ProHoster > Блог > izindaba ze-inthanethi > Ukukhishwa kwe-OpenSSH 8.9 nokususwa kokuba sengozini ku-sshd

Ukukhishwa kwe-OpenSSH 8.9 nokususwa kokuba sengozini ku-sshd

Ngemva kwezinyanga eziyisithupha zokuthuthukiswa, ukukhishwa kwe-OpenSSH 8.9, ukuqaliswa okuvulekile kweklayenti kanye neseva yokusebenza phezu kwezivumelwano ze-SSH 2.0 ne-SFTP, kwethulwa. Inguqulo entsha ye-sshd ilungisa ukuba sengozini okungase kuvumele ukufinyelela okungagunyaziwe. Inkinga ibangelwa ukuchichima kwenombolo ephelele kukhodi yokuqinisekisa, kodwa ingasetshenziswa kuphela ngokuhlanganiswa namanye amaphutha anengqondo kukhodi.

Ngendlela yakhona, ubungozi abukwazi ukusetshenziswa uma imodi yokuhlukaniswa kwelungelo inikwe amandla, njengoba ukuvezwa kwayo kuvinjwe ukuhlola okuhlukene okwenziwa ngekhodi yokulandela yokuhlukaniswa kwelungelo. Imodi yokuhlukanisa amalungelo inikwe amandla ngokuzenzakalela kusukela ngo-2002 kusukela ku-OpenSSH 3.2.2, futhi ibiyisibopho kusukela kwakhululwa i-OpenSSH 7.5 eyashicilelwa ngo-2017. Ngaphezu kwalokho, ezinguqulweni eziphathwayo ze-OpenSSH eziqala ngokukhishwa okungu-6.5 (2014), ukuba sengozini kuvinjwe ukuhlanganiswa nokufakwa kwamafulegi okuvikela ukuchichima okuphelele.

Ezinye izinguquko:

  • Inguqulo ephathekayo ye-OpenSSH ku-sshd isuse ukusekela komdabu kwamaphasiwedi e-hashing kusetshenziswa i-algorithm ye-MD5 (ivumela ukuxhumanisa nemitapo yolwazi yangaphandle njenge-libxcrypt ukuthi ibuye).
  • ssh, sshd, ssh-add kanye ne-ssh-ejenti zisebenzisa uhlelo olungaphansi lokukhawulela ukudluliswa nokusetshenziswa kokhiye abangezwe kumenzeli we-ssh. Isistimu engaphansi ikuvumela ukuthi usethe imithetho enquma ukuthi okhiye bangasetshenziswa kanjani futhi kuphi ku-ejenti ye-ssh. Isibonelo, ukwengeza ukhiye ongasetshenziswa kuphela ukuqinisekisa uma noma yimuphi umsebenzisi exhuma kumsingathi scylla.example.org, umsebenzisi perseus kumsingathi cetus.example.org, kanye ne-medea yomsebenzisi kumsingathi charybdis.example.org ngokuqondiswa kabusha ngomsingathi ophakathi scylla.example.org, ungasebenzisa umyalo olandelayo: $ungakwazi ukusebenzisa umyalo olandelayo: "perseus@cetus.example.org" \ -h "scylla.example.org" \ -h "scylla.example.org>medea@charybdis.example.org" \ ~/.ssh/id_ed25519
  • Ku-ssh ne-sshd, i-algorithm ye-hybrid "sntrup761x25519-sha512@openssh.com" (ECDH/x25519 + NTRU Prime), imelana namandla anonya kumakhompyutha we-quantum, yengezwe ngokuzenzakalelayo kuhlu lwe-KexAlgorithms, olunquma ukuhleleka kokukhetha izindlela zokushintshanisa ukhiye. Ku-OpenSSH 8.9, le ndlela yezingxoxo yengezwe phakathi kwe-ECDH kanye nezindlela ze-DH, kodwa ihlelelwe ukuthi isetshenziswe ngokuzenzakalelayo ekukhishweni okulandelayo.
  • I-ssh-keygen, ssh, kanye ne-ssh-ejenti zithuthukise ukuphathwa kokhiye bethokheni ye-FIDO abasetshenziselwa ukuqinisekiswa kwedivayisi, okuhlanganisa okhiye bokuqinisekisa i-biometric.
  • Kwengezwe umyalo othi "ssh-keygen -Y match-principals" ku-ssh-keygen ukuhlola amagama abasebenzisi kufayela lohlu oluvunyelwe.
  • I-ssh-add kanye ne-ssh-ejenti inikeza ikhono lokwengeza okhiye be-FIDO abavikelwe yikhodi ye-PIN ku-ejenti ye-ssh (isicelo se-PIN siboniswa ngesikhathi sokufakazela ubuqiniso).
  • I-ssh-keygen ivumela ukukhetha kwe-algorithm ye-hashing (sha512 noma sha256) ngesikhathi sokukhiqiza isiginesha.
  • Ku-ssh naku-sshd, ukuze kuthuthukiswe ukusebenza, idatha yenethiwekhi ifundwa ngokuqondile ku-buffer yamaphakethe angenayo, kudlule ukugcina kumthamo omaphakathi kusitaki. Ukubekwa okuqondile kwedatha eyamukelwe kusigcinalwazi sesiteshi kusetshenziswa ngendlela efanayo.
  • Ku-ssh, isiyalelo sokuqinisekiswa kwe-PubkeyAuthentication sinwebe uhlu lwamapharamitha asekelwayo (yebo|cha|akubophekile|okubophezelekile) ukuze unikeze amandla okukhetha isandiso sephrothokholi esizosetshenziswa.

Ekukhishweni kwesikhathi esizayo, i-scp utility ihlelwe ukuthi ishintshele ku-SFTP ngokuzenzakalelayo, ithathe indawo yephrothokholi ye-SCP/RCP endala. I-SFTP isebenzisa izindlela zokuphatha amagama ezingalindeleka kakhulu futhi igwema ukuphathwa kwamaphethini e-glob okuvame ukuvikeleka kumagama wamafayela ngegobolondo kwelinye i-host. Ngokukhethekile, uma usebenzisa i-SCP ne-RCP, iseva inquma ukuthi yimaphi amafayela nezinhlu zemibhalo okufanele zithunyelwe kuklayenti, kuyilapho iklayenti lihlola kuphela amagama ezinto ezibuyiselwe ukuthi alungile yini. Lokhu kuvumela ukwephulwa kokuphepha uma ukuhlolwa okufanele kungenziwa ohlangothini lweklayenti. iseva Dlulisa amagama efayela ngaphandle kwalawo aceliwe. Iphrothokholi ye-SFTP ayinazo lezi zinkinga, kodwa ayisekeli ukunwetshwa kwezindlela ezikhethekile ezifana ne-"~/." Ukuze kuxazululwe lo mehluko, kwaphakanyiswa isandiso esisha sephrothokholi ye-SFTP sokwandisa izindlela ze-~/ kanye ne-~user/ ekukhishweni kwangaphambilini kwe-OpenSSH kokuqaliswa kweseva ye-SFTP.

Source: opennet.ru

Thenga ukusingathwa okuthembekile kwamasayithi anokuvikelwa kwe-DDoS, amaseva e-VPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekile ngokuvikelwa kwe-DDoS, amaseva e-VPS VDS | ProHoster