OpenSSH 8.5 arrives with UpdateHostKeys, fixes and more

After five months of development, the release of OpenSSH 8.5 has been presented. With it, the OpenSSH developers recalled the upcoming move of algorithms that use SHA-1 hashes to the obsolete category, because of the increased effectiveness of collision attacks with a given prefix (the cost of selecting a collision is estimated at about 50 thousand dollars).

In one of the next releases, they plan to disable by default the ability to use the public key digital signature algorithm "ssh-rsa", which is mentioned in the original RFC for the SSH protocol and is still widely used in practice.

To smooth the transition to new algorithms, the UpdateHostKeys setting is enabled by default in OpenSSH 8.5, which allows clients to be switched automatically to more reliable algorithms.

This setting enables a special protocol extension, "hostkeys@openssh.com", which allows the server, after authentication has passed, to inform the client of all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which makes it possible to organize host key updates and makes it easier to change keys on the server.

In addition, a vulnerability caused by re-freeing an already freed memory area (a double free) in ssh-agent was fixed. The problem has been present since the release of OpenSSH 8.2 and could potentially be exploited if an attacker has access to the ssh-agent socket on the local system. What complicates exploitation is that only root and the original user have access to the socket. The most likely attack scenario is forwarding the agent to an account controlled by the attacker, or to a host to which the attacker has access.

Also, sshd added protection against passing very large parameters containing a username to the PAM subsystem, which makes it possible to block vulnerabilities in the system modules of PAM (Pluggable Authentication Module). For example, the change prevents sshd from being used as a vector to exploit a recently identified root vulnerability in Solaris (CVE-2020-14871).

Among the changes that may break compatibility, it is mentioned that ssh and sshd have reworked an experimental key exchange method that is resistant to brute-force attacks on a quantum computer.

The method used is based on the NTRU Prime algorithm, developed for post-quantum cryptosystems, and on the X25519 elliptic-curve key exchange method. Instead of sntrup4591761x25519-sha512@tinyssh.org, the method is now identified as sntrup761x25519-sha512@openssh.com (the sntrup4591761 algorithm has been replaced by sntrup761).

Of the other changes that stand out:

  • In ssh and sshd, the order in which supported digital signature algorithms are advertised has been changed. The first is now ED25519 instead of ECDSA.
  • In ssh and sshd, the TOS / DSCP QoS settings for interactive sessions are now set before the TCP connection is established.
  • ssh and sshd no longer support the rijndael-cbc@lysator.liu.se cipher, which is identical to aes256-cbc and was used before RFC-4253.
  • ssh, when accepting a new host key, makes sure that all hostnames and IP addresses associated with the key are displayed.
  • In ssh for FIDO keys, a repeated PIN request is provided if the digital signature operation fails because of an incorrect PIN and the user was not asked for a PIN (for example, when correct biometric data could not be obtained and the device fell back to manual PIN entry).
  • sshd adds support for additional system calls to the seccomp-bpf-based sandboxing mechanism on Linux.
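
Before upgrading, it is worth checking existing client and server configuration for the names this article says were renamed, removed or are due to be disabled. The following is an added example, not code from the OpenSSH project: a small Python audit over a constructed sample configuration; the function name, the sample hosts and the wording of the findings are assumptions made for illustration.

```python
import re

# Names from the article: renamed or removed in 8.5, or slated for disabling.
FLAGGED = {
    "sntrup4591761x25519-sha512@tinyssh.org":
        "renamed in 8.5, use sntrup761x25519-sha512@openssh.com",
    "rijndael-cbc@lysator.liu.se": "removed in 8.5, identical to aes256-cbc",
    "ssh-rsa": "SHA-1 based signatures, planned to be disabled by default",
}
# Directives whose value is a comma-separated algorithm list.
LIST_DIRECTIVES = {"kexalgorithms", "ciphers", "hostkeyalgorithms",
                   "pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}

# Constructed sample client configuration, not taken from a real host.
SAMPLE = """\
# ~/.ssh/config (constructed)
Host legacy
    KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256
    Ciphers=aes256-ctr,rijndael-cbc@lysator.liu.se
    HostKeyAlgorithms +ssh-rsa
    UpdateHostKeys no
Host modern
    HostKeyAlgorithms -ssh-rsa
    KexAlgorithms sntrup761x25519-sha512@openssh.com
"""

def audit(config_text):
    """Return (line_number, directive, finding) tuples for one config text."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "updatehostkeys" and value.lower() == "no":
            findings.append((no, key, "disables learning of rotated host keys"))
        elif key in LIST_DIRECTIVES and not value.startswith("-"):
            # A leading '-' removes names from the defaults, so it is skipped;
            # '+' and '^' add names and are checked like a plain list.
            for name in (n.strip() for n in value.lstrip("+^").split(",")):
                if name in FLAGGED:
                    findings.append((no, key, f"{name}: {FLAGGED[name]}"))
    return findings

if __name__ == "__main__":
    for no, key, finding in audit(SAMPLE):
        print(f"line {no}: {key}: {finding}")
```

Wildcard patterns inside algorithm lists are not expanded; only exact names are matched.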

How to install OpenSSH 8.5 on Linux?

Those who are interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading its source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. To get the source code, you can do so from the following link.

Once the download is done, we unpack the package with the following command:

tar -xvf openssh-8.5.tar.gz

We enter the created directory:

cd openssh-8.5

And we can compile with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make install
