally requested. In the case of recursive copying (-r), subdirectory names can be manipulated in the same way as file names. For example, if the user copies files into the home directory, an attacker-controlled server can produce files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and the scp utility would save them in the user's home directory.

    In the new release, the scp utility has been updated so that the client checks that the file names sent by the server correspond to the names that were requested. This may cause problems with wildcard handling, since wildcard expansion characters may be interpreted differently on the server and client sides. For cases where such differences cause the client to stop accepting files from scp, a "-T" option has been added to disable the client-side check. A complete fix would require a conceptual rework of the scp protocol, which is itself outdated, so it is recommended to use modern protocols such as sftp and rsync instead.
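A Python model of the client-side name check described above, added here as an illustration (it is not OpenSSH's scp code): the server's C/D/E records are constructed inline, `sink()` accepts only names that match the requested pattern, and `verify=False` plays the role of the new "-T" option. The '*' pattern applied to entries once a directory has been entered is an assumption of this model.

```python
import fnmatch
import posixpath

class ScpNameError(ValueError):
    """Raised when a name announced by the server fails the client-side check."""

def _check_basename(name):
    # The only check scp had before 8.0: a C/D record must carry a bare file
    # name, never ".", ".." or anything containing a path separator.
    if name in ("", ".", "..") or "/" in name:
        raise ScpNameError("illegal file name %r" % name)

def sink(requested, records, verify=True):
    """Model of scp's receiving side ('sink') as hardened in OpenSSH 8.0.
    requested: the path or glob the client asked for.
    records:   constructed server messages as (kind, name) tuples; kind is
               'C' (file), 'D' (enter directory) or 'E' (leave directory).
    verify:    False models the "-T" option: the name match is skipped but
               the older basename sanity check stays in force.
    Returns the relative paths the client would write, in order."""
    written = []
    # Stack of (dir prefix, pattern). Top-level names must match the requested
    # basename; inside a received directory '*' is used (model assumption).
    stack = [("", posixpath.basename(requested))]
    for kind, name in records:
        if kind == "E":
            if len(stack) == 1:
                raise ScpNameError("end-of-directory outside any directory")
            stack.pop()
            continue
        _check_basename(name)
        prefix, pattern = stack[-1]
        if verify and not fnmatch.fnmatchcase(name, pattern):
            raise ScpNameError("received %r, expected %r" % (name, pattern))
        path = prefix + name
        if kind == "C":
            written.append(path)
        elif kind == "D":
            stack.append((path + "/", "*"))
        else:
            raise ScpNameError("unknown record type %r" % kind)
    return written

def is_rejected(requested, records, verify=True):
    """True when the client would abort the transfer on these records."""
    try:
        sink(requested, records, verify)
    except ScpNameError:
        return True
    return False
```

The `[a-z]*.txt` case in the checks illustrates the wildcard mismatch the release notes mention: a server that expands the pattern case-insensitively sends "A.txt", which the hardened client refuses unless the check is disabled.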

Source: opennet.ru
