Ngaphandle kweleyibhile yenguqulelo, I-OpenSSH 10.1 idibanisa indlela eqalwe ngothotho lwe-10: ukufudukela kwi-post-quantum cryptography, i-QoS yesimanje kunye ne-DSCP, kunye nokuqina kweendawo ezibuthathaka ngokwembali (ii-arhente, izitshixo, iirejistri, kunye nokwahlulahlula ipharamitha). Ngezantsi uya kufumana uphononongo olunzulu lwazo zonke iimpawu ezintsha (ngomxholo apho wongeza ixabiso), kunye nezikhokelo ezisebenzayo zokuzamkela ngaphandle kokumangalisa.
Oku kulandelayo luhlu kunye ne Yintoni entsha kolu guqulelo, ikwafumaneka kwi amanqaku asemthethweni.
Khupha amagqabantshintshi kunye noMongo
Ukukhutshwa ngokusemthethweni kwe-OpenSSH 10.1 (2025-10-06) kuqaqambisa iizembe ezintathu: Ukhuseleko lothintelo ngokuchasene ne-quantum cryptography, inethiwekhi ze-DSCP, kunye nokucoca igalelo. Ikwadibanisa utshintsho oluthile olunempembelelo ephezulu yokusebenza: ukusuka kwiindlela zesokethi ye-arhente ukuya iimpawu ezintsha zokuxilonga.
Isikhumbuzo esiphambili seprojekthi: Ukhupho lwexesha elizayo luya kuzihoya iilogi ze-SHA-1 ezisekwe kwi-SSHFPngexesha ssh-keygen -r ngoku yenza iminwe yeminwe ye-SSHFP kuphela nge-SHA-256 ngokuzenzekelayo, ukuvala ucango kwiihashi ezibuthathaka ye-DNSSEC kunye nokuqinisekisa isitshixo sesitshixo.
Isilumkiso se-Cryptography esingeyo-Post-Quantum kunye noKhetho olutsha lweWarnWeakCrypto
I-OpenSSH 10.1 yazisa isilumkiso xa uqhagamshelo luthethathethana ngotshintshiselwano olungundoqo olo ayichasananga nokuhlaselwa kwe-post-quantumInjongo kukugxila kumngcipheko "wevenkile ngoku, ukucima kamva" kwaye ukhawulezise utshintsho kwiindawo ezibuthathaka.
Le ndlela yokuziphatha ilawulwa nge WarnWeakCrypto (ku ssh_config), eyenziwa ngokungagqibekanga. Ukuba ufuduka kancinci okanye ugcina ababuki zindwendwe, Unokukhetha ukukhubaza isilumkiso ngeebhloko zomdlalo. Umzekelo:
Umamkeli womdlalo unsafe.example.com WarnWeakCrypto no
I-Cryptography kunye nemeko yobugcisa: i-PQC, i-hybrids kunye ne-SSHFP
Kwi-10.0, umxhasi utshintshele ekusebenziseni ngokungagqibekanga mlkem768x25519‑sha256, i-algorithm ye-post-quantum ye-hybrid edibanisa ML-KEM (KEM NIST FIPS 203) kunye X25519. Esi sicwangciso se-hybrid siqinisekisa ukuba nokuba i-cryptanalytic impumelelo yayiza kuvela kwicala le-PQ, awuyi kuba mbi ngakumbi kune-ECDH yakudala kuba itshaneli igcina amandla e-X25519.
Nge-10.1, ukongeza kwisilumkiso esichazwe ngasentla, utshintsho luqiniswa: I-OpenSSH iya kuqhubeka nokungayihoyi i-SSHFP nge-SHA‑1 kwixesha elizayo.; isixhobo ssh-keygen sele ikhupha i-SSHFP nge-SHA-256 ngokukhethekileyo. Ngokusebenza, isenzo esicetyiswayo si hlaziya kwaye upapashe iminwe yeminwe ye-SSHFP kwi-SHA-256 kwimikhosi yakho.
