Google releases the source code of HIBA, an identity-based SSH authorization mechanism

A few days ago, Google announced in a blog post the release of the source code of the HIBA (Host Identity Based Authorization) project, which proposes an additional authorization mechanism for organizing user access over SSH in relation to hosts (checking whether access to a specific resource is allowed when authenticating with public keys).

Integration with OpenSSH is provided by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project's code is written in C and is distributed under the BSD license.

About HIBA

HIBA uses the standard authentication mechanisms based on OpenSSH certificates for flexible and centralized management of user authorization in relation to hosts, but it does not require periodic changes to the authorized_keys and authorized_users files on the hosts being connected to.

Instead of storing a list of valid public keys and access conditions in authorized_(keys|users) files, HIBA integrates the host binding information directly into the certificates themselves. In particular, extensions are proposed for host certificates and user certificates, which store the host parameters and the conditions for granting user access.

While OpenSSH provides many methods, from a simple password to the use of certificates, each of them brings its own challenges.

Let us start by clarifying the difference between authentication and authorization. The first is a way of showing that you are the entity you claim to be. This is usually accomplished by providing the secret password associated with your account or by signing a challenge that shows you hold the private key corresponding to a public key. Authorization is a way of deciding whether an entity has permission to access a resource, and it is usually performed after authentication.

Host-side verification is initiated by calling the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. This handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or block access. Access rules are defined centrally at the certificate authority (CA) level and are integrated into the certificates when they are generated.

On the certificate authority side, there is a general list of available grants (the hosts you can connect to) and a list of users who can use these grants. The hiba-gen utility is proposed for generating certificates with embedded grant information, and the functionality needed to create a certificate authority has been moved to the hiba-ca.sh script.

When a user connects, the credentials specified in the certificate are verified by the digital signature of the certificate authority, which allows all verification to be performed entirely on the target host to which the connection is made, without contacting external services. The list of public keys of the CAs that certify SSH certificates is specified by the TrustedUserCAKeys directive.

HIBA defines two extensions to SSH certificates:
The HIBA identity, attached to host certificates, lists the properties that define this host. They will be used as criteria for granting access.
The HIBA grant, attached to user certificates, lists the constraints that a host must match for access to be granted.

In addition to directly binding users to hosts, HIBA lets you define more flexible access rules. For example, hosts can be associated with information such as location and service type, and, when defining user access rules, connections can be allowed to all hosts with a given service type or to all hosts in a given location.
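The matching idea described above, as an added example that is not part of the original article or HIBA's own code: a simplified Python model in which a host identity is a set of properties and each grant is a set of constraints. The property names (`location`, `service`, `owner`), the dictionary encoding and the fail-closed handling of empty grants are assumptions made for illustration.

```python
# Simplified model of identity/grant matching. The attribute names and the
# dict encoding are assumptions for illustration, not HIBA's certificate format.
from typing import List, Mapping, Sequence

Identity = Mapping[str, str]   # properties carried in the host certificate
Grant = Mapping[str, str]      # constraints carried in the user certificate


def grant_matches(identity: Identity, grant: Grant) -> bool:
    """A grant applies only if every constraint equals the host's property."""
    if not grant:
        # Fail closed: an empty grant would otherwise match every host.
        return False
    for key, wanted in grant.items():
        # A constraint on a property the host does not declare is a mismatch.
        if identity.get(key) != wanted:
            return False
    return True


def authorize(identity: Identity, grants: Sequence[Grant]) -> bool:
    """Allow the login if at least one grant in the user certificate matches."""
    return any(grant_matches(identity, g) for g in grants)


# Constructed sample data: three hosts and three users.
HOSTS = {
    "db1": {"location": "eu-west", "service": "database"},
    "web1": {"location": "eu-west", "service": "web"},
    "db2": {"location": "us-east", "service": "database"},
}
USERS = {
    "dba": [{"service": "database"}],                       # every database host
    "eu-ops": [{"location": "eu-west"}],                    # every host in one location
    "web-dev": [{"location": "eu-west", "service": "web"},  # one narrow grant
                {"owner": "web-team"}],                     # property no host declares
}


def reachable(user: str) -> List[str]:
    """Hosts that the user's grants allow, sorted for stable output."""
    return sorted(h for h, ident in HOSTS.items() if authorize(ident, USERS[user]))


if __name__ == "__main__":
    for user in USERS:
        print(user, "->", reachable(user))
```

Because the decision depends only on data inside the two certificates, adding a new database host in this model requires no change to any user's grants.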

Finally, if you are interested in learning more about it, you can check the details at the following link.

