After five months of development, OpenSSH 8.5 has been released: an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.
The OpenSSH developers have reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, owing to the growing efficiency of chosen-prefix collision attacks (the cost of finding a collision is estimated at around $50 thousand). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice.
To check whether ssh-rsa is in use on your systems, you can try connecting over ssh with the option "-oHostKeyAlgorithms=-ssh-rsa". Disabling "ssh-rsa" digital signatures by default does not, however, mean abandoning RSA keys altogether, since the SSH protocol allows hash algorithms other than SHA-1 to be used. In particular, besides "ssh-rsa", the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations will remain usable.
To ease the migration to the new algorithms, OpenSSH 8.5 enables the UpdateHostKeys setting by default, which lets clients switch automatically to more reliable algorithms. With this setting, the special protocol extension "hostkeys-00@openssh.com" is enabled; it allows the server, after authentication, to inform the client of all the host keys it has available. The client can record these keys in its ~/.ssh/known_hosts file, which lets host keys be updated and makes it easier to change the keys on the server.
The use of UpdateHostKeys is limited by several caveats that may be lifted in the future: the key must be found in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be recorded under only one name; a host key certificate must not be in use; known_hosts entries with wildcard host name patterns must not be used; the VerifyHostKeyDNS setting must be disabled; and the UserKnownHostsFile option must be in effect.
The algorithms recommended for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5), and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
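As an added example (not code from the article or from OpenSSH), the following Python script audits a known_hosts file offline for the conditions described above: hosts that still have only an ssh-rsa key on record, which UpdateHostKeys can now supplement with an ed25519 or ECDSA key, and entries (wildcard patterns, certificate authorities, hashed names, the same key recorded under another name) that keep the automatic update from applying. The sample known_hosts content is constructed and the key blobs are truncated fakes.

```python
from collections import defaultdict

# Constructed sample known_hosts; the key blobs are truncated fakes.
SAMPLE_KNOWN_HOSTS = """\
legacy.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0
modern.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDm
modern.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFm
alias.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0
*.lab.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
@cert-authority *.corp.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGca
|1|salt=|hash= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQHh
"""

def parse_known_hosts(text):
    """Yield (marker, [hostnames], keytype, keyblob) for each key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line; ssh ignores these too
        yield marker, fields[0].split(","), fields[1], fields[2]

def audit_known_hosts(text):
    """Find hosts with only ssh-rsa keys and entries that block UpdateHostKeys."""
    types_by_host = defaultdict(set)
    lines_by_key = defaultdict(list)
    wildcard, cert_authority, hashed = [], [], 0
    for marker, hosts, keytype, blob in parse_known_hosts(text):
        if hosts[0].startswith("|1|"):
            hashed += 1  # hashed hostname: cannot be inspected offline
            continue
        if marker == "@cert-authority":
            cert_authority.extend(hosts)  # certificate CA, not a host key
            continue
        lines_by_key[(keytype, blob)].append(",".join(hosts))
        for host in hosts:
            if "*" in host or "?" in host:
                wildcard.append(host)
            types_by_host[host].add(keytype)
    return {
        "rsa_only": sorted(h for h, t in types_by_host.items() if t == {"ssh-rsa"}),
        "wildcard": wildcard,
        "cert_authority": cert_authority,
        "hashed_entries": hashed,
        # the same key on several lines means it "exists under another name"
        "duplicate_keys": [lines for lines in lines_by_key.values() if len(lines) > 1],
    }
```

Run `audit_known_hosts(open("~/.ssh/known_hosts").read())` against a real file to see which hosts should gain a non-RSA key after the next connection and which entries need cleaning up first.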
Other changes:
- Security changes:
  - A double-free vulnerability (freeing an already freed memory region) has been fixed in ssh-agent. The problem has existed since the OpenSSH 8.2 release and can be exploited if an attacker has access to the ssh-agent socket on the local system. Exploitation is made harder by the fact that only root and the original user have access to the socket. The most likely attack scenario is the agent being forwarded to an account controlled by the attacker, or to a host on which the attacker has root access.
  - sshd has added protection against passing excessively large user name parameters to the PAM subsystem, which helps block vulnerabilities in PAM (Pluggable Authentication Module) system modules. For example, the change prevents sshd from being used as a vector for exploiting the recently discovered root vulnerability in Solaris (CVE-2020-14871).
- Changes that may break compatibility:
  - In ssh and sshd, the experimental key exchange method that is resistant to brute-force search on a quantum computer has been reworked. Quantum computers are dramatically faster at solving the problem of factoring a natural number into primes, which underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and the X25519 elliptic-curve key exchange method. Instead of sntrup4591761x25519-sha512@tinyssh.org, the method is now identified as sntrup761x25519-sha512@openssh.com (the sntrup4591761 algorithm has been replaced by sntrup761).
  - In ssh and sshd, the order in which digital signature algorithms are advertised has changed. ED25519 is now offered first instead of ECDSA.
  - In ssh and sshd, the TOS/DSCP quality-of-service parameters for interactive sessions are now set before the TCP connection is established.
  - Support for the rijndael-cbc@lysator.liu.se cipher, which is identical to aes256-cbc and was used before RFC-4253 was approved, has been removed from ssh and sshd.
  - The CheckHostIP parameter is now disabled by default; its benefit is negligible, but its use makes key rotation considerably harder for hosts behind load balancers.
  - The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate of connection-start handlers based on the client address. These parameters allow finer control of the process-start limit than the general MaxStartups setting.
  - A new LogVerbose setting has been added to ssh and sshd, which lets you forcibly raise the level of debug information written to the log, with the ability to filter by patterns, functions and files.
  - In ssh, when a new host key is accepted, all host names and IP addresses associated with the key are displayed.
  - ssh allows the UserKnownHostsFile=none option to disable the use of the known_hosts file when identifying host keys.
  - The KnownHostsCommand setting has been added to ssh_config for ssh, which lets you obtain known_hosts data from the output of the specified command.
  - The PermitRemoteOpen option has been added to ssh_config for ssh to let you restrict the destination when using the RemoteForward option with SOCKS.
  - In ssh, for FIDO keys, the PIN is requested again if a digital signature operation fails because of an incorrect PIN and the user was not prompted for the PIN (for example, when valid biometric data could not be obtained and the device fell back to manual PIN entry).
  - sshd adds support for additional system calls to the seccomp-bpf-based isolation mechanism on Linux.
  - The contrib/ssh-copy-id utility has been updated.
Source: opennet.ru