Security

Kerberos KCM credential cache by default

Fedora 27 defaults to a new type of Kerberos credential cache called Kerberos Cache Manager (KCM), implemented in the sssd-kcm service, which is better suited to container environments and also provides a better user experience in general cases. The key features of KCM are:

  • Kerberos credential caches are handled by a user-space daemon with a UNIX socket as its entry point. This means that the UIDs and GIDs of the cache owners are subject to UID namespacing, which is beneficial in container environments.

  • The UNIX socket can be mounted into containers on demand, which allows one or more containers to share a single Kerberos credential cache.

  • The KCM daemon is stateful. While no functionality that benefits from this is implemented in F-27, the daemon will allow automatic renewal of a user's Kerberos credentials if needed.

Information about using KCM can be found in man sssd-kcm and also in man sssd-secrets, because KCM uses sssd-secrets for data storage. Additional information is contained in the SSSD Design Page for KCM.

krb5-appl Packages Removed

The krb5-appl-clients and krb5-appl-servers packages are considered to be obsolete and have been removed from Fedora. These packages provided Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Users should move to more modern security tools, such as openssh.

Default cipher in OpenVPN changed to 256-bit AES-GCM

OpenVPN configurations utilizing the newer openvpn-server@.service unit file now use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128-bit keys to the newer AES-GCM algorithm with 256-bit keys.

To ensure backwards compatibility, this new default also allows clients that still use the Blowfish algorithm, which is not recommended, to connect by means of the --ncp-ciphers feature available in OpenVPN 2.4.

To facilitate an easy migration path away from Blowfish for clients not supporting AES-GCM, these clients can now add or change the --cipher option in the client configuration to either AES-256-CBC or AES-128-CBC without needing to do any other server changes.
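
An added example, not part of the Fedora release notes or of OpenVPN: a small Python check that finds client configurations still resolving to Blowfish, so they can be moved to AES-256-CBC or AES-128-CBC as described above. It assumes that a config with no cipher line falls back to BF-CBC and that a repeated directive takes its last value; the sample configs and the host name are constructed.

```python
import re

# Migration targets the release note names for clients without AES-GCM support.
MIGRATION_TARGETS = {"AES-256-CBC", "AES-128-CBC"}
# Assumption: with no "cipher" line the client uses the old Blowfish default.
LEGACY_DEFAULT = "BF-CBC"


def effective_cipher(config_text):
    """Return the selected cipher, upper-cased (assumption: last directive wins)."""
    cipher = LEGACY_DEFAULT
    for raw in config_text.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        # Accept "cipher X" and the command-line spelling "--cipher X".
        if len(words) >= 2 and words[0].lstrip("-") == "cipher":
            cipher = words[1].upper()
    return cipher


def classify(config_text):
    """Map a client config to 'blowfish', 'migrated', 'aes-gcm' or 'review'."""
    cipher = effective_cipher(config_text)
    if cipher.startswith("BF-"):
        return "blowfish"   # still depends on the backwards-compatibility path
    if cipher in MIGRATION_TARGETS:
        return "migrated"   # one of the two ciphers named in the note
    if cipher.startswith("AES-") and cipher.endswith("-GCM"):
        return "aes-gcm"    # same family as the new server default
    return "review"         # not covered by the note; check by hand


# Constructed sample client configs (hypothetical host name, not from the page).
SAMPLES = {
    "old-default.ovpn": "client\nremote vpn.example.org 1194\n",
    "old-explicit.ovpn": "client\ncipher BF-CBC  # legacy\n",
    "commented.ovpn": "client\n;cipher AES-256-CBC\n",
    "migrated.ovpn": "client\ncipher BF-CBC\ncipher aes-256-cbc\n",
    "gcm.ovpn": "client\ncipher AES-256-GCM\n",
}


def needs_migration(configs):
    """Return the sorted names of configs that still resolve to Blowfish."""
    return sorted(n for n, text in configs.items() if classify(text) == "blowfish")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20} {effective_cipher(text):12} {classify(text)}")
```
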

OpenSSH Server now follows system-wide crypto policies

Fedora defines system-wide crypto policies, which are followed by cryptographic libraries and tools, including OpenSSH clients. This allows administrators to use different system-wide security levels. With this update, OpenSSH Server adheres to these system-wide crypto policies, too.

This modification adds environment variables that specify enabled algorithms. The information is passed to the sshd daemon on the command line. It is, therefore, necessary to restart the sshd service for changes to crypto-policy configuration to take effect.

SSH-1 support removed from OpenSSH

The SSH-1 protocol is obsolete and no longer considered secure. As such, it is not supported by the default OpenSSH client binaries packaged for Fedora. This change removes support for the SSH-1 protocol altogether by removing the openssh-clients-ssh1 subpackage.

libcurl switches to using OpenSSL

The libcurl library now uses OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in the NSS database need to be exported to files for libcurl to be able to load them. See http://pki.fedoraproject.org/wiki/NSS_Database for instructions on how to work with the NSS database.