OpenSSH 8.2 released with support for FIDO/U2F two-factor authentication tokens

After four months of development, OpenSSH 8.2 has been released, an open implementation of a client and server for the SSH 2.0 and SFTP protocols.

The key improvement in OpenSSH 8.2 is the ability to use two-factor authentication with devices that support the U2F protocol developed by the FIDO alliance. U2F allows the creation of inexpensive hardware tokens that verify the physical presence of the user, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a two-factor authentication method for websites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that verify user presence, new key types "ecdsa-sk" and "ed25519-sk" have been added to OpenSSH, using the ECDSA and Ed25519 digital signature algorithms combined with the SHA-256 hash. The procedures for talking to tokens are placed in an intermediate library, loaded in the same way as the library for PKCS#11 support, which is a wrapper over the libfido2 library; libfido2 provides the tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate libsk-libfido2 library prepared by the OpenSSH developers has been included in the libfido2 core, together with an HID driver for OpenBSD.

To verify and generate a key, specify the "SecurityKeyProvider" parameter in the settings or set the SSH_SK_PROVIDER environment variable, pointing to the path of the external libsk-libfido2.so library (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so). OpenSSH can also be built with built-in support for the library (--with-security-key-builtin), in which case the "SecurityKeyProvider=internal" parameter must be set.
Next, run "ssh-keygen -t ecdsa-sk" or, if the keys have already been created and configured, connect to the server using "ssh". When ssh-keygen is used, the generated key pair is saved to "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) must be copied to the authorized_keys file on the server. On the server side only the digital signature is verified, and all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it forms the real key only in combination with a secret stored on the U2F token. If the id_ecdsa_sk key falls into the hands of an attacker, they would additionally need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless.

In addition, by default, any operation with the keys (both during generation and during authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes it difficult to carry out remote attacks on systems with a token plugged in. As a further line of defense, a passphrase can also be set when running ssh-keygen to protect access to the key file.

The new OpenSSH version also announces the upcoming deprecation of algorithms that use SHA-1 hashes, because of the increased practicality of chosen-prefix collision attacks (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases the developers plan to disable by default the "ssh-rsa" public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to test whether ssh-rsa is in use on your systems, try connecting with ssh using the "-oHostKeyAlgorithms=-ssh-rsa" option).

To smooth the transition to new algorithms in OpenSSH, a future release will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. The recommended algorithms to migrate to include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).

In OpenSSH 8.2 connecting with "ssh-rsa" is still possible, but the algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for digitally signing new certificates. Likewise, the diffie-hellman-group14-sha1 algorithm has been removed from the default set of supported key exchange algorithms. It is noted that the use of SHA-1 in certificates carries additional risk, since an attacker has unlimited time to search for a collision against an existing certificate, whereas the time available to attack host keys is bounded by the connection timeout (LoginGraceTime).

ssh-keygen now defaults to the rsa-sha2-512 algorithm, supported since OpenSSH 7.2, which may cause compatibility problems when certificates signed with OpenSSH 8.2 are processed on systems running older OpenSSH releases (to work around this when generating a signature, explicitly specify "ssh-keygen -t ssh-rsa" or use the ecdsa-sha2-nistp256/384/521 algorithms, supported since OpenSSH 5.7).

Other changes:

  • The Include directive has been added to sshd_config, allowing the contents of other files to be included at the current position in the configuration file (glob masks may be used when specifying the file name);
  • The "no-touch-required" option has been added to ssh-keygen, disabling the requirement to physically confirm access to the token when creating a key;
  • The PubkeyAuthOptions directive has been added to sshd_config, grouping various options related to public key authentication. Currently only the "no-touch-required" flag is supported, which skips the physical presence check during token authentication. Similarly, a "no-touch-required" option has been added for the authorized_keys file;
  • The "-O write-attestation=/path" option has been added to ssh-keygen to allow additional FIDO attestation certificates to be written out when generating keys. OpenSSH does not use these certificates yet, but they can later be used to verify that the key resides in trusted hardware;
  • In the ssh and sshd settings, the IPQoS directive can now set the LE DSCP (Lower Effort Per-Hop Behavior) traffic prioritization mode;
  • In ssh, when "AddKeysToAgent=yes" is set and a key has no comment field, it is added to ssh-agent with the path to the key as its comment. In
    ssh-keygen and ssh-agent, PKCS#11 labels and the X.509 subject name are now used as key comments instead of the library path;
  • Added the ability to export DSA and ECDSA keys in PEM format from ssh-keygen;
  • Added a new executable, ssh-sk-helper, used to isolate the FIDO/U2F token access library;
  • Added the "--with-zlib" build option to ssh and sshd for compiling with zlib library support;
  • In accordance with the RFC 4253 requirement, the warning about connections being refused because the MaxStartups limit was exceeded is now given in the banner shown during connection. To simplify diagnostics, the sshd process title, visible with the ps utility, now shows the number of connections currently being authenticated and the state of the MaxStartups limit;
  • In ssh and ssh-agent, when the program specified via $SSH_ASKPASS is called to show an on-screen prompt, a flag with the prompt type is now passed as well: "confirm" - a confirmation dialog (yes/no), "none" - an informational message, empty - a password request;
  • A new digital signature operation, "find-principals", has been added to ssh-keygen to search a user's allowed signers file for the signer associated with a given digital signature;
  • Improved sshd process isolation on Linux using the seccomp mechanism: IPC system calls are now blocked, while clock_gettime64(), clock_nanosleep_time64() and clock_nanosleep() are allowed.
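As an added example (not code from the OpenSSH release or the original article), the following Python audit of an authorized_keys file decodes each key blob, reports the FIDO application string of the ecdsa-sk/ed25519-sk keys described above, checks whether the per-key "no-touch-required" option from the list disables the presence check, and flags legacy ssh-rsa keys for the SHA-1 review discussed earlier. It assumes the OpenSSH wire names sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com, and options without quoted spaces; every sample key is constructed, not taken from a real token.

```python
import base64
import struct

SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: uint32 BE length + bytes

def read_string(blob: bytes, off: int = 0):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n  # (string bytes, offset of next field)

def audit_line(line: str) -> dict:
    """Classify one authorized_keys line: options, key type, sk application, touch policy."""
    parts = line.split()
    options = [] if parts[0].startswith(("ssh-", "ecdsa-", "sk-")) else parts[0].split(",")
    keytype, b64 = parts[1:3] if options else parts[0:2]
    blob = base64.b64decode(b64)
    blob_type, off = read_string(blob)  # the blob's own type string must match the text field
    info = {"keytype": keytype, "options": options, "blob_consistent": blob_type.decode() == keytype,
            "application": None, "touch_required": None, "note": ""}
    if keytype in SK_TYPES:
        # sk blobs carry: type, [curve name for ecdsa], public point, application (normally "ssh:")
        if keytype.startswith("sk-ecdsa"):
            off = read_string(blob, off)[1]
        off = read_string(blob, off)[1]
        info["application"] = read_string(blob, off)[0].decode()
        info["touch_required"] = "no-touch-required" not in options  # authorized_keys option new in 8.2
    elif keytype == "ssh-rsa":
        info["note"] = "ssh-rsa key: verify that rsa-sha2-256/512 signatures are negotiated, not SHA-1 ssh-rsa"
    return info

def build_sk_line(keytype: str, options: str = "", application: str = "ssh:") -> str:
    """Constructed sample line with a fake public point (not produced by a real token)."""
    body = ssh_string(keytype.encode())
    body += (ssh_string(b"nistp256") + ssh_string(b"\x04" + b"\x11" * 64)
             if keytype.startswith("sk-ecdsa") else ssh_string(b"\x22" * 32))
    body += ssh_string(application.encode())
    return f"{options + ' ' if options else ''}{keytype} {base64.b64encode(body).decode()} user@host"

# Constructed sample authorized_keys: two sk keys (one without touch) and one legacy ssh-rsa key.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x33" * 256)
SAMPLE = "\n".join([
    build_sk_line("sk-ecdsa-sha2-nistp256@openssh.com"),
    build_sk_line("sk-ssh-ed25519@openssh.com", options="no-touch-required,restrict"),
    "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " legacy@host",
])

def audit(text: str = SAMPLE) -> list:
    return [audit_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
```

Run audit() on the contents of a real authorized_keys file to list which keys still require a touch and which ssh-rsa keys deserve a look before the SHA-1 signature algorithm is disabled.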

Source: opennet.ru