Imibuzo ebuzwa qho: Kutheni unyanzelisa ngoku ukuba iikhompyuter ze-quantum azikwazi ukwaphula i-SSH? Kuba abahlaseli banokubamba namhlanje kwaye bakhuphe ikhowudi ngomso. Ukusebenzisa i-post-quantum KEX sele ithomalalisa loo vector. Kwaye ukuba unexhala malunga nolutsha lwe-algorithms ye-PQ, khumbula ukuba indlela ye-hybrid igcina umgangatho wokhuseleko weklasi njengesiseko.
Ukuphuculwa kweNethiwekhi yangoku: DSCP/IPQoS kunye nokuBekwa phambili kweTrafikhi
Olu khululo ludibanisa uhlengahlengiso olunzulu lweQoS. Kuzo zombini umxhasi kunye neseva, Ukungagqibeki kwetrafiki esebenzayo kudidi lwe-EF (Ugqithiso oluKhawuliweyo), enceda ekunciphiseni ukubambezeleka kwi-Wi-Fi kunye nemidiya exineneyo. Ukutshintshela kwitrafikhi engasebenziyo ekusebenziseni i uphawu lwe-DSCP olungagqibekanga lwenkqubo, ngaphandle kokubeka kwindawo yokuqala.
Enyanisweni, zombini ssh(1) kunye ne-sshd(8) zitshintsha ngamandla uphawu olusetyenziswa ngokohlobo lwamajelo akhoyo: ukuba udibaniso olufanayo ludibanisa iqokobhe kunye a sftp, inqanaba lodluliselo olungasebenziyo iya kusebenzisa ixabiso le-non-interactive ngexesha lokusebenza kwaye ibuyele kwi-EF xa kufanelekile. Oku kulawulwa sisitshixo IPQoS en ssh_config y sshd_config.
Kwakhona, Inkxaso ye-IPv4 ToS endala iyarhoxiswa kwi IPQoS ukhetho (lowdelay, throughput, reliability yeka ukuba nesiphumo). Ukuba ubuzisebenzisa, ifudukela kwi-DSCP nomenclature (umzekelo, ef, cs0, af11, njl).
Ukufakwa lukhuni: abasebenzisi, ii-URIs, kunye nokwandiswa
Kwicandelo lokhuseleko, i-10.1 ilungisa imeko efihlakeleyo apho, ukuba wakhe imigca yomyalelo ngedatha yangaphandle kwaye ngexesha elifanayo lisetyenziswa. I-ProxyCommand ene-%r/%u izandiso, umhlaseli unokuchwechwa athethe amazwi eqokobhe. Ukunciphisa oku, ssh(1) ngoku iyabanqanda abalinganiswa bolawulo kwi-CLI-ipasiswe okanye abasebenzisi abondisiweyo, kwaye ivala kwakhona unobumba ongekhoyo kwii-URIs ssh://.
Inqaku lokuhambelana: Indawo yokuqinisekisa ithotyiwe ukunqanda ukophula amatyala asemthethweni. Amagama omsebenzisi oqobo achazwe kwiifayile zoqwalaselo (ngaphandle kwe%) ukwandiswa kukhululiwe, ngesiseko sokuba uqwalaselo lwendawo luthathwa njengelithenjiweyo.
Imiqondiso ephilayo kunye nolwazi: SIGINFO kunye nokubonakala
Elinye icebiso elisebenzayo lokulungisa ingxaki: ssh(1) kunye ne-sshd(8) zizuze abaphathi be-SIGINFO ezirekhoda ubume bamajelo asebenzayo kunye neeseshoni. Kwimveliso, oku iququzelela ukuxilongwa kokuhamba, ukuphindaphinda, ukudlulisa kunye ne-X11 ngaphandle kwesidingo sokuncamathisela i-debugger okanye ukwandisa i-verbosity ngokuhlaselayo.
