OpenSSH 8.3 release with a fix for the scp vulnerability

After three months of development, the OpenSSH 8.3 release has been published, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an scp attack that allows the server to pass file names other than those requested (unlike the previous vulnerability, the attack does not make it possible to change the directory chosen by the user or the glob mask). Recall that in SCP the server decides which files and directories to send to the client, and the client only checks the correctness of the names of the returned objects. The essence of the identified problem is that if the utimes system call fails, the contents of the file are interpreted as file metadata.

When connecting to a server controlled by an attacker, this behaviour can be used to write other file names and other contents into the user's file system when copying with scp in configurations where the utimes call fails (for example, when its use is prohibited by an SELinux policy or a system call filter). The likelihood of a real attack is estimated to be minimal, since in typical configurations the utimes call does not fail. In addition, the attack does not go unnoticed: when scp is called, a data transfer error is displayed.

General changes:

  • In sftp, processing of the "-1" argument has been discontinued; as in ssh and scp, it was previously accepted but ignored;
  • In sshd, the IgnoreRhosts setting now has three options: "yes" - ignore rhosts/shosts, "no" - honour rhosts/shosts, and "shosts-only" - allow ".shosts" but disable ".rhosts";
  • ssh now supports %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
  • Allow loading a public key from an unencrypted private key file if no separate public key file exists;
  • If libcrypto is available on the system, ssh and sshd now use the chacha20 implementation from this library instead of the built-in portable implementation, which lags behind in performance;
  • Implemented the ability to dump the contents of a binary revoked-certificate list with the command "ssh-keygen -lQf /path";
  • The portable version now handles systems on which signals with the SA_RESTART option interrupt the select operation;
  • Build problems on HP/UX and AIX systems have been resolved;
  • Fixed problems with building the seccomp sandbox on some Linux configurations;
  • Improved detection of the libfido2 library and resolved build problems with the "--with-security-key-builtin" option.

The OpenSSH developers have also warned about the upcoming deprecation of algorithms that use SHA-1 hashes, due to the increased effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at approximately 45 thousand dollars). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to check for the use of ssh-rsa on your systems, you can try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).
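The check described above, turned into a small audit script (an added example, not part of the original article or the OpenSSH project): it connects to each host with ssh-rsa removed from HostKeyAlgorithms and classifies the result from ssh's exit status and stderr. The helper names and the host-list format ("host[:port]" per line) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: find hosts that still depend on the "ssh-rsa" signature
# algorithm by connecting with ssh-rsa removed from HostKeyAlgorithms.
# Helper names and the "host[:port]" list format are assumptions of this example.

# classify_ssh_result STATUS STDERR_TEXT -> ok | ssh-rsa-only | unreachable | other
# "ok" means host-key negotiation succeeded without ssh-rsa; a later
# authentication failure is irrelevant to the check and still counts as ok.
classify_ssh_result() {
    status="$1"
    err="$2"
    if [ "$status" -eq 0 ]; then
        echo ok
    elif printf '%s' "$err" | grep -q 'no matching host key type found'; then
        # The only host key algorithm the server offered was ssh-rsa.
        echo ssh-rsa-only
    elif printf '%s' "$err" | grep -qi 'permission denied'; then
        echo ok
    elif printf '%s' "$err" | grep -qi -E 'connection (refused|timed out)|could not resolve|no route to host'; then
        echo unreachable
    else
        echo other
    fi
}

# audit_hosts FILE: one "host[:port]" per line; prints "host<TAB>result".
audit_hosts() {
    while IFS= read -r target; do
        case "$target" in ""|"#"*) continue ;; esac
        host="${target%%:*}"
        port="${target#*:}"
        [ "$port" = "$target" ] && port=22
        # BatchMode avoids password prompts; a throwaway known_hosts file keeps
        # the audit from touching the real one. Only stderr is captured.
        err=$(ssh -oHostKeyAlgorithms=-ssh-rsa -o BatchMode=yes -o ConnectTimeout=5 \
                  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
                  -p "$port" "$host" true 2>&1 >/dev/null) && status=0 || status=$?
        printf '%s\t%s\n' "$target" "$(classify_ssh_result "$status" "$err")"
    done < "$1"
}

# Usage: sh audit_ssh_rsa.sh hosts.txt
if [ -n "${1:-}" ]; then
    audit_hosts "$1"
fi
```

A host reported as ssh-rsa-only offers no rsa-sha2-256/512, ed25519 or ECDSA host key signature and will become unreachable once the client disables ssh-rsa by default.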

To smooth the transition to new algorithms in OpenSSH, the UpdateHostKeys setting will be enabled by default in a future release, which will automatically migrate clients to more robust algorithms. The recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC521 ECDSA (supported since OpenSSH 5656).

As of the previous release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for digitally signing new certificates, since the use of SHA-1 in certificates poses an additional risk: an attacker has unlimited time to search for a collision with an existing certificate, whereas the time available to attack host keys is limited by the connection timeout (LoginGraceTime).

Source: opennet.ru
