Security
EFI build of GRUB2 now contains several security-oriented modules
The GRUB EFI build in Fedora 31 contains the cryptodisk, luks and verify GRUB modules. For more details see the Distribution-wide changes section.
Existing system-wide crypto policies can now be customized
The crypto-policies package has been enhanced and allows users to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols.
For example, it is now possible to easily modify the existing DEFAULT policy to disable the SHA1 support or enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies.
To achieve the above-mentioned outcome, add a simple configuration file and execute the update-crypto-policies command.
SSH no longer allows root password login
The OpenSSH server no longer allows the root user to remotely log into Fedora using a password. This change is consistent with the upstream OpenSSH project, which disabled the remote root password login in the 7.0 release. Previously, the remote root password login was a common target of attacks.
The root user can still remotely log in using a public SSH key.
The /etc/ssh/sshd_config configuration file now disables the PermitRootLogin option. If you upgrade to Fedora 31 on a system where you have made changes to the configuration file, the upgrade process preserves your configuration and creates the new configuration in /etc/ssh/sshd_config.rpmnew.
If you use the remote root password login in Kickstart or cloud-init scripts, Fedora recommends the following alternatives:
- Switch to public key authentication.
- Create a different administrative user.
You can re-enable root password login:
- In the Fedora installer (Anaconda), enable the Allow root SSH login with password option when setting a password for root.
- On an already installed system, set the PermitRootLogin=yes option in /etc/ssh/sshd_config.
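An added example (not part of the Fedora release notes or the OpenSSH project): an offline audit of sshd_config text that reports whether PermitRootLogin still permits root password login, for instance in a configuration preserved across the upgrade. The function names and sample configurations are constructed for illustration, and the fallback value assumes the upstream default of prohibit-password when the option is not set.

```python
import re

# Upstream OpenSSH default since 7.0, used when no global line sets the option.
UPSTREAM_DEFAULT = "prohibit-password"
# sshd accepts both "Keyword value" and "Keyword=value".
DIRECTIVE = re.compile(r"(\w+)\s*(?:=\s*|\s+)(\S.*)")

def directives(text):
    """Yield (lowercased keyword, argument string) for each active line."""
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.strip())  # lines starting with '#' do not match
        if m:
            yield m.group(1).lower(), m.group(2)

def audit_root_login(text):
    """Return (effective global value, Match blocks that set 'yes')."""
    global_value, match, risky = None, None, []
    for key, args in directives(text):
        if key == "match":
            match = args  # a Match block runs to the next Match line or EOF
        elif key == "permitrootlogin":
            value = args.split()[0].strip('"').lower()
            if match is None:
                global_value = global_value or value  # first occurrence wins
            elif value == "yes":
                risky.append(match)
    return global_value or UPSTREAM_DEFAULT, risky

def permits_root_password(text):
    """True if the global setting or any Match block sets PermitRootLogin yes."""
    value, risky = audit_root_login(text)
    return value == "yes" or bool(risky)

# Constructed samples: a config preserved across an upgrade, a file with the
# option commented out (assumed form of a new default file), and a config
# with a duplicate global line plus a Match-block override.
PRESERVED = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
RPMNEW = "#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
MATCHED = ("PermitRootLogin no\nPermitRootLogin yes\n"
           "Match Address 10.0.0.0/8\n\tPermitRootLogin=yes\n")

if __name__ == "__main__":
    for name, cfg in [("preserved", PRESERVED), ("rpmnew", RPMNEW), ("matched", MATCHED)]:
        print(name, audit_root_login(cfg), permits_root_password(cfg))
```

The audit looks only at PermitRootLogin and does not evaluate PasswordAuthentication or other options that also affect password login. On a live system, `sshd -T` prints the effective configuration as sshd itself resolves it.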
Kerberos cryptography modernization
Kerberos (krb5) removes support for several known-bad encryption types. Hopefully users will see no changes, but to be sure you won’t, we started logging deprecation warnings in krb5-1.16.1-25.fc28/krb5-1.16.1-25.fc29/krb5-1.17-3.fc30. For more information on upgrading from deprecated encryption types, see MIT’s DES deprecation guide.