Ngokuhamba nemigca efanayo yokungafihli, xa ukuqinisekiswa kwesatifikethi kusilela, sshd ngoku iloga ulwazi olwaneleyo ukuchonga isatifikethi (kwaye kwakutheni ukuze yaliwe). Ukuba usebenza nge-PKI kunye nezatifikethi zomsebenzisi / zomkhosi, olu phuculo iwanciphisa kakhulu amaxesha esisombululo.
ssh-arhente kunye nezitshixo: iisokethi, ucoceko, kunye ne-PKCS#11
Ukuthintela ufikelelo olunqamlezileyo kwimo engqongileyo ngokunyuswa okuthintelweyo kwe /tmp, iisokethi zearhente (kunye nezo zidluliselwe phambili sshd) Ndiyazi susa kwi/tmp ukuya ~/.ssh/agent. Ngoko ke, inkqubo enemvume ezilinganiselweyo ivuliwe /tmp ayisekho ngengozi ilifa ukukwazi ukusayina nezitshixo zakho ukusuka arhente.
Olu tshintsho lunenye into ephuma kuyo: ngaphambi kokuba i-OS icoce iziseko eziphelelwe lixesha, ngoku ssh-arhente ibandakanya ukucoca kwayo ukusuka kwiziseko ezindala. Ukongeza, iarhente yongeza iiflegi ezintsha: -U y -u ukulawula ucoceko ekuqaleni, -uu ukungahoyi igama lomninimzi ekucoceni, kunye -T ukunyanzela indawo yembali kwi /tmp ukuba uyayifuna ngenene.
Kwinqwelomoya engundoqo, umxhasi kunye ne-arhente I-ED25519 ibanjwe kwi-PKCS#11 iithokheni zixhaswa ngokuUkuba uthembele kwii-HSM okanye izitshixo ze-cryptographic, uya kufumana ukuguquguquka ngaphandle kokuncama amandla.
ssh-yongeza kunye nezatifikethi: ukuphela kwexesha lokuzicoca
Xa usongeza izatifikethi kwi-arhente, Ukuphelelwa kwayo ngoku kumiselwe ixesha lobabalo lwemizuzu emi-5Umbono ulula: vumela ukuthengiselana ukuba kugqitywe emgceni kwaye emva koko, cima isatifikethi somenzeli ngokuzenzekelayo. Ukuba ukuhamba kwakho kufuna ulawulo olupheleleyo, ssh‑add -N khubaza le ndlela yokuziphatha.
I-RefuseConnection: i-client-side controlled disconnection
Kukho iimeko apho unomdla wokulahla uxhulumaniso kumxhasi ngokwawo ngomyalezo ocacileyo (umzekelo, ukuqondisa ngokutsha okusebenzayo okanye izaziso zokurhoxisa). I-OpenSSH 10.1 yongeza YalaUnxibelelwano a ssh_config: ukuba udibene ngelixa kusenziwa icandelo elishushu, umxhasi uphelisa ngempazamo kwaye ibonisa okubhaliweyo osichazileyo.
Umgangatho wekhowudi kunye nokhuseleko oluphilayo
Iqela liyaqhubeka nokucoca i-codebase. 10.1 izintlu ukuvuza kwememori kulungisiwe, ukuphuculwa kwe-atomia xa kubhalwa known_hosts ngokubakho okuphezulu kunye nabaninzi iimeko zobuhlanga zisonjululwe kwiinkqubo ezifana MaxStartups okanye iiseshini ze-X11.
Inqaku lokucoca i-crypto: inkxaso ye-XMSS isusiwe (uvavanyo kwaye aluzange luzenzekele). Ukulungiselela umhlaba iinkqubo zesiginitsha ze-post-quantum abaqolileyo ngakumbi abaya kuza kwiinguqulelo ezizayo.
Ukuphatheka kunye ne-ecosystem: PAM, FreeBSD, macOS, Android...
