I-OpenSSH 8.5 ifika nge-UpdateHostKeys, ukulungiswa nokuningi

Ngemuva kwezinyanga ezinhlanu zentuthuko, kukhishwa i-OpenSSH 8.5 kanye nakho Abathuthukisi be-OpenSSH bakhumbule ukudluliswa okuzayo esigabeni sama-algorithms angasebenzi asebenzisa ama-SHA-1 hashes, ngenxa yokusebenza kahle kokuhlaselwa kokushayisana nesiqalo esinikeziwe (izindleko zokukhetha ukungqubuzana zilinganiselwa kuma-dollar ayizinkulungwane ezingama-50).

Kwenye yezinguqulo ezilandelayo, hlela ukukhubaza ngokuzenzakalela ikhono lokusebenzisa i-algorithm yesiginesha yesiginesha yedijithali yomphakathi "ssh-rsa", okukhulunywe ngayo ku-RFC yoqobo yephrothokholi ye-SSH futhi isasetshenziswa kabanzi ekusebenzeni.

Ukwenza bushelelezi ushintsho kuma-algorithm amasha ku-OpenSSH 8.5, ukumiswa I-UpdateHostKeys inikwe amandla ngokuzenzakalela, ini ikuvumela ukuthi ushintshele amaklayenti kuma-algorithms athembeke ngokwengeziwe.

Lokhu kulungiselelwa kunika amandla isandiso sephrothokholi esikhethekile "hostkeys@openssh.com", esivumela iseva, ngemuva kokudlulisa ubuqiniso, ukwazisa iklayenti ngazo zonke izinkinobho zokubamba ezitholakalayo. Iklayenti lingabonisa lezi zinkinobho kufayela lazo le- ~ / .ssh / known_hosts, elenza lihlele ukubuyekezwa kokhiye bokubamba futhi lenze kube lula ukushintsha okhiye kuseva.

Ngakolunye uhlangothi, lungisa ukuba sengozini okubangelwa ukukhulula kabusha indawo yememori esivele ikhululiwe ku-ssh-ejenti. Inkinga ibilokhu ibonakala kusukela kukhishwa i-OpenSSH 8.2 futhi ingahle isetshenziswe kabi uma umhlaseli ekwazi ukufinyelela kusokhethi yomenzeli we-ssh ohlelweni lwendawo. Ukwenza izinto zibe nzima, izimpande kuphela nomsebenzisi woqobo abakwazi ukufinyelela kusokhethi. Isimo esingenzeka kakhulu sokuhlaselwa siqondisa kabusha umenzeli ku-akhawunti elawulwa ngumhlaseli, noma kumsingathi lapho umhlaseli enezimpande khona.

Futhi, I-sshd ingeze ukuvikelwa ekudlulisweni kwepharamitha enkulu kakhulu enegama lomsebenzisi lohlelo olungaphansi lwe-PAM, okuyi ivumela ukuvimba ukuba sengozini kumamojula wohlelo lwe-PAM (Imodyuli Yokuqinisekisa Yokuxhuma). Isibonelo, ushintsho luvimbela i-sshd ekusetshenzisweni njenge-vector ukusizakala ukuba sengozini kwempande esanda kukhonjwa eSolaris (CVE-2020-14871).

Engxenyeni yezinguquko ezingase zephule ukuhambisana kushiwo ukuthi ssh no-sshd basebenzise kabusha indlela yokuhlola yokhiye wokuhlola engamelana nokuhlaselwa ngamandla ngamabomu kwikhompyutha ye-quantum.

Indlela esetshenzisiwe isuselwa ku-NTRU Prime algorithm yenzelwe ama-cryptosystems we-post-quantum kanye nendlela yokushintshana yokhiye we-X25519 elliptic curve. Esikhundleni sntrup4591761x25519-sha512@tinyssh.org, le ndlela manje ikhonjwe njenge-sntrup761x25519-sha512@openssh.com (sntrup4591761 algorithm ithathelwe indawo yi-sntrup761).

Kwezinye izinguquko ezigqamile:

  • Ku-ssh ne-sshd, ukuhleleka kokukhangisa okusekelwe ama-algorithms wesiginesha edijithali kushintshiwe. Owokuqala manje ngu-ED25519 esikhundleni se-ECDSA.
  • Ku-ssh ne-sshd, izilungiselelo ze-TOS / DSCP QoS zezikhathi zokusebenzisana manje sezisethwe ngaphambi kokusungula ukuxhumana kwe-TCP.
  • I-Ssh ne-sshd ziyekile ukusekela ukubethela kwe-rijndael-cbc@lysator.liu.se, okufana ncamashi ne-aes256-cbc futhi kwasetshenziswa ngaphambi kwe-RFC-4253.
  • I-Ssh, ngokwamukela ukhiye omusha womsingathi, iqinisekisa ukuthi wonke amagama wokusingathwa namakheli e-IP ahlobene nokhiye ayaboniswa.
  • Ku-ssh okhiye be-FIDO, kunikezwa isicelo esiphindwe kabili se-PIN uma kwenzeka ukwehluleka ekusebenzeni kwesiginesha yedijithali ngenxa ye-PIN engalungile nokuntuleka kwesicelo se-PIN kumsebenzisi (ngokwesibonelo, lapho bekungenakwenzeka ukuthola i-biometric efanele idatha nedivayisi kufakwe i-PIN ngesandla).
  • I-Sshd ingeza ukusekelwa kwamakholi wesistimu ongeziwe kunqubo ye-seccomp-bpf-based sandboxing ku-Linux.

Ungayifaka kanjani i-OpenSSH 8.5 ku-Linux?

Kulabo abanentshisekelo yokukwazi ukufaka le nguqulo entsha ye-OpenSSH kumasistimu abo, ngoba manje sebengakwenza ukulanda ikhodi yomthombo yalokhu futhi benza ukuhlanganiswa kumakhompyutha abo.

Lokhu kungenxa yokuthi inguqulo entsha ayikakafakwa ezinqolobaneni zokusabalalisa okukhulu kwe-Linux. Ukuthola ikhodi yomthombo, ungenza kusuka ku- isixhumanisi esilandelayo.

Uqedile ukulanda, manje sizovula iphakheji ngomyalo olandelayo:

tar -xvf kuvulwa-8.5.tar.gz

Sifaka umkhombandlela owakhiwe:

cd kuvulwa-8.5

Y singahlanganisa imiyalo elandelayo:

./configure --prefix = / opt --sysconfdir = / etc / ssh yenza ukufaka

Okuqukethwe yi-athikili kunamathela ezimisweni zethu ze izimiso zokuhlelela. Ukubika iphutha chofoza lapha.

Yiba ngowokuqala ukuphawula

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe.

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.