OpenSSH 8.5 release

After five months of development, the release of OpenSSH 8.5, an open implementation of a client and server for the SSH 2.0 and SFTP protocols, has been published.

The OpenSSH developers reminded users of the upcoming deprecation of algorithms that use SHA-1 hashes, because of the growing effectiveness of chosen-prefix collision attacks (the cost of finding a collision is estimated at roughly $50 thousand). In one of the upcoming releases they plan to disable by default the "ssh-rsa" public-key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and is still widely used in practice.

To test whether ssh-rsa is used on your systems, you can try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa". At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since besides SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, in addition to "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.

To smooth the transition to the new algorithms, OpenSSH 8.5 has the UpdateHostKeys setting enabled by default, which lets clients switch automatically to more reliable algorithms. With this setting, the special protocol extension "hostkeys-00@openssh.com" is enabled, which allows the server, after authentication, to inform the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to change keys on the server.

Use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; a host key certificate must not be used; hashed host names in known_hosts must not be used; the VerifyHostKeyDNS setting must be disabled; the UserKnownHostsFile parameter must be enabled.
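The two checks above (finding hosts for which only an RSA host key is stored, and spotting the known_hosts and ssh_config conditions that keep UpdateHostKeys from acting) can be scripted against local files. The following is an added example written for this article, not OpenSSH project code. The known_hosts lines, the ssh_config fragments and the key blobs are constructed placeholders, and the ssh_config parser handles only a flat global section (no Host/Match stanzas), which is an assumption of the example.

```python
"""Audit a known_hosts file and ssh_config against the OpenSSH 8.5 notes.

Added example for this article; not OpenSSH project code. The known_hosts
lines, config text and key blobs below are constructed placeholders.
Host/Match stanzas in ssh_config are not handled: pass a flat global section.
"""
from collections import defaultdict

# Constructed sample known_hosts (key blobs are placeholders, not real keys).
KNOWN_HOSTS = """\
# legacy host: only an RSA host key is known
legacy.example.com ssh-rsa AAAAplaceholderRsaA
modern.example.com ssh-ed25519 AAAAplaceholderEd25519A
modern.example.com ssh-rsa AAAAplaceholderRsaB
multi.example.com,10.0.0.5 ecdsa-sha2-nistp256 AAAAplaceholderEcdsaA
|1|placeholderSalt=|placeholderHash= ssh-ed25519 AAAAplaceholderEd25519B
@cert-authority *.corp.example.com ssh-ed25519 AAAAplaceholderEd25519CA
alias.example.com ssh-rsa AAAAplaceholderRsaA
"""

# Constructed ssh_config fragments: one that blocks UpdateHostKeys, one that does not.
SSH_CONFIG_BLOCKING = """\
VerifyHostKeyDNS yes
UserKnownHostsFile ~/.ssh/known_hosts
"""
SSH_CONFIG_OK = """\
UpdateHostKeys yes
VerifyHostKeyDNS no
"""


def parse_known_hosts(text):
    """Return one dict per key line: marker, names, keytype, blob, hashed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):          # @cert-authority / @revoked marker
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed line: skip rather than guess
        hostfield, keytype, blob = parts[0], parts[1], parts[2]
        hashed = hostfield.startswith("|1|")
        names = [hostfield] if hashed else hostfield.split(",")
        entries.append({"marker": marker, "names": names, "keytype": keytype,
                        "blob": blob, "hashed": hashed})
    return entries


def parse_ssh_config(text):
    """Flat ssh_config parser: keyword (case-insensitive) -> value, first wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            options.setdefault(parts[0].lower(), parts[1].strip())
    return options


def rsa_only_hosts(entries):
    """Hosts whose only stored host keys are of type ssh-rsa.

    Such a host keeps working after the ssh-rsa *signature* is disabled as
    long as its server offers rsa-sha2-256/512: the known_hosts key type
    records the key, not the signature algorithm negotiated for it."""
    by_host = defaultdict(set)
    for e in entries:
        if e["marker"] or e["hashed"]:
            continue
        for n in e["names"]:
            by_host[n].add(e["keytype"])
    return sorted(h for h, types in by_host.items() if types == {"ssh-rsa"})


def update_hostkeys_blockers(entries, ssh_config_text):
    """Report the release-note preconditions that keep UpdateHostKeys from
    acting: VerifyHostKeyDNS enabled, UserKnownHostsFile none, hashed names,
    certificate host keys, and one key stored under more than one name."""
    opts = parse_ssh_config(ssh_config_text)
    names_by_blob = defaultdict(set)
    for e in entries:
        if not e["marker"] and not e["hashed"]:
            names_by_blob[e["blob"]].update(e["names"])
    return {
        "verify_host_key_dns": opts.get("verifyhostkeydns", "no").lower() == "yes",
        "user_known_hosts_disabled": opts.get("userknownhostsfile", "").lower() == "none",
        "hashed_entries": [e["blob"] for e in entries if e["hashed"]],
        "cert_authority_entries": [e["names"] for e in entries if e["marker"] == "@cert-authority"],
        "multi_name_keys": {b: sorted(n) for b, n in names_by_blob.items() if len(n) > 1},
    }


if __name__ == "__main__":
    ents = parse_known_hosts(KNOWN_HOSTS)
    print("RSA-only hosts:", rsa_only_hosts(ents))
    for label, cfg in (("blocking", SSH_CONFIG_BLOCKING), ("ok", SSH_CONFIG_OK)):
        print(label, update_hostkeys_blockers(ents, cfg))
```

Running it on a real ~/.ssh/known_hosts and ~/.ssh/config in place of the constructed samples gives a list of hosts whose stored key would never be replaced by an Ed25519 key without manual action, together with the reasons. The "host,ip" form produced by the old CheckHostIP default is reported as a key under two names, in line with the caveat that the key must be present under only one name.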

The recommended algorithms for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

Other changes:

  • Security changes:
    • A double-free vulnerability (freeing an already freed memory region) has been fixed in ssh-agent. The problem has existed since the OpenSSH 8.2 release and can be exploited if an attacker has access to the ssh-agent socket on the local system. Exploitation is made harder by the fact that only root and the original user can access the socket. The most likely attack scenario is the agent being forwarded to an account controlled by the attacker, or to a host where the attacker has root access.
    • sshd added protection against passing very large parameters together with the user name to the PAM subsystem, which lets you block vulnerabilities in PAM (Pluggable Authentication Module) system modules. For example, the change prevents sshd from being used as a vector to exploit the recently discovered root vulnerability in Solaris (CVE-2020-14871).
  • Changes that may break compatibility:
    • In ssh and sshd, the experimental key exchange method resistant to brute force on a quantum computer has been reworked. Quantum computers are dramatically faster at factoring a natural number into primes, the problem that underlies modern asymmetric encryption algorithms and cannot be solved efficiently on classical processors. The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and on the X25519 elliptic-curve key exchange method. Instead of sntrup4591761x25519-sha512@tinyssh.org, the method is now identified as sntrup761x25519-sha512@openssh.com (the sntrup4591761 algorithm has been replaced by sntrup761).
    • In ssh and sshd, the order in which digital signature algorithms are advertised has changed. ED25519 is now offered first instead of ECDSA.
    • In ssh and sshd, the TOS/DSCP quality-of-service parameters for interactive sessions are now set before the TCP connection is established.
    • Support for the rijndael-cbc@lysator.liu.se cipher, which is equivalent to aes256-cbc and was used before RFC 4253 was approved, has been discontinued in ssh and sshd.
    • The CheckHostIP parameter is now disabled by default; its benefit is negligible, but its use makes key rotation significantly harder for hosts behind load balancers.
  • The PerSourceMaxStartups and PerSourceNetBlockSize settings have been added to sshd to limit the rate at which handlers are started, based on the client address. These parameters allow finer control over the limit on process launches than the general MaxStartups setting.
  • A new LogVerbose setting has been added to ssh and sshd, which allows you to forcibly raise the level of debugging information written to the log, with the ability to filter by templates, functions and files.
  • In ssh, when accepting a new host key, all host names and IP addresses associated with the key are displayed.
  • ssh allows the UserKnownHostsFile=none option to disable the use of the known_hosts file when identifying host keys.
  • The KnownHostsCommand setting has been added to ssh_config for ssh, allowing known_hosts data to be obtained from the output of the specified command.
  • The PermitRemoteOpen option has been added to ssh_config for ssh, allowing you to restrict the destination when using the RemoteForward option with SOCKS.
  • In ssh, for FIDO keys, a repeated PIN prompt is issued if the digital signature operation fails because of an incorrect PIN and the user was not prompted for the PIN (for example, when valid biometric data could not be obtained and the device fell back to manual PIN entry).
  • sshd added support for additional system calls to the seccomp-bpf-based isolation mechanism on Linux.
  • The contrib/ssh-copy-id utility has been updated.

Source: opennet.ru
