Emva kweenyanga ezintlanu zophuhliso, ukukhutshwa kwe-OpenSSH 8.5 kuzisiwe kunye nayo Abaphuhlisi be-OpenSSH bakhumbula ukuhanjiswa okuzayo kudidi lwee-algorithms eziphelelwe lixesha ezisebenzisa i-SHA-1 hashes, ngenxa yosebenziso olukhulu lokungqubana kunye nesimaphambili esinikiweyo (iindleko zokhetho lwengozi zilinganiswa malunga ne-50 lamawaka eedola).
Kwenye yeenguqulelo ezilandelayo, cwangcisa ukukhubaza ngokungagqibekanga ukubanakho ukusebenzisa isitshixo sasesidlangalaleni sokutyikitya kwedijithali "ssh-rsa", ekhankanywe kwi-RFC yoqobo yenkqubo ye-SSH kwaye isasetyenziswa ngokubanzi ekusebenzeni.
Ukulungelelanisa inguqu kwi-algorithms entsha kwi-OpenSSH 8.5, ubumbeko Uhlaziyo lweeHostKeys lwenziwe ngokungagqibekanga, Intoni ikuvumela ukuba utshintshe abathengi ngokuzenzekelayo kwi-algorithms ethembekileyo.
Olu seto lwenza ukuba ukwandiswa komgaqo olandelwayo "hostkeys@openssh.com", evumela iserver, emva kokudlulisa ubunyani, ukwazisa umxhasi ngazo zonke izitshixo ezikhoyo zokubamba. Umxhasi angabonakalisa la maqhosha kwifayile yabo ~ /.
Ngakolunye uhlangothi, lungisa ubungozi obubangelwa kukukhulula kwakhona indawo yenkumbulo esele ikhululiwe Kwi-ssh-arhente. Ingxaki ibonakele okoko kwaphuma i-OpenSSH 8.2 kwaye inokuthi ixhaphaze ukuba umhlaseli unokufikelela kwisokethi yearhente ye-ssh kwinkqubo yendawo. Ukwenza izinto zibe nzima, yingcambu kuphela kunye nomsebenzisi wokuqala onokufikelela kwisokethi. Eyona meko inokubakho yohlaselo lubhekisa kwakhona kwiarhente kwiakhawunti elawulwa ngumhlaseli, okanye kumamkeli apho umhlaseli anokufikelela kwiingcambu.
Kwakhona, I-sshd yongeze ukhuseleko ngokuchasene nokudlula kweparameter enkulu kakhulu ngegama lomsebenzisi kwinkqubo esezantsi yePAM, ethi ivumela ukuthintela ubungozi kwiimodyuli zenkqubo ye-PAM (IsiQinisekiso sokuQinisekiswa kweModyuli). Umzekelo, utshintsho luthintela i-sshd ekubeni isetyenziswe njenge vector ukuxhaphaza ubungozi bengcambu esanda kuchongwa eSolaris (CVE-2020-14871).
Kwinxalenye yotshintsho olunokuthi lwaphule ukungqinelana kuyakhankanywa ukuba ssh kunye ne-sshd baphinde bayisebenzisa kwakhona indlela yovavanyo yokutshintsha imali enganyangekiyo kuhlaselo olunamandla kwiikhompyuter ye-quantum.
Indlela esetyenzisiweyo isekwe kwi-NTRU Prime algorithm yenzelwe i-post-quantum cryptosystems kunye ne-X25519 elliptic curve key exchange method. Endaweni ye- sntrup4591761x25519-sha512@tinyssh.org, le ndlela ngoku ichongiwe njenge-sntrup761x25519-sha512@openssh.com (sntrup4591761 algorithm ithathelwe indawo sntrup761).
Olunye utshintsho olwahlukileyo:
- Kwi-ssh kunye ne-sshd, uku-odolwa kwentengiso kuxhaswe ii-algorithms zokutyikitya kwedijithali kutshintshiwe. Eyokuqala ngoku ngu-ED25519 endaweni ye-ECDSA.
- Kwi-ssh kunye ne-sshd, useto lwe-TOS / DSCP QoS yeeseshini ezisebenzayo ngoku zisetelwe ngaphambi kokuseka unxibelelwano lwe-TCP.
- I-Ssh kunye ne-sshd ziyekile ukuxhasa i-rijndael-cbc@lysator.liu.se encryption, efanayo ne-aes256-cbc kwaye yayisetyenziswa ngaphambi kwe-RFC-4253.
- I-Ssh, ngokwamkela isitshixo esitsha sokubamba, iqinisekisa ukuba onke amagama ehostele kunye needilesi ze-IP ezinxulumene nesitshixo ziyavezwa.
- Kwi-ssh yezitshixo ze-FIDO, isicelo esiphindiweyo sePIN sinikezelwa kwimeko yokungaphumeleli ekusebenzeni kwesiginitsha yedijithali ngenxa ye-PIN engeyiyo kunye nokungabikho kwesicelo sePIN kumsebenzisi (umzekelo, xa bekungenakwenzeka ukufumana ibhayometri echanekileyo idatha kunye nesixhobo sokufaka iPIN ngesandla).
- I-Sshd yongeza inkxaso kwinkqubo eyongezelelweyo yokufowuna kwi-seccomp-bpf-based based sandboxing mechanism kwiLinux.
Uyifaka njani i-OpenSSH 8.5 kwiLinux?
Kulabo banomdla wokukwazi ukufaka le nguqulo intsha ye-OpenSSH kwiinkqubo zabo, okwangoku bangayenza Ukukhuphela ikhowudi yemvelaphi yoku kunye ukwenza ukudityaniswa kwiikhompyuter zabo.
Kungenxa yokuba ingxelo entsha ayikabandakanywa koovimba beenkqubo eziphambili zeLinux. Ukufumana ikhowudi yemvelaphi, unokwenza ukusuka eli khonkco lilandelayo.
Yenza ukhuphelo, ngoku siza kukhulula ipakethe ngalo myalelo ulandelayo:
I-tar -xvf ivula-8.5.tar.gz
Sifaka isikhombisi esenziwe:
cd ivula-8.5
Y sinokudibanisa kunye le miyalelo ilandelayo:
./configure --prefix = / opt --sysconfdir = / njl / ssh yenza ukufaka