EFI build of GRUB2 now contains several security-oriented modules
The GRUB EFI build in Fedora 31 contains the verify GRUB modules. For more details see the Distribution-wide changes section.
Existing system-wide crypto policies can now be customized
The crypto-policies package has been enhanced and allows users to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols.
For example, it is now possible to easily modify the existing DEFAULT policy to disable SHA1 support or enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies.
To achieve the above-mentioned outcome, add a simple configuration file and execute the
SSH no longer allows root password login
The OpenSSH server no longer allows the root user to remotely log into Fedora using a password. This change is consistent with the upstream OpenSSH project, which disabled the remote root password login in the 7.0 release. Previously, the remote root password login was a common target of attacks.
The root user can still remotely log in using a public SSH key.
The /etc/ssh/sshd_config configuration file now disables the PermitRootLogin option. If you upgrade to Fedora 31 on a system where you have made changes to the configuration file, the upgrade process preserves your configuration and creates the new configuration in
If you use the remote root password login in Kickstart or cloud-init scripts, Fedora recommends the following alternatives:
Switch to public key authentication.
Create a different administrative user.
You can re-enable root password login:
In the Fedora installer (Anaconda), enable the Allow root SSH login with password option when setting a password for
On an already installed system, set the
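Because the upgrade preserves an edited /etc/ssh/sshd_config, an older PermitRootLogin yes line can survive into Fedora 31. The following Python check is an added example, not part of the Fedora release notes: it reports the effective PermitRootLogin value of a configuration text, assuming a single file with no Include directives; the function names and sample configurations are constructed for illustration.

```python
import re

# Assumption: when the option is unset, sshd falls back to its built-in
# default, which upstream OpenSSH changed to prohibit-password in 7.0.
DEFAULT = "prohibit-password"

def permit_root_login(config_text):
    """Return (global_value, {match_criteria: value}) for PermitRootLogin."""
    global_value, overrides, current_match = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value  # block lasts until next Match or EOF
        elif keyword == "permitrootlogin" and value:
            setting = value.split()[0]
            if current_match is not None:
                overrides.setdefault(current_match, setting)
            elif global_value is None:
                global_value = setting  # sshd keeps the first value it reads
    return (global_value or DEFAULT), overrides

def allows_root_password(config_text):
    """True if any scope sets 'yes', the only value that admits passwords.
    Whether a password is then accepted also depends on
    PasswordAuthentication and PAM, which this check does not evaluate."""
    global_value, overrides = permit_root_login(config_text)
    return global_value == "yes" or "yes" in overrides.values()

# Constructed sample configurations (not taken from a real system).
PRESERVED = "Port 22\npermitrootlogin yes\nPermitRootLogin no\n"
UNSET = "#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
MATCH = "PermitRootLogin no\nMatch Address 192.0.2.0/24\n    PermitRootLogin yes\n"

if __name__ == "__main__":
    for name, text in (("PRESERVED", PRESERVED), ("UNSET", UNSET), ("MATCH", MATCH)):
        print(name, permit_root_login(text), allows_root_password(text))
```

On a live host, the output of sshd -T gives the authoritative effective value; this parser is for reviewing a configuration file before it is deployed.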
Kerberos cryptography modernization
Kerberos (krb5) removes support for several known-bad encryption types. Hopefully users will see no changes, but to be sure you won’t, we started logging deprecation warnings in krb5-1.17-3.fc30. For more information on upgrading from deprecated encryption types, see MIT’s DES deprecation guide.