Fedora 27 uses by default a new Kerberos credential cache type called the Kerberos Cache Manager (KCM), implemented in the sssd-kcm service. It is better suited to containerized environments and provides a better user experience in general. The main features of KCM are:
Kerberos credential caches are handled by a userspace daemon with a UNIX socket entry point. That means the UIDs and GIDs of the cache owners are subject to UID namespacing, which is beneficial in containerized environments.
The UNIX socket can be mounted into containers on demand, thus allowing one or more containers to share a single Kerberos credential cache.
The KCM daemon is stateful. While no functionality that benefits from that is implemented in F-27, the daemon will allow automatic refreshes of a user’s Kerberos credentials if needed.
Information about using KCM can be found in man sssd-kcm and also in sssd-secrets, because KCM uses sssd-secrets for data storage. Additional information is contained in the SSSD Design Page for
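As an added example (not part of the release notes or of SSSD itself), the following script shows the krb5.conf setting that selects the KCM cache and a small check that reports which credential cache type a krb5.conf file actually configures. The socket unit name sssd-kcm.socket and the socket path in the comments are assumptions for illustration.

```shell
# Added example, not from the Fedora release notes or the SSSD project:
# select the KCM credential cache in krb5.conf and check which cache type
# a given krb5.conf configures. Unit name and socket path are assumptions.

# [libdefaults] fragment that selects the KCM cache (constructed sample).
# On a host this goes into /etc/krb5.conf or a file under /etc/krb5.conf.d/;
# the daemon is then started on demand via: systemctl enable --now sssd-kcm.socket
KCM_SNIPPET='[libdefaults]
    default_ccache_name = KCM:
'

# Print the credential cache type ("KCM", "FILE", "KEYRING", "DIR", ...) that a
# krb5.conf file configures, or "UNSET" if default_ccache_name is not present.
# A bare path without a "TYPE:" prefix is treated as a FILE cache.
ccache_type_from_conf() {
    value=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    case "$value" in
        "")  echo "UNSET" ;;
        *:*) echo "${value%%:*}" ;;
        *)   echo "FILE" ;;
    esac
}

# Sharing one cache with a container: because KCM is reached through a UNIX
# socket, bind-mounting that socket is enough, provided the container's own
# krb5.conf also selects KCM. The path below is sssd-kcm's documented default
# and is assumed here; adjust it to your build:
#   podman run -v /var/run/.heim_org.h5l.kcm-socket:/var/run/.heim_org.h5l.kcm-socket ...

# Demo: write the snippet to a temporary file and report the configured type.
tmp=$(mktemp)
printf '%s' "$KCM_SNIPPET" > "$tmp"
echo "configured credential cache type: $(ccache_type_from_conf "$tmp")"
rm -f "$tmp"
```

Run the script as-is to see the type selected by the sample snippet; point `ccache_type_from_conf` at `/etc/krb5.conf` to see what a real host selects.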
krb5-appl-servers packages are considered obsolete and have been removed from Fedora. These packages provided Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Users should move to more modern security tools, such as openssh.
OpenVPN configurations that use the openvpn-server@.service unit file now use a stronger cipher for the VPN tunnel by default. The default changes from the Blowfish algorithm with a 128-bit key to the modern AES-GCM algorithm with a 256-bit key.
To ensure backwards compatibility, this new default also enables clients still using the not recommended Blowfish algorithm to connect, by utilizing the --ncp-ciphers feature available in OpenVPN 2.4.
To facilitate an easy migration path away from Blowfish for clients not
supporting AES-GCM, these clients can now add or change the
option in the client configuration to either
without needing to do any other server changes.
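The following added example (not from the release notes or from the OpenVPN project) places the legacy Blowfish server configuration beside a Fedora 27 style AES-GCM configuration with --ncp-ciphers, and adds a small check that reports which data-channel cipher a configuration file selects. The file contents are constructed samples, and the "weak"/"aead"/"ok" classification is this example's own.

```shell
# Added example, not from the Fedora release notes or OpenVPN:
# legacy vs. hardened server config, plus a check of the selected cipher.
# Config contents are constructed samples for this example.

# Legacy configuration: 128-bit Blowfish in CBC mode, OpenVPN's historical default.
LEGACY_CONF='dev tun
cipher BF-CBC
'

# Fedora 27 style: AES-256-GCM for the tunnel, with ncp-ciphers so that
# OpenVPN 2.4 clients negotiate a GCM cipher while clients that only set
# --cipher can still be accepted during a migration window.
HARDENED_CONF='dev tun
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
'

# Print the value of the "cipher" directive in an OpenVPN config file, or
# "BF-CBC" when absent, since that is what OpenVPN 2.4 uses by default.
openvpn_cipher() {
    c=$(sed -n 's/^[[:space:]]*cipher[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    echo "${c:-BF-CBC}"
}

# Classify a cipher name: "weak" for 64-bit-block ciphers (Blowfish, DES,
# CAST5, RC2), "aead" for AES-GCM, "ok" for other AES modes, else "unknown".
cipher_class() {
    case "$(echo "$1" | tr '[:lower:]' '[:upper:]')" in
        BF-*|DES-*|CAST5-*|RC2-*) echo "weak" ;;
        AES-*-GCM)                echo "aead" ;;
        AES-*)                    echo "ok" ;;
        *)                        echo "unknown" ;;
    esac
}

# Demo: write both samples to temporary files and report their ciphers.
for name in LEGACY_CONF HARDENED_CONF; do
    f=$(mktemp)
    eval "printf '%s' \"\$$name\"" > "$f"
    cipher=$(openvpn_cipher "$f")
    echo "$name: cipher=$cipher class=$(cipher_class "$cipher")"
    rm -f "$f"
done
```

Point `openvpn_cipher` at a real server or client configuration to see whether it still relies on the Blowfish default; anything classified "weak" is a candidate for the migration described above.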
Fedora defines system-wide crypto policies, which are followed by cryptographic libraries and tools, including OpenSSH clients. This allows administrators to use different system-wide security levels. With this update, OpenSSH Server adheres to these system-wide crypto policies, too.
This modification adds environment variables that specify enabled algorithms. The information is passed to the sshd daemon on the command line. It is, therefore, necessary to restart the sshd service for changes to crypto-policy configuration to take effect.
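As an added example (not from the release notes or from the crypto-policies project), the script below reads a crypto-policy back-end file of the kind sshd receives on its command line and answers whether a given algorithm is enabled. The variable name CRYPTO_POLICY, the file layout, and the sample algorithm lists are assumptions constructed for this example.

```shell
# Added example, not from the Fedora release notes or crypto-policies:
# parse the per-daemon policy file that sshd's unit passes on the command
# line and check which algorithms it enables. Variable name, layout and
# sample contents are assumptions constructed for this example.

# Constructed sample of an OpenSSH server back-end policy line: sshd receives
# these -o options on its command line, so editing the file without
# restarting sshd changes nothing for the running daemon.
SAMPLE_POLICY="-oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr -oMACs=hmac-sha2-256,hmac-sha2-512 -oKexAlgorithms=curve25519-sha256"

# Write the sample to a file in the same shape as the real back-end file.
write_sample_policy() {
    printf "CRYPTO_POLICY='%s'\n" "$SAMPLE_POLICY" > "$1"
}

# Print the comma-separated list for one -o option (e.g. Ciphers, MACs,
# KexAlgorithms) from a policy file; fail if the option is not set there.
# The file is parsed with sed rather than sourced, so nothing gets executed.
policy_option() {
    line=$(sed -n "s/^CRYPTO_POLICY='\(.*\)'$/\1/p" "$1")
    # Word splitting on $line is intentional: each word is one -oName=value.
    for word in $line; do
        case "$word" in
            "-o$2="*) echo "${word#-o$2=}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed if algorithm $3 appears in option $2 of policy file $1.
policy_allows() {
    list=$(policy_option "$1" "$2") || return 1
    case ",$list," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo on the constructed sample. On a real host, after changing the policy:
#   systemctl restart sshd
# so the new command-line options reach the daemon.
p=$(mktemp)
write_sample_policy "$p"
echo "Ciphers: $(policy_option "$p" Ciphers)"
for algo in aes256-gcm@openssh.com 3des-cbc; do
    if policy_allows "$p" Ciphers "$algo"; then
        echo "$algo: enabled"
    else
        echo "$algo: not enabled"
    fi
done
rm -f "$p"
```

The check deliberately reads the file instead of sourcing it; the same functions work on the real back-end file once you substitute its path for the temporary sample.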
The SSH-1 protocol is obsolete and no longer considered secure. As such, it is not supported by the default OpenSSH client binaries packaged for Fedora. This change removes support for the SSH-1 protocol altogether by removing the openssh-clients-ssh1 subpackage.
The libcurl library now uses OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in the NSS database need to be exported to files for libcurl to be able to load them. See http://pki.fedoraproject.org/wiki/NSS_Database for instructions on how to work with the NSS database.