安全性
PARSEC stack is now available on Fedora
Platform AbstRaction for SECurity (PARSEC) is an open-source initiative that provides a common API for accessing secure credentials stored in hardware in a platform-agnostic way.
PARSEC serves as an abstraction layer that keeps workloads decoupled from physical platform details. This enables cloud-native delivery flows within the data center and in the edge computing sector.
After users install the PARSEC stack on Fedora Workstation edition, the PARSEC daemon will automatically start during the early boot process. On Fedora IoT edition, the stack installation and start of the daemon is done by the OS itself.
From a hardware perspective, the PARSEC daemon can currently use a Trusted Platform Module 2 (TPM2) chip, Hardware Security Module (HSM) device, or systems that have an Arm TrustZone technology enabled.
Strong Crypto Settings - Phase 2
Fedora 33 disables:
-
TLS Protocols versions older than 1.2 version, so TLS versions 1.0 and 1.1 are now disabled by default.
-
SHA hash signatures in TLS, SSH and IKE protocols.
-
Diffie Hellman key exchange with parameter size less that 2048 bits.
As a result Fedora 33 cannot communicate with legacy systems that support all the disabled entities which are outlined above.
If you want to communicate with legacy systems, you may:
-
Set the system wide crypto policy to LEGACY, by using the command below:
---- # update-crypto-policies --set LEGACY
* Or add the snippet below to your ssh config file (~/.ssh/config) + [source,shell]
Host <server-name>
PubkeyAcceptedKeyTypes ssh-rsa
* For Dovecot in RHEL/CentOS up to 7.8 (it is fixed in 7.9) set in /etc/pki/dovecot/dovecot-openssl.cnf: + [source, shell]
[ req ] default_bits = 3072
* The most secure method is to use Elliptic Curve Digital Signature Algorithm (ECDSA) to generate new ssh keys, as the methods above override Fedora 33 new crypto polices rendering your system vulnerable.
Want to help? Learn how to contribute to Fedora Docs ›