OpenSSH 9.2 released with a fix for a pre-authentication vulnerability

The release of OpenSSH 9.2 has been published, an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols. The new version fixes a vulnerability that leads to a double free of memory in the pre-authentication stage. Only the OpenSSH 9.1 release is affected; the problem does not occur in earlier versions.

To create the conditions for triggering the vulnerability, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1" so that the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" flags, which depend on the SSH client version, are set. After these flags are set, the memory for the "options.kex_algorithms" buffer is freed twice: once in the do_ssh2_kex() function, which calls compat_kex_proposal(), and once in the do_authentication2() function, which calls input_userauth_request(), mm_getpwnamallow(), copy_set_server_options() down the chain, assemble_algorithms() and kex_assemble_names().

Creating a working exploit for the vulnerability is considered unlikely, since the exploitation process is too complex: modern memory allocator libraries provide protection against double frees, and the pre-auth process in which the bug is present runs with reduced privileges in an isolated sandbox environment.

In addition to the vulnerability noted above, the new release also fixes two other security problems:

  • An error in processing the "PermitRemoteOpen" setting caused the first argument to be ignored if it differed from the values "any" and "none". The problem appears in versions newer than OpenSSH 8.7 and causes the check to be skipped when only one permission is specified.
  • An attacker controlling the DNS server used for name resolution can achieve the substitution of special characters (for example, "*") into known_hosts files if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options are enabled in the configuration and the system resolver does not verify the correctness of responses from the DNS server. The attack is considered unlikely because the returned names must match the conditions specified via CanonicalizePermittedCNAMEs.

Other changes:

  • The EnableEscapeCommandline setting has been added to ssh_config to control whether client-side processing of the "~C" escape sequence, which provides a command line, is enabled. By default, handling of "~C" is now disabled so that stricter sandbox isolation can be used, which could potentially break systems that use "~C" for port forwarding at run time.
  • The ChannelTimeout directive has been added to sshd_config so that sshd can set an inactivity timeout for channels (channels in which no traffic is recorded during the time specified in the directive will be closed automatically). Separate timeouts can be set for session, X11, agent and traffic forwarding channels.
  • The UnusedConnectionTimeout directive has been added to sshd_config for sshd, allowing a timeout to be set after which clients that have had no active channels for a certain time are disconnected.
  • The "-V" option has been added to sshd to display the version, similar to the same option in the ssh client.
  • A "Host" line has been added to the output of "ssh -G", showing the value of the hostname argument.
  • The "-X" option has been added to scp and sftp to control SFTP protocol parameters such as the copy buffer size and the number of outstanding requests.
  • ssh-keyscan allows scanning full CIDR address ranges, for example "ssh-keyscan 192.168.0.0/24".
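An sshd_config fragment, added here as an illustration and not taken from the OpenSSH release or the article, showing the new ChannelTimeout and UnusedConnectionTimeout directives next to a PermitRemoteOpen list; the channel type names follow the sshd_config(5) syntax, and the interval values and forwarding targets are assumed.

```conf
# sshd_config fragment (added illustration; needs OpenSSH 9.2 or newer)

# Close individual channels that carry no traffic for the given interval.
# Type names follow sshd_config(5); the intervals are assumed values.
ChannelTimeout session:*=30m direct-tcpip=5m forwarded-tcpip=5m agent-connection=2m x11-connection=10m

# Drop a connection that has had no open channels at all for this long.
UnusedConnectionTimeout 5m

# Restrict remote (-R) forwarding targets (assumed hosts and ports).
# Before 9.2, on versions newer than 8.7, a single entry that was not
# "any" or "none" was ignored and the check was skipped entirely.
PermitRemoteOpen 127.0.0.1:8080 10.0.0.5:443

# Check what sshd actually parsed before reloading the service:
#   sshd -T | grep -Ei 'channeltimeout|unusedconnectiontimeout|permitremoteopen'
```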

Source: opennet.ru
