Security

EFI build of GRUB2 now contains several security-oriented modules

The GRUB EFI build in Fedora 31 now includes the cryptodisk, luks, and verify GRUB modules, so GRUB itself can open LUKS-encrypted volumes and check signatures on the files it loads. For more details, see the Distribution-wide changes section.

Existing system-wide crypto policies can now be customized

The crypto-policies package now lets administrators customize the existing system-wide policy levels (such as DEFAULT) by removing or adding individual algorithms and protocols, instead of replacing a whole policy.

For example, it is now possible to take the existing DEFAULT policy and disable SHA1, or enable a national crypto algorithm that the crypto libraries support but the shipped policies leave disabled.

To do this, write a small policy modifier file in /etc/crypto-policies/policies/modules/ and apply it together with the base policy using the update-crypto-policies command (see update-crypto-policies(8) for the file syntax and the BASE:MODULE form of --set).
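As an added example (not code from the release notes or from the crypto-policies project), the following script writes a policy modifier that removes SHA1 from DEFAULT, applies it, and verifies the result. The module name LOCAL-NO-SHA1 is an arbitrary choice, and the algorithm identifiers in the sign line are assumed to match those used by the installed DEFAULT policy; check /usr/share/crypto-policies/policies/DEFAULT.pol before relying on them.

```shell
#!/bin/sh
# Added example for the crypto-policies customization described above; it is
# not code from the Fedora release notes or the crypto-policies project.
# Assumptions (not from the page): the module name LOCAL-NO-SHA1, the module
# directory, and the exact identifiers on the `sign =` line.
set -u

MODULE_NAME="LOCAL-NO-SHA1"
MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"

# Write a policy modifier that removes SHA-1 from the hash and signature
# lists of the base policy. In a .pmod file a leading '-' drops an algorithm
# from the base policy's list; a bare name adds one, which is how a national
# algorithm that the libraries already support would be enabled instead.
# Prints the path of the file it wrote.
write_no_sha1_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE_NAME.pmod" <<'EOF'
# LOCAL-NO-SHA1: remove SHA-1 from the base policy (local customization)
hash = -SHA1
sign = -RSA-SHA1 -ECDSA-SHA1
EOF
    printf '%s\n' "$dir/$MODULE_NAME.pmod"
}

# Apply DEFAULT plus the modifier and regenerate the per-library back-end
# configuration under /etc/crypto-policies/back-ends/. Requires root.
apply_module() {
    update-crypto-policies --set "DEFAULT:$MODULE_NAME"
}

# Verify: the effective policy name must carry the module, and SHA1 must no
# longer appear in the generated OpenSSL configuration.
verify_applied() {
    shown="$(update-crypto-policies --show)"
    if [ "$shown" != "DEFAULT:$MODULE_NAME" ]; then
        echo "active policy is '$shown', expected DEFAULT:$MODULE_NAME" >&2
        return 1
    fi
    if grep -qi 'SHA1' /etc/crypto-policies/back-ends/opensslcnf.config; then
        echo "SHA1 still present in the OpenSSL back-end config" >&2
        return 1
    fi
    echo "DEFAULT:$MODULE_NAME active; SHA1 removed from the OpenSSL back-end"
}

# Only touch the real system when run as root with the tool installed;
# otherwise just write the module into a scratch directory to show its shape.
if [ "$(id -u)" -eq 0 ] && command -v update-crypto-policies >/dev/null 2>&1; then
    write_no_sha1_module "$MODULE_DIR"
    apply_module && verify_applied
else
    write_no_sha1_module "$(mktemp -d)"
fi
```

Services pick up the regenerated back-end files only when they reload their crypto library configuration, so restart long-running daemons after applying a modifier. `update-crypto-policies --set DEFAULT` reverts to the unmodified policy.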

SSH no longer allows root password login

The OpenSSH server no longer allows the root user to log into Fedora remotely with a password. This matches the upstream OpenSSH project, which disabled remote root password login in its 7.0 release. Remote root password login was a common target of brute-force attacks.

The root user can still remotely log in using a public SSH key.

The /etc/ssh/sshd_config file shipped with Fedora 31 no longer enables the PermitRootLogin option, so the OpenSSH default (prohibit-password) applies. If you upgrade to Fedora 31 on a system where you have modified this file, the upgrade keeps your version and installs the new file as /etc/ssh/sshd_config.rpmnew; any PermitRootLogin setting in your existing file therefore stays in effect until you merge the change.

If you use the remote root password login in Kickstart or cloud-init scripts, Fedora recommends the following alternatives:

  • Switch to public key authentication.

  • Create a different administrative user.

You can re-enable root password login:

  • In the Fedora installer (Anaconda), enable the Allow root SSH login with password option when setting a password for root.

  • On an already installed system, set PermitRootLogin yes in /etc/ssh/sshd_config and restart the sshd service.
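Because sshd keeps the first value it reads for a keyword, a stray PermitRootLogin line near the top of a merged sshd_config silently overrides anything set later. The following added script (not code from the release notes or from OpenSSH) reports the global value sshd will use for a given file and rewrites it safely; the configuration lines it parses are constructed for the example.

```shell
#!/bin/sh
# Added example for the sshd PermitRootLogin change described above; not code
# from the Fedora release notes or from OpenSSH. Sample config is constructed.
set -u

# Print the global PermitRootLogin value sshd will use for file $1.
# sshd keeps the first value it reads for a keyword and ignores later ones, so
# the first uncommented occurrence before any Match block wins; with none, the
# OpenSSH default since 7.0 (prohibit-password) applies. "without-password" is
# the older spelling of the same setting and is reported as prohibit-password.
# Include directives (OpenSSH 8.2 and later) are not followed.
effective_permit_root_login() {
    value="$(awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "match" { exit }          # stop at the first Match block
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); exit
            }
        }' "$1")"
    value="${value:-prohibit-password}"
    [ "$value" = without-password ] && value=prohibit-password
    printf '%s\n' "$value"
}

# Exit status 0 when root may log in with a password over SSH (the setting
# Fedora 31 no longer ships), 1 otherwise.
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1")" = yes ]
}

# Force a global value by placing it first, where sshd is guaranteed to read
# it before anything else; earlier global entries are commented out so the
# file still reads honestly. Match-block entries are left alone.
# $1 = file, $2 = yes | no | prohibit-password | forced-commands-only
set_permit_root_login() {
    case "$2" in
        yes|no|prohibit-password|forced-commands-only) ;;
        *) echo "invalid PermitRootLogin value: $2" >&2; return 1 ;;
    esac
    tmp="$(mktemp)"
    {
        printf 'PermitRootLogin %s\n' "$2"
        awk '
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) ~ /^permitrootlogin(=.*)?$/ { $0 = "#" $0 }
            { print }' "$1"
    } > "$tmp" && mv "$tmp" "$1"
}

# Constructed sshd_config fragment: the commented default line does not count,
# and the first live line (PermitRootLogin=yes) beats the later "no".
sample_cfg() {
    cat <<'EOF'
# constructed sshd_config fragment for this example
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin=yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}

demo() {
    f="$(mktemp)"
    sample_cfg > "$f"
    printf 'before: %s\n' "$(effective_permit_root_login "$f")"
    set_permit_root_login "$f" prohibit-password
    printf 'after:  %s\n' "$(effective_permit_root_login "$f")"
    rm -f "$f"
}
demo
```

On a live system, `sshd -t -f /etc/ssh/sshd_config` validates the file and `sshd -T | grep -i permitrootlogin` prints the value the running configuration resolves to, which is the authoritative check after merging an .rpmnew file.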

Kerberos cryptography modernization

Kerberos (krb5) removes support for several weak encryption types. Users should see no change, but so that administrators can confirm this before upgrading, deprecation warnings have been logged since krb5-1.16.1-25.fc28, krb5-1.16.1-25.fc29, and krb5-1.17-3.fc30. For more information on migrating away from deprecated encryption types, see MIT's DES deprecation guide.
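As an added check (not from the release notes or from MIT krb5), the following script scans klist -e output for the single-DES encryption types covered by MIT's DES deprecation guide, so that tickets and keys still using them are found before an upgrade removes support. The enctype names are MIT krb5's; the sample klist output is constructed. The same grep can be pointed at `kadmin.local -q "getprinc PRINCIPAL"` output on a KDC, which lists each key as "Key: vno N, <enctype>".

```shell
#!/bin/sh
# Added example, not from the Fedora release notes or MIT krb5: find
# single-DES encryption types in `klist -e` output. The sample output below is
# constructed. Extend DEPRECATED_ENCTYPES if your site also retires des3 or
# arcfour types; the list here is deliberately only the DES family.
set -u

DEPRECATED_ENCTYPES='des-cbc-crc|des-cbc-md4|des-cbc-md5|des-hmac-sha1'

# Read klist -e (or getprinc) output on stdin, print the lines that carry a
# deprecated enctype, and return 1 when any were found, 0 when clean.
find_deprecated_enctypes() {
    if grep -E -i "$DEPRECATED_ENCTYPES"; then
        return 1
    fi
    return 0
}

# Same input; prints the number of offending lines (0 when clean).
count_deprecated_enctypes() {
    grep -E -i -c "$DEPRECATED_ENCTYPES" || true
}

# Same input; prints each distinct deprecated enctype seen on klist's
# "Etype (skey, tkt): <session key>, <ticket>" lines, one per line.
list_deprecated_enctypes() {
    sed -n 's/^[[:space:]]*Etype (skey, tkt): //p' | tr ',' '\n' | tr -d ' \t' \
        | grep -E -i "^($DEPRECATED_ENCTYPES)$" | sort -u || true
}

# Constructed klist -e output: one modern ticket, one legacy service whose
# session key and ticket are both single-DES.
sample_klist() {
    cat <<'EOF'
Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2020 10:00:00  01/01/2020 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/2020 10:00:01  01/01/2020 20:00:00  host/legacy.example.com@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-crc, des-cbc-md5
EOF
}

# Stand-alone run: report what the constructed sample contains. On a real
# host replace sample_klist with `klist -e`.
if sample_klist | find_deprecated_enctypes >/dev/null; then
    echo "no deprecated enctypes in sample"
else
    echo "deprecated enctypes in sample: $(sample_klist | list_deprecated_enctypes | tr '\n' ' ')"
fi
```

Run `klist -e | sh -c '. ./check.sh; find_deprecated_enctypes'` (or copy the functions into a shell) on each client, and check service principals on the KDC, before the upgrade; a service whose only keys are DES stops authenticating once the KDC and clients drop those types.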