Ngemuva kwezinyanga ezinhlanu zentuthuko, kukhishwa i-OpenSSH 8.5 kanye nakho Abathuthukisi be-OpenSSH bakhumbule ukudluliswa okuzayo esigabeni sama-algorithms angasebenzi asebenzisa ama-SHA-1 hashes, ngenxa yokusebenza kahle kokuhlaselwa kokushayisana nesiqalo esinikeziwe (izindleko zokukhetha ukungqubuzana zilinganiselwa kuma-dollar ayizinkulungwane ezingama-50).
Kwenye yezinguqulo ezilandelayo, hlela ukukhubaza ngokuzenzakalela ikhono lokusebenzisa i-algorithm yesiginesha yesiginesha yedijithali yomphakathi "ssh-rsa", okukhulunywe ngayo ku-RFC yoqobo yephrothokholi ye-SSH futhi isasetshenziswa kabanzi ekusebenzeni.
Ukwenza bushelelezi ushintsho kuma-algorithm amasha ku-OpenSSH 8.5, ukumiswa I-UpdateHostKeys inikwe amandla ngokuzenzakalela, ini ikuvumela ukuthi ushintshele amaklayenti kuma-algorithms athembeke ngokwengeziwe.
Lokhu kulungiselelwa kunika amandla isandiso sephrothokholi esikhethekile "hostkeys@openssh.com", esivumela iseva, ngemuva kokudlulisa ubuqiniso, ukwazisa iklayenti ngazo zonke izinkinobho zokubamba ezitholakalayo. Iklayenti lingabonisa lezi zinkinobho kufayela lazo le- ~ / .ssh / known_hosts, elenza lihlele ukubuyekezwa kokhiye bokubamba futhi lenze kube lula ukushintsha okhiye kuseva.
Ngakolunye uhlangothi, lungisa ukuba sengozini okubangelwa ukukhulula kabusha indawo yememori esivele ikhululiwe ku-ssh-ejenti. Inkinga ibilokhu ibonakala kusukela kukhishwa i-OpenSSH 8.2 futhi ingahle isetshenziswe kabi uma umhlaseli ekwazi ukufinyelela kusokhethi yomenzeli we-ssh ohlelweni lwendawo. Ukwenza izinto zibe nzima, izimpande kuphela nomsebenzisi woqobo abakwazi ukufinyelela kusokhethi. Isimo esingenzeka kakhulu sokuhlaselwa siqondisa kabusha umenzeli ku-akhawunti elawulwa ngumhlaseli, noma kumsingathi lapho umhlaseli enezimpande khona.
Futhi, I-sshd ingeze ukuvikelwa ekudlulisweni kwepharamitha enkulu kakhulu enegama lomsebenzisi lohlelo olungaphansi lwe-PAM, okuyi ivumela ukuvimba ukuba sengozini kumamojula wohlelo lwe-PAM (Imodyuli Yokuqinisekisa Yokuxhuma). Isibonelo, ushintsho luvimbela i-sshd ekusetshenzisweni njenge-vector ukusizakala ukuba sengozini kwempande esanda kukhonjwa eSolaris (CVE-2020-14871).
Engxenyeni yezinguquko ezingase zephule ukuhambisana kushiwo ukuthi ssh no-sshd basebenzise kabusha indlela yokuhlola yokhiye wokuhlola engamelana nokuhlaselwa ngamandla ngamabomu kwikhompyutha ye-quantum.
Indlela esetshenzisiwe isuselwa ku-NTRU Prime algorithm yenzelwe ama-cryptosystems we-post-quantum kanye nendlela yokushintshana yokhiye we-X25519 elliptic curve. Esikhundleni sntrup4591761x25519-sha512@tinyssh.org, le ndlela manje ikhonjwe njenge-sntrup761x25519-sha512@openssh.com (sntrup4591761 algorithm ithathelwe indawo yi-sntrup761).
Kwezinye izinguquko ezigqamile:
- Ku-ssh ne-sshd, ukuhleleka kokukhangisa okusekelwe ama-algorithms wesiginesha edijithali kushintshiwe. Owokuqala manje ngu-ED25519 esikhundleni se-ECDSA.
- Ku-ssh ne-sshd, izilungiselelo ze-TOS / DSCP QoS zezikhathi zokusebenzisana manje sezisethwe ngaphambi kokusungula ukuxhumana kwe-TCP.
- I-Ssh ne-sshd ziyekile ukusekela ukubethela kwe-rijndael-cbc@lysator.liu.se, okufana ncamashi ne-aes256-cbc futhi kwasetshenziswa ngaphambi kwe-RFC-4253.
- I-Ssh, ngokwamukela ukhiye omusha womsingathi, iqinisekisa ukuthi wonke amagama wokusingathwa namakheli e-IP ahlobene nokhiye ayaboniswa.
- Ku-ssh okhiye be-FIDO, kunikezwa isicelo esiphindwe kabili se-PIN uma kwenzeka ukwehluleka ekusebenzeni kwesiginesha yedijithali ngenxa ye-PIN engalungile nokuntuleka kwesicelo se-PIN kumsebenzisi (ngokwesibonelo, lapho bekungenakwenzeka ukuthola i-biometric efanele idatha nedivayisi kufakwe i-PIN ngesandla).
- I-Sshd ingeza ukusekelwa kwamakholi wesistimu ongeziwe kunqubo ye-seccomp-bpf-based sandboxing ku-Linux.
Ungayifaka kanjani i-OpenSSH 8.5 ku-Linux?
Kulabo abanentshisekelo yokukwazi ukufaka le nguqulo entsha ye-OpenSSH kumasistimu abo, ngoba manje sebengakwenza ukulanda ikhodi yomthombo yalokhu futhi benza ukuhlanganiswa kumakhompyutha abo.
Lokhu kungenxa yokuthi inguqulo entsha ayikakafakwa ezinqolobaneni zokusabalalisa okukhulu kwe-Linux. Ukuthola ikhodi yomthombo, ungenza kusuka ku- isixhumanisi esilandelayo.
Uqedile ukulanda, manje sizovula iphakheji ngomyalo olandelayo:
tar -xvf kuvulwa-8.5.tar.gz
Sifaka umkhombandlela owakhiwe:
cd kuvulwa-8.5
Y singahlanganisa imiyalo elandelayo:
./configure --prefix = / opt --sysconfdir = / etc / ssh yenza ukufaka