Ukukhishwa kwe-OpenSSH 9.8 kushicilelwe, ukuqaliswa okuvulekile kweklayenti neseva ngokusebenza kusetshenziswa izivumelwano ze-SSH 2.0 kanye ne-SFTP. Ngokungeziwe ekulungiseni ukuba sengozini okumenyezelwe ngokwehlukana okubalulekile (CVE-2024-6387), okuvumela ukwenziwa kwekhodi okukude ngamalungelo ezimpande esigabeni sokuqinisekisa kwangaphambilini, inguqulo entsha ilungisa okunye ubungozi obungeyona ingozi futhi iphakamisa izinguquko ezibalulekile ezimbalwa ezihloselwe ukuthuthukisa ukuphepha.
Ukuba sengozini kwesibili kukuvumela ukuthi udlule isivikelo esingezwe ku-OpenSSH 9.5 ngokumelene nokuhlaselwa kwesiteshi esiseceleni okuhlaziya ukubambezeleka phakathi kwama-keystrokes kukhibhodi ukuze udale kabusha okokufaka. Ukuba sengozini kusivumela ukuthi sihlukanise amaphakethe adala umsebenzi wangemuva ngokulingisa okhiye abayinganekwane kusukela kumaphakethe athunyelwe uma okhiye bangempela becindezelwa, okunciphisa ukusebenza kahle kwendlela yokufihla izici zokufakwayo okusebenzisanayo kuthrafikhi nge-ssh. Idatha ye-Keystroke inika amandla ukuhlasela okudala kabusha okokufaka ngokuhlaziya ukubambezeleka phakathi kokuchofoza kokhiye ngenkathi uthayipha, okuncike ekuhlelweni kokhiye kukhibhodi (ngokwesibonelo, impendulo lapho uthayipha uhlamvu “F” ishesha kunalapho uthayipha okuthi “Q” noma “ X”, ngakho ukucindezela kudinga ukunyakaza kweminwe okuncane).
Ngaphezu kwalokho, kuvele ukuthi i-algorithm esetshenzisiwe yokuthumela amaphakethe ngokuchofoza kwangempela nokungamanga kunciphise ukwethembeka kwenye indlela yokuvikela ekuhlaselweni kwesiteshi eseceleni. Selokhu kwakhululwa
I-OpenSSH 2.9.9 isifiso kuthunyelwe amaphakethe aqukethe izinkinobho zokufaka ze-dummy zokufaka i-console kwimodi ye-echo-off, esetshenziswa, isibonelo, lapho kufakwa amaphasiwedi ku-su noma ku-sudo. I-logic entsha yokuthumela amaphakethe e-dummy ivumele ukuhlaziywa kwethrafikhi engasebenzi ukuhlukanisa amaphakethe aqukethe izinkinobho zangempela kwimodi ye-echo-off yokuhlaziywa okuhlukile. Kodwa-ke, ukunemba kolwazi lwesikhathi se-keystroke kunqunyelwe, ngoba ngemva kokuthayipha, amaphakethe awathunyelwa ngokushesha, kodwa ngezikhawu ezihleliwe (20 ms ngokuzenzakalelayo).
Ezinye izinguquko ku-OpenSSH 9.8:
- Esigabeni sokwakha, usekelo lwamasiginesha edijithali olususelwe ku-algorithm ye-DSA lukhutshazwa ngokuzenzakalela. Ukuqaliswa kwe-DSA kuzosuswa kusisekelo sekhodi ekuqaleni kuka-2025. Isizathu sokususwa sibalulwe njengezinga lokuvikela ku-DSA elingahlangabezani nezimfuneko zesimanje. Izindleko zokuqhubeka nokugcina i-algorithm ye-DSA engavikelekile ayifaneleki, futhi ukususwa kwayo kuzokhuthaza ukuhoxiswa kosekelo lwe-DSA kokunye ukusetshenziswa kwe-SSH namalabhulali e-cryptographic.
