Ngemva kwezinyanga eziyisithupha zokuthuthukiswa, ukukhishwa kwe-OpenSSH 8.9, ukuqaliswa okuvulekile kweklayenti kanye neseva yokusebenza phezu kwezivumelwano ze-SSH 2.0 ne-SFTP, kwethulwa. Inguqulo entsha ye-sshd ilungisa ukuba sengozini okungase kuvumele ukufinyelela okungagunyaziwe. Inkinga ibangelwa ukuchichima kwenombolo ephelele kukhodi yokuqinisekisa, kodwa ingasetshenziswa kuphela ngokuhlanganiswa namanye amaphutha anengqondo kukhodi.
Ngendlela yakhona, ubungozi abukwazi ukusetshenziswa uma imodi yokuhlukaniswa kwelungelo inikwe amandla, njengoba ukuvezwa kwayo kuvinjwe ukuhlola okuhlukene okwenziwa ngekhodi yokulandela yokuhlukaniswa kwelungelo. Imodi yokuhlukanisa amalungelo inikwe amandla ngokuzenzakalela kusukela ngo-2002 kusukela ku-OpenSSH 3.2.2, futhi ibiyisibopho kusukela kwakhululwa i-OpenSSH 7.5 eyashicilelwa ngo-2017. Ngaphezu kwalokho, ezinguqulweni eziphathwayo ze-OpenSSH eziqala ngokukhishwa okungu-6.5 (2014), ukuba sengozini kuvinjwe ukuhlanganiswa nokufakwa kwamafulegi okuvikela ukuchichima okuphelele.
Ezinye izinguquko:
- Inguqulo ephathekayo ye-OpenSSH ku-sshd isuse ukusekela komdabu kwamaphasiwedi e-hashing kusetshenziswa i-algorithm ye-MD5 (ivumela ukuxhumanisa nemitapo yolwazi yangaphandle njenge-libxcrypt ukuthi ibuye).
- ssh, sshd, ssh-add kanye ne-ssh-ejenti sebenzisa uhlelo olungaphansi ukuze lukhawulele ukudlulisela kanye nokusetshenziswa kokhiye abangezwe kumenzeli we-ssh. Isistimu engaphansi ikuvumela ukuthi usethe imithetho enquma ukuthi okhiye bangasetshenziswa kanjani futhi kuphi ku-ejenti ye-ssh. Isibonelo, ukwengeza ukhiye ongasetshenziswa kuphela ukuqinisekisa noma yimuphi umsebenzisi oxhuma kumsingathi scylla.example.org, umsebenzisi perseus kumsingathi cetus.example.org, kanye nomsebenzisi medea kumsingathi charybdis.example.org ngokuqondisa kabusha nge-intermediate host scylla.example.org, ungasebenzisa umyalo olandelayo: $ ssh-add -h "[i-imeyili ivikelwe]" \ -h "scylla.example.org" \ -h "scylla.example.org>[i-imeyili ivikelwe]\ ~/.ssh/id_ed25519
- Ku-ssh naku-sshd, i-algorithm ye-hybrid yengezwe ngokuzenzakalelayo kuhlu lwe-KexAlgorithms, olunquma indlela okukhethwa ngayo izindlela zokushintshanisa ezibalulekile.[i-imeyili ivikelwe]"(ECDH/x25519 + NTRU Prime), imelana nokukhethwa kumakhompyutha we-quantum. Ku-OpenSSH 8.9, le ndlela yezingxoxo yengezwe phakathi kwe-ECDH kanye nezindlela ze-DH, kodwa ihlelelwe ukuthi inikwe amandla ngokuzenzakalela ekukhishweni okulandelayo.
- I-ssh-keygen, ssh, kanye ne-ssh-ejenti zithuthukise ukuphathwa kokhiye bethokheni ye-FIDO abasetshenziselwa ukuqinisekiswa kwedivayisi, okuhlanganisa okhiye bokuqinisekisa i-biometric.
- Kwengezwe umyalo othi "ssh-keygen -Y match-principals" ku-ssh-keygen ukuhlola amagama abasebenzisi kufayela lohlu oluvunyelwe.
- I-ssh-add kanye ne-ssh-ejenti inikeza ikhono lokwengeza okhiye be-FIDO abavikelwe yikhodi ye-PIN ku-ejenti ye-ssh (isicelo se-PIN siboniswa ngesikhathi sokufakazela ubuqiniso).
- I-ssh-keygen ivumela ukukhetha kwe-algorithm ye-hashing (sha512 noma sha256) ngesikhathi sokukhiqiza isiginesha.
- Ku-ssh naku-sshd, ukuze kuthuthukiswe ukusebenza, idatha yenethiwekhi ifundwa ngokuqondile ku-buffer yamaphakethe angenayo, kudlule ukugcina kumthamo omaphakathi kusitaki. Ukubekwa okuqondile kwedatha eyamukelwe kusigcinalwazi sesiteshi kusetshenziswa ngendlela efanayo.
- Ku-ssh, isiyalelo sokuqinisekiswa kwe-PubkeyAuthentication sinwebe uhlu lwamapharamitha asekelwayo (yebo|cha|akubophekile|okubophezelekile) ukuze unikeze amandla okukhetha isandiso sephrothokholi esizosetshenziswa.
Ekukhishweni okuzayo, sihlela ukushintsha okuzenzakalelayo kwensiza ye-scp ukuze isebenzise i-SFTP esikhundleni sephrothokholi ye-SCP/RCP yefa. I-SFTP isebenzisa izindlela zokuphatha amagama ezibikezelwe kakhudlwana futhi ayisebenzisi ukucutshungulwa kwegobolondo lamaphethini eglobhu emagameni wefayela ngakolunye uhlangothi lomsingathi, okudala izinkinga zokuphepha. Ikakhulukazi, lapho kusetshenziswa i-SCP ne-RCP, iseva inquma ukuthi yimaphi amafayela nezinkomba okufanele zithunyelwe kuklayenti, futhi iklayenti lihlola kuphela ukunemba kwamagama ezinto ezibuyisiwe, okuthi, lapho kungabikho amasheke afanele ohlangothini lweklayenti, avumele iseva ukudlulisa amanye amagama amafayela ahlukile kulawo aceliwe. Iphrothokholi ye-SFTP ayinazo lezi zinkinga, kodwa ayisekeli ukunwetshwa kwezindlela ezikhethekile njengokuthi β~/β. Ukuze kubhekwane nalo mehluko, kuphakanyiswe isandiso esisha kuphrothokholi ye-SFTP ekukhishweni kwangaphambilini kwe-OpenSSH ekusetshenzisweni kweseva ye-SFTP ukuze kunwetshwe ~/ kanye ~umsebenzisi/ izindlela.
Source: opennet.ru