After four months of development
Main changes:
- Security changes:
  - In ssh-agent, when a FIDO key that was not created for SSH authentication is used (the key identifier does not begin with the string "ssh:"), it now checks that the message to be signed is in one of the forms used by the SSH protocol. The change prevents a forwarded ssh-agent on a remote host from being used to sign web authentication (webauthn) requests with these keys (the reverse case, a browser signing an SSH request, was already excluded by the "ssh:" prefix in the key identifier).
  - Resident key generation in ssh-keygen now supports the credProtect extension defined in the FIDO 2.1 specification, which gives keys additional protection by requiring a PIN before any operation that could result in the resident key being extracted from the token.
- Changes that may break compatibility:
  - For FIDO/U2F support, libfido2 version 1.5.0 or later is recommended. Older releases are partially supported, but in that case features such as resident keys, PIN prompting and attaching multiple tokens are not available.
  - In ssh-keygen, the attestation data needed to verify digital signatures has been added to the attestation information format that can optionally be saved when a FIDO key is generated.
  - The API that OpenSSH uses to interact with the FIDO token access layer has been changed.
  - When building the portable version of OpenSSH, automake is now required to generate the configure script and the accompanying build files (when building from the published source tarball, regeneration is not needed).
- Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate such keys, the "verify-required" option was added to ssh-keygen. When these keys are used, the user is asked to confirm the action by entering the PIN before a signature is created.
- In sshd, the "verify-required" option is supported in authorized_keys, requiring the token's user-verification capability to be used during operations with the key. The FIDO standard offers several ways to perform this verification, but OpenSSH currently supports only PIN-based verification.
- sshd and ssh-keygen added support for verifying digital signatures that conform to the FIDO Webauthn standard, allowing FIDO keys to be used in web browsers.
- In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now allow substitution of environment variable values specified in the "${ENV}" format.
- ssh and ssh-agent added support for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable calling ssh-askpass.
- In ssh, the AddKeysToAgent directive in ssh_config gained the ability to limit the lifetime of a key. Once the specified limit expires, the key is automatically removed from ssh-agent.
- In scp and sftp, the "-A" flag now explicitly allows ssh-agent forwarding for scp and sftp (forwarding is disabled by default).
- Added support for the '%k' substitution in ssh settings, which expands to the name of the host key. This feature can be used to spread host keys across separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
- The "ssh-add -d -" operation can now read the keys to be removed from stdin.
- In sshd, the start and end of connection throttling, controlled by the MaxStartups parameter, are now recorded in the log.
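The client and server settings introduced above, brought together in one configuration as an added example (not from the release notes or the OpenSSH project); hostnames, paths, the agent socket location and the key blob are assumed placeholders:

```text
# ~/.ssh/config  (client side; hostnames and paths are assumed)

Host *
    # ${ENV} expansion: bind to the per-session agent socket instead of
    # a fixed path, so a stale socket from another session is never reused.
    IdentityAgent ${XDG_RUNTIME_DIR}/ssh-agent.socket

    # Keys added to the agent expire after one hour, and "confirm" makes
    # the agent ask before each signing operation, so a forwarded agent
    # cannot sign silently and holds no long-lived keys.
    AddKeysToAgent confirm 1h

    # %k expands to the host key name: one known_hosts file per host key,
    # which keeps key rotation and auditing of trusted hosts per file.
    UserKnownHostsFile ~/.ssh/known_hosts.d/%k

Host bastion.example.com
    # FIDO key generated with:
    #   ssh-keygen -t ecdsa-sk -O resident -O verify-required \
    #              -f ~/.ssh/id_ecdsa_sk
    IdentityFile ${HOME}/.ssh/id_ecdsa_sk

# Environment, not a config directive: refuse askpass dialogs entirely
# (values: never, prefer, force), e.g. for non-interactive jobs.
#   export SSH_ASKPASS_REQUIRE=never

# ~/.ssh/authorized_keys on bastion.example.com (server side).
# verify-required makes sshd reject signatures from this key unless the
# token performed user verification (PIN) when signing.
# Key blob is a placeholder, not a real key.
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAA...PLACEHOLDER... alice@laptop
```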
The OpenSSH developers also reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes due to
To smooth the transition to the newer algorithms, the next OpenSSH release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to stronger algorithms. The recommended algorithms to migrate to are rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
Source: opennet.ru