After four months of development, OpenSSH 8.7 has been released, an open implementation of a client and server for the SSH 2.0 and SFTP protocols.
Main changes:
- An experimental transfer mode has been added to scp that uses the SFTP protocol instead of the traditional SCP/RCP protocol. SFTP handles file names more predictably and does not rely on shell expansion of glob patterns on the remote host's side, which has been a source of security problems. To enable SFTP in scp the "-s" flag is proposed, and in the future this mode is planned to become the default.
- sftp-server implements extensions to the SFTP protocol for expanding ~/ and ~user/ paths, which scp requires.
- The scp utility has changed its behaviour when copying files between two remote hosts (for example, "scp host-a:/path host-b:"): the copy is now routed by default through the local host as an intermediary, as when the "-3" flag is specified. This avoids passing credentials to the first host unnecessarily and avoids the triple interpretation of file names by the shell (on the source, the destination and the local system), and when SFTP is used it allows all authentication methods to be used when accessing the remote hosts, not only non-interactive ones. The "-R" option has been added to restore the old behaviour.
- Added the ForkAfterAuthentication setting to ssh, corresponding to the "-f" flag.
- Added the StdinNull setting to ssh, corresponding to the "-n" flag.
- Added the SessionType setting to ssh, which can set the modes corresponding to the "-N" (no session) and "-s" (subsystem) flags.
- ssh-keygen allows the validity interval to be specified in key files.
- Added the "-Oprint-pubkey" flag to ssh-keygen to print the full public key as part of an sshsig signature.
- In ssh and sshd, both the client and the server have been switched to a stricter configuration file parser that applies shell-like rules for handling quotes, spaces and escape characters. The new parser no longer tolerates previously accepted sloppiness such as omitted option arguments (for example, the DenyUsers directive can no longer be left empty), unclosed quotes, and multiple = characters.
- When SSHFP DNS records are used to verify keys, ssh now checks all matching records, not only those carrying a particular digital signature type.
- In ssh-keygen, when generating a FIDO key with the -Ochallenge option, the built-in hashing implementation is now used instead of libfido2, which allows challenge sequences larger or smaller than 32 bytes.
- In sshd, when processing environment="..." directives in authorized_keys files, the first match is now accepted, and a limit of 1024 environment variable names is enforced.
The OpenSSH developers also warned about the weakening of algorithms based on SHA-1 hashes, given the increasing efficiency of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 50 thousand dollars). In a future release it is planned to disable by default the "ssh-rsa" public key digital signature algorithm, which was mentioned in the original RFC for the SSH protocol and is still widely used in practice.
To check whether ssh-rsa is in use on your systems, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. At the same time, disabling "ssh-rsa" digital signatures by default does not mean abandoning RSA keys altogether, since besides SHA-1 the SSH protocol allows other hash algorithms to be used. In particular, in addition to "ssh-rsa", it will remain possible to use the "rsa-sha2-256" (RSA/SHA256) and "rsa-sha2-512" (RSA/SHA512) combinations.
To smooth the transition to new algorithms, OpenSSH previously enabled the UpdateHostKeys setting by default, which allows clients to switch automatically to more reliable algorithms. With this setting, the special protocol extension "hostkeys-00@openssh.com" is enabled, which allows the server, after authentication, to inform the client about all the host keys it has available. The client can record these keys in its ~/.ssh/known_hosts file, which allows host keys to be updated and makes it easier to change keys on the server.
The use of UpdateHostKeys is limited by several caveats that may be removed in the future: the key must be present in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be listed under only one name; a host key certificate must not be in use; known_hosts masks by host name must not be in use; the VerifyHostKeyDNS setting must be disabled; the UserKnownHostsFile parameter must be active.
Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384 based on RFC5656 ECDSA (supported since OpenSSH 5.7).
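The ssh-rsa probe from the release notes and the UpdateHostKeys caveats above, as an added example that is not part of the OpenSSH release notes: a small POSIX shell audit of a known_hosts file. It lists the hosts whose recorded key type is ssh-rsa (an RSA key, which may still sign with rsa-sha2-256/512; only the live probe tells whether the server depends on SHA-1) and counts the wildcard entries that UpdateHostKeys will not refresh. The sample known_hosts content and its key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project. Audits known_hosts entries
# ahead of the planned ssh-rsa (RSA/SHA-1) deprecation.

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS='# constructed sample
host-a.example,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EFAKE
host-b.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE
@cert-authority *.example ssh-rsa AAAAB3NzaC1yc2EFAKECA
[host-c.example]:2222 ssh-rsa AAAAB3NzaC1yc2EFAKE2
*.lab.example ecdsa-sha2-nistp256 AAAAE2VjZHNhFAKE'

# Print the host field of every entry whose key type is ssh-rsa, one per line.
# Lines with a leading @marker (for example @cert-authority) are shifted by one
# column, so the host and key type are taken from columns 2 and 3 there.
rsa_key_hosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        { h = $1; t = $2; if ($1 ~ /^@/) { h = $2; t = $3 } }
        t == "ssh-rsa" { print h }'
}

# Count entries whose host field is a wildcard mask: UpdateHostKeys does not
# refresh such entries, so they must be re-keyed by hand.
wildcard_entry_count() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        { h = $1; if ($1 ~ /^@/) h = $2 }
        h ~ /[*?]/ { n++ }
        END { print n + 0 }'
}

# Live probe from the release notes: connect with ssh-rsa removed from the
# client's HostKeyAlgorithms. Exit status 0 means the host can be verified with
# a non-SHA-1 algorithm; an error such as "no matching host key type found"
# means the server still depends on ssh-rsa. Needs network access, so it is
# not run by the offline checks below.
probe_without_sshrsa() {
    ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes -oConnectTimeout=5 "$1" true
}

echo "hosts recorded with an ssh-rsa key:"
rsa_key_hosts "$SAMPLE_KNOWN_HOSTS"
echo "wildcard entries (not refreshed by UpdateHostKeys): $(wildcard_entry_count "$SAMPLE_KNOWN_HOSTS")"
```

Run it against a real file with `rsa_key_hosts "$(cat ~/.ssh/known_hosts)"`, then probe each listed host with `probe_without_sshrsa host`.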
Source: opennet.ru