Utshintsho lokuphatheka luchaphazela imida emininzi: iitshekhi ezongezelelweyo kwindawo PAM (njengokuqinisekisa ukuba umsebenzisi akatshintshi ngexesha lenkqubo), ukuphuculwa kokudibanisa kunye FreeBSD (ukuhanjiswa kwe-tun kunye nokuhambelana), Mac (ukufumanisa okuqinileyo kwemisebenzi kunye nezihloko) kunye Android (yila i-passwd enemihlaba engeyo-null).
Izihloko zokuhambelana nazo zongezwa kumaqonga ngaphandle kwamathala eencwadi asemgangathweni, ukunciphisa inani #ifdef sachithwa. Ekugqibeleni, ziyasulungekiswa iipolisi zebhokisi yesanti kwiLinux ukugquma iisyscalls njenge futex_time64 kwi-32-bit, kwaye inkxaso yongezwa kuyo AWS-LC njengenye indlela ye-OpenSSL/LibreSSL.
I-QoS esenzweni: Imizekelo eSebenzayo kunye ne-IPQoS yokufuduka
Ukuba usebenzise iziteketiso zeToS endala (lowdelay, throughput...), ngoku abayi kuhoywa kwaye uyakubona umyalezo osusa iimpazamo ucebisa iDSCP. Ukufuduka okuqhelekileyo kuya kuba kukusuka IPQoS lowdelay a IPQoS ef kwiiseshoni zokunxibelelana; ukuba wenza kwakhona enzima SFTP, ungakwazi chaza iinkangeleko ngomdlalo en ssh_config/sshd_config ukwahlula itrafikhi.
Khumbula ukuba injini ikhetha ngokuzenzekelayo kunye nohlaziyo Iphawula ngexesha lokwenyani ngokusekelwe kumajelo avulekileyo, ngoko ke uninzi lomsebenzi sele lwenzelwe wena yi-OpenSSH.
Ukufakela i-OpenSSH 10.1 kwi-Linux (umthombo)
Ngelixa unikezelo ludibanisa inguqulelo, ungaqokelela kumthombo osemthethweni. Khuphela itarball kwizibuko zeprojekthi, vula unzip, kwaye uqokelele:
I-tar -xvf ivula-10.1.tar.gz
Ngenisa uvimba weefayili kwaye qwalasela izimaphambili kunye neendlela zoqwalaselo ukuba uyayifuna. Umzekelo:
cd openssh-10.1 ./configure --prefix=/opt --sysconfdir=/etc/ssh
Qokelela kwaye ufake njengesiqhelo (kuxhomekeke kwiimvume, mhlawumbi nge superuser):
enza
make install
Vula i-OpenSSH kwiWindows ngePowerShell
Kwiimekobume zeWindows zangoku (Iseva 2019/Windows 10 1809+), Ungafakela umxhasi we-OpenSSH kunye neseva njengeempawu zenkqubo.. Jonga amandla kunye nobume:
Fumana-WindowsCapability-Online | Apho-Igama Lento-njenge'OpenSSH*'
Faka amacandelo njengoko ufuna:
Yongeza-i-WindowsCapability -Online -Igama OpenSSH.Client~~~~0.0.1.0 Yongeza-iWindowsCapability -Online -Igama OpenSSH.Server~~~~0.0.1.0
Qala kwaye uvule inkonzo yeseva ye-SSH, kwaye ujonge umthetho ongaphakathi kwi-firewall:
Qala-Inkonzo ye-sshd Seta-Inkonzo-Igama elithi sshd -StartupType 'Automatic' Fumana-NetFirewallRule -Igama 'OpenSSH-Server-In-TCP' -ErrorAction Silently Continue
Ukuqhagamshela kwenye Windows okanye i-Linux host, sebenzisa umxhasi oqhelekileyo: ssh dominio\usuario@servidor. Ekufikeni kokuqala, Yamkela iminwe yesandla kwaye ungqinisise ngephasiwedi yakho.
