OpenSSH 8.4 released

After four months of development, OpenSSH 8.4 has been released: an open client and server implementation of the SSH 2.0 and SFTP protocols.

Main changes:

  • Security changes:
    • In ssh-agent, when a FIDO key was not created for SSH authentication (its application ID does not start with the string "ssh:"), the agent now checks that the message it is asked to sign has one of the forms used by the SSH protocol. The change ensures that forwarding ssh-agent from a host with attached FIDO keys no longer lets the remote side use those keys to sign web authentication challenges (the converse case, a browser signing an SSH challenge, was already ruled out because no web relying party can have the "ssh:" prefix in its application string).
    • Resident key generation in ssh-keygen now enables the credProtect extension defined in the FIDO 2.1 specification, which adds protection for the key by requiring the PIN before any operation that could return the resident key from the token.
  • Changes that may break compatibility:
    • For FIDO/U2F support, libfido2 version 1.5.0 or later is recommended. Older versions are partially supported, but in that case resident keys, PIN prompts and multiple attached tokens will not work.
    • In ssh-keygen, the attestation information optionally recorded when a FIDO key is generated has changed format: it now includes the authenticator data needed to verify attestation signatures.
    • The API that OpenSSH uses to talk to the FIDO token middleware layer has changed.
    • Building portable OpenSSH now requires automake to regenerate the configure script and the accompanying build files (not needed when building from the published source tarball).
  • Added support in ssh and ssh-keygen for FIDO keys that require PIN verification. To generate such keys, ssh-keygen gained the "verify-required" option. When such a key is used, the user is asked to confirm the signing operation by entering the PIN before it is performed.
  • In sshd, the "verify-required" option can be set in authorized_keys to require that the token verified the user (the FIDO user-verification flag) while producing the signature. The FIDO standard allows several methods of such verification, but OpenSSH currently supports only PIN-based verification.
  • sshd and ssh-keygen can now verify signatures in the FIDO WebAuthn format, the standard for using FIDO keys from web browsers; these signatures differ slightly from plain FIDO signatures and need explicit support.
  • In ssh, the CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward and RemoteForward settings now substitute environment variables written in the form "${ENV}" (for LocalForward and RemoteForward this applies to Unix-domain socket paths).
  • ssh and ssh-agent support the new $SSH_ASKPASS_REQUIRE environment variable, which can be used to force or suppress the call to ssh-askpass.
  • In ssh_config, the AddKeysToAgent directive can now take a time limit for keys; after the limit expires, the keys are automatically removed from ssh-agent.
  • In scp and sftp, the "-A" flag explicitly enables ssh-agent forwarding (forwarding stays disabled by default).
  • Added the '%k' token in ssh settings, which expands to the HostKeyAlias if one is set, otherwise to the host name as given on the command line. It can be used to keep host keys in separate files (for example, "UserKnownHostsFile ~/.ssh/known_hosts.d/%k").
  • "ssh-add -d -" can now read the keys to be removed from stdin.
  • In sshd, the start and end of connection throttling controlled by the MaxStartups parameter are now logged.
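
As an added example (not code from OpenSSH or from the original article), here is the PIN-required FIDO workflow that the two "verify-required" items describe, together with an offline check of authorized_keys for FIDO keys that still lack the option. It assumes an OpenSSH 8.4 client with libfido2 1.5.0 or newer and a FIDO2 token with a PIN set for the key generation step; the audit needs only POSIX sh and awk, and the key file path, key comment and sample entries are made up for illustration.

```sh
#!/bin/sh
# Added example for this article; not code from OpenSSH or opennet.ru.
# Assumptions: OpenSSH 8.4+ client, libfido2 >= 1.5.0 and a FIDO2 token
# with a PIN set (gen_pin_key only); audit_authorized_keys needs only
# POSIX sh and awk. Paths and comments are illustrative.

# Client side: generate a key that the token will only use after its PIN.
#   -O verify-required  -> every signature prompts for the PIN
#   -O resident         -> credential is stored on the token; 8.4 ssh-keygen
#                          also sets credProtect, so the token will not
#                          return the credential without the PIN
gen_pin_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519_sk_pin}"   # assumed path
    ssh-keygen -t ed25519-sk -O verify-required -O resident \
        -f "$keyfile" -C "FIDO key, PIN required (added example)"
}

# Server side: the matching authorized_keys line must carry the
# verify-required option, otherwise a touch alone authenticates.
# Example entry (constructed, blob shortened):
#   verify-required sk-ssh-ed25519@openssh.com AAAAGnNr... user@host
#
# audit_authorized_keys FILE prints every FIDO (sk-*) key that lacks the
# option and returns 1 if any were found, 0 otherwise. Only the comma-
# separated options in front of the key type are examined.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        match($0, /sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com[ \t]/) {
            opts = substr($0, 1, RSTART - 1)         # options field, if any
            if (("," opts) !~ /,verify-required(,|[ \t]*$)/) {
                printf "%s:%d: FIDO key without verify-required: %s\n",
                       FILENAME, NR, substr($0, RSTART, RLENGTH - 1)
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# The hardware step is opt-in so the script is safe to run or source offline.
if [ "${RUN_TOKEN_DEMO:-0}" = 1 ]; then
    gen_pin_key
fi
```

Run with RUN_TOKEN_DEMO=1 to actually generate the key (the token prompts for its PIN and a touch); `audit_authorized_keys ~/.ssh/authorized_keys` works anywhere. Certificate key types (sk-...-cert-v01@openssh.com) are deliberately out of scope, since their options live in the certificate rather than in authorized_keys.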

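The client-side options from the list above, collected into one ~/.ssh/config fragment as an added example (not from the announcement). The socket paths, host names and durations are made up; the syntax is OpenSSH 8.4 ssh_config.

```ssh_config
# Added example ~/.ssh/config fragment (not from the article); paths,
# hosts and durations are illustrative. Specific hosts come first because
# ssh keeps the first value it finds for each keyword.

Host bastion
    HostName bastion.example.org
    # %k below expands to this alias, so ~/.ssh/known_hosts.d/bastion is used.
    HostKeyAlias bastion
    # "${ENV}" also applies to Unix-socket paths in forwards; here the local
    # gpg-agent socket is exposed on the remote host at a fixed path.
    RemoteForward /run/user/1000/gnupg/S.gpg-agent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent

Host *
    # "${ENV}" expansion is new in 8.4 for these keywords, so agent and
    # control sockets can follow the session's runtime directory.
    IdentityAgent ${XDG_RUNTIME_DIR}/ssh-agent.socket
    ControlPath ${XDG_RUNTIME_DIR}/ssh-ctl-%C
    ControlMaster auto
    # Keys added to the agent on first use are dropped again after one hour.
    AddKeysToAgent 1h
    # One known_hosts file per destination: %k is the HostKeyAlias when set,
    # otherwise the host name exactly as typed on the command line.
    UserKnownHostsFile ~/.ssh/known_hosts.d/%k

# Related environment variable (set in the shell, not in ssh_config):
#   SSH_ASKPASS_REQUIRE=force   always prompt via ssh-askpass, even on a tty
#   SSH_ASKPASS_REQUIRE=never   never call ssh-askpass
```
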
The OpenSSH developers also remind users of the upcoming deprecation of algorithms that use SHA-1 hashes, because chosen-prefix collision attacks have become considerably more efficient (the cost of finding such a collision is estimated at about 45 thousand dollars). In one of the coming releases they plan to disable by default the "ssh-rsa" public key signature algorithm, which is named in the original SSH protocol RFC and remains widespread in practice (to check whether ssh-rsa is still used for host authentication on your systems, try connecting with ssh and the option "-oHostKeyAlgorithms=-ssh-rsa": a server that offers only ssh-rsa will fail key exchange with "no matching host key type found").

To ease migration to newer algorithms, the next OpenSSH release will enable the UpdateHostKeys setting by default, which lets clients automatically learn a server's additional host keys and move to the stronger algorithms. The recommended alternatives are rsa-sha2-256/512 (RFC 8332 RSA signatures with SHA-2, supported since OpenSSH 7.2 and used by default; existing RSA keys keep working, only the signature algorithm changes), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 (RFC 5656 ECDSA, supported since OpenSSH 5.7).
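
The ssh-rsa check from the paragraph above, packaged as an added shell example that is not part of the OpenSSH release notes or the article: probe_host runs the "-oHostKeyAlgorithms=-ssh-rsa" connection test and interprets the result, and classify_hostkey_algs tags the SHA-1-signed host key algorithms in any algorithm list (for instance the hostkeyalgorithms line of `ssh -G host`). It assumes an OpenSSH client on PATH for the probe; the classifier runs offline with POSIX sh only, and the sample input shown in the comments is constructed.

```sh
#!/bin/sh
# Added example for this article; not part of the OpenSSH release notes.
# probe_host assumes an OpenSSH client (>= 7.2, so rsa-sha2-* exists) on
# PATH; classify_hostkey_algs needs only POSIX sh.

# Ask the server for host authentication with the SHA-1 "ssh-rsa" signature
# algorithm removed from the client's list. A server that offers only ssh-rsa
# fails key exchange with "no matching host key type found". Host key
# checking is disabled because this is a negotiation probe, not a session we
# rely on; the remote command is just "true" and BatchMode avoids prompts.
probe_host() {
    host="$1"
    err=$(ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes -oConnectTimeout=5 \
              -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no \
              "$host" true 2>&1 >/dev/null) && {
        echo "$host: OK (host key negotiated without ssh-rsa)"; return 0; }
    case "$err" in
        *"no matching host key type found"*)
            echo "$host: WEAK (server offers only ssh-rsa for host authentication)"
            return 1 ;;
        *"Permission denied"*)
            # key exchange succeeded; only user authentication failed
            echo "$host: OK (host key negotiated without ssh-rsa; not authenticated)"
            return 0 ;;
        *)
            echo "$host: UNKNOWN: $err"
            return 2 ;;
    esac
}

# Offline: read algorithm names (one per line or comma-separated, e.g. from
# `ssh -G host | awk '$1=="hostkeyalgorithms"{print $2}'` or `ssh -Q key`)
# and tag those whose signatures use SHA-1. Note the distinction the notes
# rely on: "ssh-rsa" the signature algorithm is going away, while RSA keys
# keep working through rsa-sha2-256/512 (RFC 8332), which are tagged ok here.
# Constructed sample input:  ssh-ed25519,ssh-rsa,rsa-sha2-512
classify_hostkey_algs() {
    tr ',' '\n' | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        case "$alg" in
            ssh-rsa|ssh-rsa-cert-v01@openssh.com|ssh-dss|ssh-dss-cert-v01@openssh.com)
                echo "$alg weak" ;;
            *)  echo "$alg ok" ;;
        esac
    done
}

# Network probe is opt-in: PROBE_HOST=user@server sh this_script.sh
if [ -n "${PROBE_HOST:-}" ]; then
    probe_host "$PROBE_HOST"
fi
```

A return value of 1 from probe_host means the server has no host key usable without SHA-1 signatures, so it needs an ed25519 or ECDSA host key (or a client that negotiates rsa-sha2-* for its existing RSA key) before the client default changes; 2 means the connection failed for some other reason and the output should be read by hand.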

Source: opennet.ru
