Ngemuva kwezinyanga ezine zentuthuko, ukwethulwa kwe- inguqulo entsha ye I-OpenSSH 8.2, okuwukuqalisa kwamakhasimende nokuvula kweseva ukusebenza kwizivumelwano ze-SSH 2.0 ne-SFTP. A izithuthukisi ezibalulekile lapho kwethulwa ngu-OpenSSH 8.2 feu amandla wokusebenzisa ubuqiniso bezinto ezimbili usebenzisa amadivayisi esekela umthetho olandelwayo we-U2F ithuthukiswe ngumbimbi lweFIDO.
I-U2F ivumela ukwenziwa kwamathokheni wehadiwe wezindleko eziphansi ukuqinisekisa ubukhona bomsebenzisi ngokomzimba, ukuxhumana kwakhe nge-USB, i-Bluetooth noma i-NFC. Amadivayisi anjalo akhuthazwa njengendlela yokuqinisekiswa kwezinto ezimbili kumasayithi, asevele ehambisana nazo zonke iziphequluli ezinkulu, futhi akhiqizwa ngabakhiqizi abahlukahlukene, kufaka phakathi iYubico, Feitian, Thetis, neKensington.
Ukusebenzisana namadivayisi aqinisekisa ukuba khona komsebenzisi, I-OpenSSH ingeze izinhlobo ezimbili ezintsha zokhiye "ecdsa-sk" kanye "ed25519-sk", ezisebenzisa i-ECDSA ne-Ed25519 digital signature algorithm ngokuhambisana ne-SHA-256 hash.
Izinqubo zokuxhumana namathokheni zidluliselwe kumtapo wezincwadi ophakathi, elayishwe ngokufana nomtapo wezincwadi wokusekelwa kwe-PKCS # 11 futhi iyisixhumanisi kumtapo wezincwadi we-libfido2, esihlinzeka izindlela zokuxhumana namathokheni nge-USB (FIDO U2F / CTAP 1 kanye nezinqubo ze-FIDO 2.0 / CTAP zisekelwa ezimbili).
Umtapo wolwazi we-libsk-libfido2 ophakathi owenziwe ngabathuthukisi be-OpenSSHfuthi kufaka phakathi i-kernel libfido2, kanye nomshayeli we-HID we-OpenBSD.
Ukuqinisekisa nokwenziwa kokhiye, kufanele ucacise ipharamitha ye- "SecurityKeyProvider" ekucushweni noma usethe ukuguquguquka kwemvelo SSH_SK_PROVIDER, ucacisa indlela eya kumtapo wezincwadi wangaphandle libsk-libfido2.so.
Kungenzeka kwakhiwe ukuvuleka ngokusekelwa okwakhelwe ngaphakathi komtapo wezincwadi ophakathi nendawo futhi kulokhu udinga ukusetha ipharamitha "SecurityKeyProvider = yangaphakathi".
Futhi, ngokuzenzakalela, lapho kwenziwa imisebenzi eyisihluthulelo, kudingeka isiqinisekiso sendawo sokuba khona komsebenzisi ngokomzimba, isibonelo, kuphakanyiswa ukuthinta inzwa ethokheni, okwenza kube nzima ukwenza ukuhlaselwa okukude kumasistimu anethokheni elixhunyiwe .
Ngakolunye uhlangothi, inguqulo entsha ye- I-OpenSSH iphinde yamemezela ukudluliswa okuzayo esigabeni esiphelelwe yisikhathi sama-algorithms asebenzisa i-SHA-1 hashing. ngenxa yokwanda kokusebenza kokuhlaselwa kokushayisana.
Ukwenza lula ushintsho kuma-algorithm amasha ku-OpenSSH ekukhishweni okuzayo, ukusethwa kwe-UpdateHostKeys kuzonikwa amandla ngokuzenzakalela, Ezoshintshela amaklayenti ngokuzenzakalela kuma-algorithm ethembekile.
Ingatholakala futhi ku-OpenSSH 8.2, amandla wokuxhuma usebenzisa i- "ssh-rsa" isasele, kepha le algorithm isusiwe ohlwini lwe-CASignatureAlgorithms, oluchaza ama-algorithms avumelekile ukusayina izitifiketi ezintsha ngamadijithi.
Ngokufanayo, i-algorithm ye-diffie-hellman-group14-sha1 isusiwe kuma-algorithm we-key key exchange.
Kwezinye izinguquko ezigqamile kule nguqulo entsha:
- Umhlahlandlela wokufaka ungezwe ku-sshd_config, evumela okuqukethwe kwamanye amafayela ukuthi kufakwe endaweni yamanje yefayela lokumisa.
- Isiqondisi se-PublishAuthOptions sengeziwe ku-sshd_config, kuhlanganiswa izinketho ezahlukahlukene ezihlobene nokufakazela ubuqiniso kokhiye womphakathi.
- Kungezwe inketho "-O write-attestation = / path" ku-ssh-keygen, evumela ukuthi izitifiketi ezingeziwe ze-FIDO zibhalwe lapho kukhiqizwa okhiye.
- Amandla wokukhipha i-PEM okhiye be-DSA ne-ECDSA engezwe ku-ssh-keygen.
- Kungezwe umsizi omusha we-ssh-sk-executable osetshenziswayo ukuhlukanisa ilabhulali yokufinyelela yamathokheni e-FIDO / U2F.
Ungayifaka kanjani i-OpenSSH 8.2 ku-Linux?
Kulabo abanentshisekelo yokukwazi ukufaka le nguqulo entsha ye-OpenSSH kumasistimu abo, ngoba manje sebengakwenza ukulanda ikhodi yomthombo yalokhu futhi benza ukuhlanganiswa kumakhompyutha abo.
Lokhu kungenxa yokuthi inguqulo entsha ayikakafakwa ezinqolobaneni zokusabalalisa okukhulu kwe-Linux. Ukuthola ikhodi yomthombo ye-OpenSSH 8.2. Ungakwenza lokhu kusuka ku- isixhumanisi esilandelayo (ngesikhathi sokubhala iphakheji ayikatholakali ezibukweni futhi basho ukuthi kungathatha amanye amahora ambalwa)
Uqedile ukulanda, manje sizovula iphakheji ngomyalo olandelayo:
tar -xvf openssh-8.2.tar.gz
Sifaka umkhombandlela owakhiwe:
cd openssh-8.2
Y singahlanganisa imiyalo elandelayo:
./configure --prefix=/opt --sysconfdir=/etc/ssh make make install