Isikhokelo sokuSebenza: ukuxilongwa kunye neendlela ezilungileyo
Kwimeko-bume ezinezatifikethi zomsebenzisi/umamkeli, sebenzisa ithuba lokugawulwa kwemithi okuphuculweyo yokukhanyela kwi sshd ukulungisa ingxaki kwii-CAs kunye nezandiso. Ukuba iseshoni iyabambeka okanye ukrokrela ukuphindaphinda, isungula SIGINFO kwinkqubo yokudwelisa amajelo asebenzayo ngaphandle kokunyusa umgangatho welog yehlabathi.
Ukuba uxhomekeke kwiiarhente, khangela apho iziseko zihlala khona ngoku (~/.ssh/agent) kunye vula ukucoca okuzenzekelayo kwimodeli yakho yokuhambisa. Kwizitishi zokusebenzela ekwabelwana ngazo okanye zeNFS, cinga ukusebenzisa iflegi ye-arhente ukuseta igama lomamkeli weehashes endleleni xa kuyimfuneko.
Uninzi lolungiso lwebug olufanelekileyo
Ngo-10.1 zisonjululwe ukuhlehla okuncinci kwi-X11 xa idityaniswe nokunciphisa izinga lentliziyo (ObscureKeystrokeTiming), ityala le Ubalo-mali olulambathayo lweMaxStartups ezinokuthi zikhukula kwiindawo zokubeka, kunye nokubhalwa kwe known_hosts yenziwe ngoku kwimisebenzi yeathom ukuphepha imigca enqamlezileyo ehambelana nemali eninzi.
Ezinye izilungiso ziyaphucuka diagnostics xa ulayisha izitshixo, Ukuphathwa kwemida yobukhulu be-config (ukusuka kwi-256KB ukuya kwi-4MB), imveliso yophicotho kunye neemeko zekona ezingaqhelekanga kwiindawo zangaphambili kunye nolandelelwano lolawulo. Ukongeza, imiyalezo kunye nemveliso evela ssh -G y sshd -T.
Uluhlu lwemfuduko olundululwayo
Olu luhlu olukhawulezayo Ibandakanya imisebenzi ecetyiswa yiprojekthi ngokwayo kunye nezinto ezivela kwiinguqu:
- I-Crypto: jonga eyakho
KexAlgorithmsivumela i-PQ ye-hybrid kwaye yenza i-SSHFP entsha kwi-SHA-256 ngessh-keygen -r. - I-QoS: phuma
IPQoSkumxhasi/umncedisi; ukufudusa iToS yelifa ukuya kwi-DSCP; ukunyusa i-EF kwiiseshoni ezisebenzisanayo. - Iiarhente: ilungisa izikripthi kunye nezinto eziguquguqukayo kwiisokethi eziphantsi
~/.ssh/agent; ixabiso lokucoca ngokuzenzekelayo yi-arhente ngokwayo. - Uqwalaselo olukhulu: Ukuba uvelisa uqwalaselo oluninzi, umda uya kuthi ga kwi-4MB; yisebenzise ngobulumko kwaye ilawula ukuqinisekiswa.
- Abahlalutyi: kuphephe ukwakha imigca yomyalelo kwigalelo elingathenjwa; sebenzisa
configabantu balapha abaneentsingiselo ezicacileyo xa uneziganeko ezingaqhelekanga kumagama abasebenzisi.
Abo balawula izithuthi ezixubeneyo baya kuyivuyela into yokuba 10.1 cofa ukhuseleko apho kubuhlungu khona kancinci (abahlalutyi, ii-arhente, izilumkiso) kwaye ngaxeshanye ukuphucula amava emihla ngemihla (Dynamic QoS, SIGINFO, ukugawulwa kwesatifikethi). Ukuba ubusele ukwi-10.0, utshintsho luthe ngqo; ukuba uvela ku-9.x, thatha ixesha lokushuna i-DSCP, yenza kwakhona i-SSHFP ukuya ku-SHA‑256, kwaye wenze i-hybrid KEXs uzikhusele kwisisongelo se-quantum ngaphandle kokuncama ukusebenza.
