OpenSSH 10.3 brings security and compatibility changes that administrators need to be aware of.

  • OpenSSH 10.3 includes five security fixes affecting the client, the server, and tools such as scp and ssh-agent.
  • Support for implementations that do not rekey is removed, which can break connections to old or non-standard SSH software.
  • Certificate and algorithm rules change, fixing bugs in principal matching, wildcard handling, and the acceptance of ECDSA keys.
  • Operational improvements in multiplexing, per-source penalties, GSSAPI credential control, and wider support for agent keys and extensions.

OpenSSH 10.3

OpenSSH 10.3 is now available. It brings a combination of security patches, behaviour changes and new capabilities that affect system administrators and developers alike. Although most of the new features are technical, several of them can cause connection failures with older clients or servers if the configuration is not reviewed carefully.

In corporate environments, where OpenSSH is a core component on Linux servers, BSD systems and network appliances, this update is particularly relevant. Version 10.3 fixes vulnerabilities, corrects certificate validation and changes how certain configuration directives are handled, so it is advisable to test it in pre-production environments before rolling it out at scale.

Compatibility broken with implementations that do not rekey

One of the most significant changes in OpenSSH 10.3 is the removal of the "bug compatibility" code for implementations that do not support rekeying. Until now, the project kept a series of internal workarounds that allowed it to keep talking to old or non-standard SSH clients and servers that lack the ability to renegotiate keys during a session.

From this version onward, if an SSH client or server does not support rekeying, the connection to OpenSSH 10.3 will fail, either while the connection is being established or later during the session. This can affect infrastructures that still run old software, embedded devices, or in-house products that implement the SSH protocol only partially.

System administrators should inventory their SSH devices and services and check that every one of them supports key renegotiation before upgrading. In environments that keep legacy devices or custom software, it may be necessary to upgrade those components or to isolate them in network segments where OpenSSH 10.3 is not deployed.
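One way to run that inventory check, as an added example that is not part of the release notes or the OpenSSH project: force an early rekey with a tiny RekeyLimit and read the client's -vv debug output. With -vv, ssh(1) logs "SSH2_MSG_KEXINIT received" once per key exchange, so a second occurrence means the peer handled the rekey. The host name, the remote command and the two sample logs are constructed for this example.

```python
"""Check whether a peer takes part in a rekey: added example, not OpenSSH code.

Forcing a tiny RekeyLimit makes ssh(1) rekey almost immediately; with -vv the
client logs 'SSH2_MSG_KEXINIT received' once per key exchange, so a second
occurrence means the peer handled the rekey. The sample logs below are
constructed for this example, not captured from a real host.
"""
import re
import subprocess

KEXINIT_RE = re.compile(r"^debug1: SSH2_MSG_KEXINIT (sent|received)$", re.MULTILINE)


def count_kexinit(debug_output: str, direction: str = "received") -> int:
    """Count KEXINIT messages in one direction in ssh -vv stderr output."""
    return sum(1 for m in KEXINIT_RE.finditer(debug_output) if m.group(1) == direction)


def rekey_supported(debug_output: str) -> bool:
    """True when the peer sent at least two KEXINITs: the initial exchange plus one rekey."""
    return count_kexinit(debug_output, "received") >= 2


def probe_command(host: str, rekey_limit: str = "1K") -> list:
    """argv for the probe. The remote command pushes 64 KiB through the session so
    the small RekeyLimit is exceeded; the caller discards stdout and keeps stderr."""
    return [
        "ssh", "-vv", "-o", f"RekeyLimit={rekey_limit}", "-o", "BatchMode=yes",
        "--", host, "head -c 65536 /dev/zero",
    ]


def probe(host: str, timeout: int = 60) -> bool:
    """Run the probe against a real host (needs key-based access) and report the result."""
    proc = subprocess.run(probe_command(host), capture_output=True, timeout=timeout)
    return rekey_supported(proc.stderr.decode(errors="replace"))


# Constructed sample output, trimmed to the lines that matter.
SAMPLE_REKEY_OK = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentication succeeded (publickey).
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Exit status 0
"""

SAMPLE_NO_REKEY = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentication succeeded (publickey).
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 192.0.2.10 port 22
"""

if __name__ == "__main__":
    for name, log in ("ok", SAMPLE_REKEY_OK), ("legacy", SAMPLE_NO_REKEY):
        print(name, "rekey supported" if rekey_supported(log) else "NO rekey")
```

Run probe() against each entry of the inventory from a host that already has key-based access; anything reported as "NO rekey" is a candidate for upgrade or segmentation before 10.3 reaches it.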

Fix for the command injection bug through the username

In the SSH client, a validation vulnerability has been fixed that allowed, under certain conditions, shell metacharacters present in the username to be expanded before the safety check was applied. The problem arises when usernames controlled by a third party are combined with a configuration that uses expansion tokens.

Specifically, the weakness involves the %u token inside Match blocks of the ssh_config file (for instance in a Match exec command, which ssh runs through the shell). In that scenario, an attacker able to influence the username passed to the ssh command could run unplanned commands in the shell by taking advantage of metacharacter expansion.

The new version corrects the order in which these parameters are validated and prevents the dangerous expansion of malicious usernames. Even so, the developers remind us that exposing ssh command-line arguments to untrusted input remains a poor design practice, particularly in scripts or automation tools used in large environments.
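The defensive wrapper that advice implies, as an added example that is neither the project's code nor part of the release: validate the username against a strict allow-list before ssh(1) ever sees it, pass the user through -l rather than user@host, and refuse hosts that look like options. The username pattern and the rejected sample inputs are this example's own assumptions.

```python
"""Refuse shell-unsafe usernames before ssh(1) sees them: added example, not OpenSSH code.

OpenSSH 10.3 fixes the %u expansion order inside the client, but a wrapper that
takes usernames from third parties should still reject anything that is not a
plain account name, because older clients and other expansion tokens remain in
play. The pattern and the sample inputs are this example's own assumptions.
"""
import re
import subprocess

# Assumed policy: POSIX portable usernames only, at most 32 characters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_username(user: str) -> bool:
    """True only for names made of the allowed characters; '$', '`', ';', quotes, '%' and spaces all fail."""
    return USERNAME_RE.fullmatch(user) is not None


def build_ssh_argv(user: str, host: str, command: str) -> list:
    """argv for a non-interactive ssh call. The user goes through -l rather than
    user@host, the host must not look like an option, and '--' ends option parsing."""
    if not is_safe_username(user):
        raise ValueError(f"rejected username: {user!r}")
    if not host or host.startswith("-"):
        raise ValueError(f"rejected host: {host!r}")
    return ["ssh", "-o", "BatchMode=yes", "-l", user, "--", host, command]


def accepted(user: str, host: str) -> bool:
    """Convenience check: does the wrapper accept this (user, host) pair?"""
    try:
        build_ssh_argv(user, host, "true")
        return True
    except ValueError:
        return False


def run_remote(user: str, host: str, command: str) -> subprocess.CompletedProcess:
    """Execute the command without a local shell; argv is passed as a list, never joined into a string."""
    return subprocess.run(build_ssh_argv(user, host, command), capture_output=True, text=True)


# Constructed inputs: injection attempts that the 10.3 fix and this wrapper both stop.
REJECTED_USERS = ["alice$(id)", "bob;id", "carol`uname`", "dave eve", "%u", "-oProxyCommand=touch /tmp/pwn", ""]

if __name__ == "__main__":
    print(build_ssh_argv("alice", "bastion.example.net", "uptime"))
    for bad in REJECTED_USERS:
        try:
            build_ssh_argv(bad, "bastion.example.net", "uptime")
        except ValueError as err:
            print(err)
```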

Changes to certificate handling and principal rules

OpenSSH 10.3 introduces several important changes to the handling of SSH certificates and their "principals" (the identities bound to a certificate), which directly affect how access is validated.

Bug when matching principals containing commas

A bug has been fixed in sshd when comparing the principals="" option of authorized_keys entries against the list of principals embedded in a certificate. The failure occurred when one of the principal names in the certificate contained a comma, which could produce an incorrect match in certain situations.

For this issue to be exploitable, several conditions had to be met: the authorized_keys entry had to list more than one principal, the certificate authority had to have issued a certificate whose principal name differed from those comma-separated names, and the CA key had to be one trusted through the user's own authorized_keys. The main certificate authentication path, based on TrustedUserCAKeys and AuthorizedPrincipalsFile, is not affected.

Certificates with an empty principal list

Another behaviour change corrects a problematic historical design in certificates. Until now, when a certificate with an empty principals field was used together with an authorized_keys principals="" option, it was treated as a wildcard, allowing authentication as any user who trusted the same certificate authority.

This created a poorly understood risk: a CA that mistakenly issued a certificate with an empty principal list was unintentionally granting far too broad access. In OpenSSH 10.3 this changes, and a certificate with no principals is now treated as matching no principal at all, closing this dangerous "wildcard" behaviour.

In addition, the project has unified the handling of wildcards in certificate principals: wildcards are permitted in host certificates but not in user certificates. The aim is more predictable and auditable behaviour, something highly valued in security audits of European organisations under frameworks such as NIS2 or ENS.
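To make the three rules above concrete, here is an added example (not sshd's code) that models them over a constructed authorized_keys line: commas split the principals="..." option but never a certificate principal, an empty certificate principal list matches nothing, and wildcards are honoured only when matching host certificates. The key blob, names and certificate contents are placeholders constructed for this example.

```python
"""Certificate principal matching with the 10.3 rules: added example, not sshd's code.

It models three points from the release notes: commas split the principals="..."
option in authorized_keys but never a certificate principal, a certificate with an
empty principal list matches nothing, and wildcards count only in host certificates.
The authorized_keys line, key material and certificate contents are constructed.
"""
from fnmatch import fnmatchcase


def parse_authorized_keys_options(line: str) -> dict:
    """Split the leading options field of an authorized_keys line into a dict.
    Commas inside double quotes belong to the value (simplification: backslash
    escapes are not handled). Assumes the line starts with options, not a key type."""
    options_field = line.split(" ", 1)[0]
    result, token, in_quotes = {}, [], False

    def flush() -> None:
        if token:
            name, _, value = "".join(token).partition("=")
            result[name] = value.strip('"') if value else True
            token.clear()

    for ch in options_field:
        if ch == '"':
            in_quotes = not in_quotes
            token.append(ch)
        elif ch == "," and not in_quotes:
            flush()
        else:
            token.append(ch)
    flush()
    return result


def allowed_principals(options: dict) -> list:
    """principals="a,b" -> ['a', 'b']; the comma is a separator only here."""
    value = options.get("principals")
    return [p for p in value.split(",") if p] if isinstance(value, str) else []


def cert_matches_authorized_principals(cert_principals: list, allowed: list) -> bool:
    """10.3 rule: exact comparison of whole names; an empty certificate list matches
    nothing (before 10.3 it behaved like a wildcard)."""
    if not cert_principals:
        return False
    return any(cp == a for cp in cert_principals for a in allowed)


def host_cert_matches(cert_principals: list, hostname: str) -> bool:
    """Host certificates may carry wildcard principals such as '*.example.com'."""
    return any(fnmatchcase(hostname, cp) for cp in cert_principals)


def user_cert_matches(cert_principals: list, login: str) -> bool:
    """User certificates are matched literally: '*' only ever matches a user named '*'."""
    return login in cert_principals


# Constructed authorized_keys entry (the key blob is a placeholder, not a real key).
AK_LINE = ('cert-authority,principals="alice,bob",no-port-forwarding '
           'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder ca@corp.example')

if __name__ == "__main__":
    allowed = allowed_principals(parse_authorized_keys_options(AK_LINE))
    print("allowed:", allowed)
    print("cert ['alice']     ->", cert_matches_authorized_principals(["alice"], allowed))
    print("cert ['alice,bob'] ->", cert_matches_authorized_principals(["alice,bob"], allowed))
    print("cert []            ->", cert_matches_authorized_principals([], allowed))
    print("host cert '*.example.com' for db1.example.com ->",
          host_cert_matches(["*.example.com"], "db1.example.com"))
    print("user cert '*' for alice ->", user_cert_matches(["*"], "alice"))
```

The parser is the part worth keeping: auditing tools that split authorized_keys options on every comma will misread a quoted principals list, which is exactly the kind of ambiguity the 10.3 fix removes on the server side.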

Strict enforcement of ECDSA algorithm lists

On the cryptographic side, OpenSSH 10.3 fixes a problem in how the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms directives were applied to ECDSA keys. Until this version, if any ECDSA algorithm name appeared in one of these lists, the server would accept the other ECDSA algorithms as well, even if they were not explicitly listed.

With the new update, sshd correctly honours the list of permitted algorithms. This closes that gap and gives fine-grained control over which ECDSA variants may be used, which is useful for administrators who want to narrow the algorithm set in hardened profiles or align with national security recommendations. Note that a list which named only one ECDSA curve was silently more permissive before 10.3, so the same configuration may start rejecting keys after the upgrade.

Fix in scp when downloading as root

The scp tool also receives a security adjustment for the case where it is used in legacy (rcp-compatible) mode and runs as root. In earlier versions, when downloading files without the -p option, the program did not clear the setuid and setgid bits on the received files.

This behaviour, inherited from the original Berkeley rcp, could be dangerous in certain copy operations, since a file transferred with special permissions could end up executable with elevated privileges on the local destination system. OpenSSH 10.3 corrects this to reinforce safety in remote administration, a routine task on production servers in data centres.
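For hosts that still run an older scp in legacy mode as root, a post-transfer audit closes the same gap from the outside. The following is an added example, not OpenSSH code: it walks a destination tree, reports regular files carrying setuid or setgid, and strips only those two bits. The file it checks is created by the example itself in a temporary directory.

```python
"""Find and clear setuid/setgid bits on files received by scp: added example, not OpenSSH code.

Until 10.3, scp in legacy (rcp-compatible) mode running as root without -p kept
those bits on received files. This post-transfer audit is a stopgap for hosts that
still run an older scp; it walks a destination tree, reports offending regular
files and strips only the two special bits. The file it checks is created by the
example itself in a temporary directory.
"""
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_bits(root: str) -> list:
    """Regular files under root carrying setuid or setgid. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                hits.append(path)
    return sorted(hits)


def strip_special_bits(root: str) -> list:
    """Clear setuid/setgid on every hit, leaving the remaining permission bits untouched."""
    cleaned = []
    for path in find_special_bits(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SPECIAL_BITS)
        cleaned.append(path)
    return cleaned


def demo() -> tuple:
    """Simulate a received setuid script and audit it.
    Returns (hits before, files cleaned, hits after, final mode)."""
    dest = tempfile.mkdtemp(prefix="scp-audit-")
    received = os.path.join(dest, "helper")
    with open(received, "wb") as fh:
        fh.write(b"#!/bin/sh\nid\n")
    os.chmod(received, 0o4755)  # what an old root scp in legacy mode would have left behind
    before = find_special_bits(dest)
    cleaned = strip_special_bits(dest)
    after = find_special_bits(dest)
    return len(before), len(cleaned), len(after), stat.S_IMODE(os.stat(received).st_mode)


if __name__ == "__main__":
    print(demo())  # (1, 1, 0, 493): one hit, one cleaned, none left, mode 0o755
```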

Improved ProxyJump validation and multiplexing control

On the subject of connection paths, the client brings an improvement to ProxyJump (the -J or -oProxyJump parameter). The user and host values passed on the command line are now strictly validated to prevent possible command-injection vectors in setups where those elements can be influenced by untrusted input.

It is important to stress that this validation applies only to what is received on the command line and does not affect values defined in configuration files. Even so, it provides an additional layer of protection for scripts, automation and tools that use ProxyJump dynamically.

In the area of connection multiplexing, a problem has been resolved with session confirmation when ControlMaster is set to ask or autoask and the connection is in proxy mode via "ssh -O proxy". Previously, confirmation requests were not handled correctly for this kind of multiplexed session.

In addition, new commands have been added to obtain detailed information about active sessions. The "ssh -O conninfo" command and the "~I" escape sequence display connection information for ongoing sessions, while "ssh -O channels" reports which channels the multiplexer is using. These features help troubleshoot problems in complex deployments, which are common in large organisations and EU service providers.

What's new in ssh-agent, ssh-add and key management

OpenSSH 10.3 takes another step towards alignment with the IETF draft draft-ietf-sshm-ssh-agent. On the SSH agent side, compatibility has been added with the new IANA-assigned names for agent forwarding, so that when a server advertises support for those names via the EXT_INFO message, OpenSSH prefers the standardised identifiers.

Nevertheless, support for the legacy extension with the @openssh.com suffix is retained to preserve interoperability with existing infrastructure. The ssh-agent component also gains support for the "query" extension defined in the same draft, which allows the agent's capabilities to be queried in a more structured way.

For its part, the ssh-add utility adds the -Q option to query the protocol extensions supported by the agent. This is particularly useful for security and operations teams that need to check which capabilities are available on agents deployed across different systems.

On the key side, ssh-keygen can now write ED25519 keys in PKCS8 format. This eases integration with other cryptographic tools and libraries used in business and government environments.
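Before handing such a file to another toolchain it is worth confirming what it contains. The following added example (not ssh-keygen code) is a dependency-free DER walk over a PKCS#8 PrivateKeyInfo that checks for the Ed25519 OID 1.3.101.112 and extracts the 32-byte seed as RFC 8410 lays it out. The key used is the published example from RFC 8410, not a real secret, and the ssh-keygen invocation mentioned in the comment is an assumption rather than something the release notes state.

```python
"""Verify that a PKCS#8 file holds an Ed25519 key: added example, not ssh-keygen code.

A minimal DER walk with no third-party dependencies: PrivateKeyInfo is
SEQUENCE { INTEGER version, SEQUENCE { OID }, OCTET STRING privateKey } and for
Ed25519 (OID 1.3.101.112) the privateKey is itself an OCTET STRING holding the
32-byte seed (RFC 8410). The key below is RFC 8410's published example, not a
secret. The ssh-keygen invocation in the comment is assumed, not taken from the page.
"""
import base64

ED25519_OID = "1.3.101.112"

# Assumed generation command: ssh-keygen -t ed25519 -m PKCS8 -f id_ed25519_pkcs8
RFC8410_EXAMPLE_PEM = """\
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
-----END PRIVATE KEY-----
"""


def pem_to_der(pem: str) -> bytes:
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def parse_pkcs8(der: bytes) -> dict:
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    tag2, algid, pos = read_tlv(body, pos)
    tag3, priv, _ = read_tlv(body, pos)
    if (tag, tag2, tag3) != (0x02, 0x30, 0x04):
        raise ValueError("unexpected PrivateKeyInfo layout")
    oid_tag, oid, _ = read_tlv(algid, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return {"version": int.from_bytes(version, "big"), "oid": decode_oid(oid), "private_key": priv}


def ed25519_seed(pem: str) -> bytes:
    """Return the 32-byte seed, or raise if the file is not an Ed25519 PKCS#8 key."""
    info = parse_pkcs8(pem_to_der(pem))
    if info["oid"] != ED25519_OID:
        raise ValueError(f"not Ed25519, algorithm OID is {info['oid']}")
    tag, seed, _ = read_tlv(info["private_key"], 0)  # CurvePrivateKey ::= OCTET STRING
    if tag != 0x04 or len(seed) != 32:
        raise ValueError("malformed CurvePrivateKey")
    return seed


if __name__ == "__main__":
    info = parse_pkcs8(pem_to_der(RFC8410_EXAMPLE_PEM))
    print("version", info["version"], "oid", info["oid"])
    print("seed length", len(ed25519_seed(RFC8410_EXAMPLE_PEM)))
```

Point the same functions at the file ssh-keygen produced: an RSA or ECDSA key will fail the OID check with the offending OID in the message, and an OpenSSH-native key (which is not DER at all) fails at the first SEQUENCE check.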

Source penalties and diagnostic improvements in sshd

The SSH server includes improvements aimed at reducing abuse and making observation easier. One of them is the introduction of an invalid-user penalty within PerSourcePenalties, applied when login attempts use usernames that do not exist on the system.

By default this new penalty imposes a five-second wait, consistent with the existing authfail penalty, but administrators can configure longer durations if they observe brute-force attacks or user enumeration. In addition, penalty times now have sub-second resolution, allowing penalties shorter than one second in high-frequency event scenarios.

At the same time, the new multiplexing capabilities described above ("ssh -O conninfo", "ssh -O channels" and the "~I" escape) offer greater visibility into active connections. This is very useful when diagnosing latency problems, hangs, or unusual use of SSH tunnels and channels.
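The penalty slows enumeration on the server; the monitoring side wants the complementary view, counting the same "Invalid user" events per source. Here is an added example, not part of OpenSSH, that parses sshd log lines with high-resolution timestamps, flags sources that exceed a threshold inside a sliding window, and reports the fastest burst, which is where sub-second penalty resolution becomes relevant. The log lines, addresses and usernames are constructed for the example.

```python
"""Per-source 'Invalid user' counting from sshd logs: added example, not OpenSSH code.

The new invalid-user penalty in PerSourcePenalties slows enumeration on the server;
this is the complementary view for the monitoring side, counting the same events
per source address with sub-second timestamps. The log lines are constructed in
the shape sshd emits through syslog with high-resolution RFC 3339 timestamps.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+"
)


def parse_events(text: str) -> list:
    """Return (timestamp, source_ip, username) tuples for every 'Invalid user' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return events


def noisy_sources(events: list, window: timedelta = timedelta(seconds=60), threshold: int = 3) -> dict:
    """Sources with at least `threshold` invalid-user attempts inside any sliding `window`.
    Returns {ip: (max attempts in a window, distinct usernames tried)}."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, len({u for _, u in evs}))
    return flagged


def min_interarrival(events: list, ip: str) -> float:
    """Smallest gap in seconds between consecutive attempts from one source;
    gaps well under a second are where the sub-second penalty resolution matters."""
    times = sorted(ts for ts, src, _ in events if src == ip)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else float("inf")


# Constructed log excerpt; only nonexistent accounts produce 'Invalid user' lines.
SAMPLE_LOG = """\
2025-03-01T09:00:00.000000+00:00 bastion sshd[4120]: Invalid user admin from 203.0.113.5 port 51234
2025-03-01T09:00:00.200000+00:00 bastion sshd[4121]: Invalid user ubnt from 203.0.113.5 port 51235
2025-03-01T09:00:00.400000+00:00 bastion sshd[4122]: Invalid user test from 203.0.113.5 port 51236
2025-03-01T09:00:00.600000+00:00 bastion sshd[4123]: Invalid user oracle from 203.0.113.5 port 51237
2025-03-01T09:05:12.000000+00:00 bastion sshd[4130]: Invalid user deploy from 198.51.100.7 port 40022
2025-03-01T09:05:13.000000+00:00 bastion sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(noisy_sources(evs))
    print(f"fastest burst from 203.0.113.5: {min_interarrival(evs, '203.0.113.5'):.1f}s between attempts")
```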

Further security and compatibility changes

OpenSSH 10.3 adds the GSSAPIDelegateCredentials server option to sshd. This setting controls whether the server accepts delegated credentials offered by the client. The option mirrors the existing client-side setting and lets behaviour be aligned with each organisation's internal policies on Kerberos and credential delegation.

The scope of the RevokedHostKeys directive in ssh_config and of RevokedKeys in sshd_config has been widened: both can now point to several files. This makes it easier to maintain revocation lists split by project, department or trust level, which helps in large infrastructures with many teams and vendors.

This release also fixes several operational issues: a bug in PIN entry for PKCS#11 keys introduced in versions 10.1 and 10.2, improved handling of FIDO/WebAuthn certificate signatures, an sshd crash related to a missing subsystem command inside Match blocks, and a username-confusion problem in the PAM module addressed in the portable branch.

With this release, OpenSSH 10.3 delivers a comprehensive set of changes that improve security, correct legacy behaviours and extend administrative control without losing compatibility with most modern systems. Organisations that rely on SSH for remote administration, automation and secure tunnelling would do well to plan the upgrade, first checking their test environments to identify possible problems caused by legacy components, unusual connection paths or heavily customised configurations.