- Ukuze kuvikelwe kakhulu ezindleleni zokuxhashazwa ezidinga ukuxhumana okuningi ku-sshd, kusetshenziswe imodi entsha yokuvikela futhi yavulwa ngokuzenzakalelayo. Le modi futhi isiza ukuvimba ukuhlaselwa kokuqagela iphasiwedi okuzenzakalelayo, lapho ama-bot ezama ukuqagela iphasiwedi yomsebenzisi ngokuzama inhlanganisela ehlukahlukene evamile. Lokhu kuvikela kusetshenziswa ngokuvimba. Amakheli e-IP, eqopha inani elikhulu lemizamo yokuxhumeka ehlulekile, i-sshd iqapha isimo sokuqedwa kwezinqubo zezingane, ithola izimo lapho ukuqinisekiswa kwehlulekile noma inqubo iqedwe ngendlela engavamile ngenxa yokuphahlazeka. Uma umkhawulo othile udluliwe, uqala ukuvimba izicelo ezivela kuma-IP noma ama-subnet anenkinga. Amapharamitha e-PerSourcePenalties, i-PerSourceNetBlockSize, kanye ne-PerSourcePenaltyExemptList ayatholakala ukuze kulungiselelwe umkhawulo wokuvimba, imaski ye-subnet yokuvimba, kanye nohlu lokukhipha.
- sshd ihlukaniswe yaba amafayela amaningana ahlukene asebenzisekayo. Inqubo ye-sshd-session yabelwe kusuka ku-sshd ukwenza imisebenzi ehlobene nokucutshungulwa kweseshini. Inqubo ye-sshd igcina imisebenzi enesibopho sokwamukela ukuxhumana kwenethiwekhi, ukuhlola izilungiselelo, ukulayisha okhiye bokusingatha, nokuphatha izinqubo zokuqalisa ngokuhambisana nepharamitha ye-MaxStartups. Ngakho, i-sshd esebenzisekayo manje iqukethe ubuncane bokusebenza obudingekayo ukuze wamukele uxhumano lwenethiwekhi entsha futhi uqale i-sshd-session ukuze uphathe iseshini.
- Umbhalo weminye imilayezo yephutha ebhalwe kulogi ushintshile. Ikakhulukazi, inani lemilayezo manje selithunyelwa ngaphansi kwegama lenqubo ye-"sshd-session" kune-"sshd".
- Insiza ye-ssh-keyscan manje ikhipha inguqulo yephrothokholi nolwazi lwegama lomethuleli ekusakazeni okujwayelekile esikhundleni se-STDERR. Ukukhubaza okukhiphayo, inketho ethi “-q” iyaphakanyiswa.
- Nge-ssh, kungenzeka ukukhubaza ukubuyisela emuva kusukela ekusebenziseni isitifiketi sikakhiye wokusingatha ukuya ekusebenziseni okhiye bosokhaya abangenalutho ngomyalelo we-HostkeyAlgorithms.
- Inguqulo ephathekayo ye-sshd ayisasebenzisi inani elithi argv[0] ukuze inqume igama lesevisi ye-PAM. Ukuze usethe igama lesevisi ye-PAM, isiqondiso esisha esithi “PAMServiceName” sengezwe ku-sshd_config, esethwe ukuze sithi “sshd” ngokuzenzakalelayo.
- Inguqulo ephathekayo ye-sshd iqinisekisa ukuthi amafayela akhiqizwe ngokuzenzakalelayo (lungiselela iskripthi, config.h.in, njll.) alondolozwa egatsheni le-Git nokukhishwa (isibonelo, V_9_8), okwenze kwaba nokwenzeka ukuvumelanisa ukwakheka kwetiyela elisayinwe ngedijithali. izinqolobane namagatsha e-Git.
- Inguqulo ephathekayo ye-ssh kanye ne-ssh-ejenti inikeza ukulungiselelwa kwemodi
SSH_ASKPASS phambi kwe-WAYLAND_DISPLAY yemvelo eguquguqukayo, efana nendlela ye-X11 lokhu okwenziwe ngayo phambi kokuhlukahluka kwemvelo ye-DISPLAY. - Inguqulo ephathekayo ye-sshd yengeza usekelo lokuthumela izaziso ku-systemd lapho isokhethi yenethiwekhi yokulalela idaliwe noma iqalwa kabusha, kusetshenziswa ikhodi ezimele engayibizi ilabhulali ye-libsystemd.
Source: opennet.ru
