@@ -1,11 +1,9 @@
-
- include::en-US/entities.adoc[]
-
[[sect-security]]
- == Security
+ = Security
+ include::en-US/entities.adoc[]
[[sect-security-kerberos-kcm]]
- === Kerberos KCM credential cache by default
+ == Kerberos KCM credential cache by default
Fedora 27 defaults to a new Kerberos credential cache type called Kerberos Cache Manager (KCM), implemented in the sssd-kcm service, that is better suited for containerized environments and also provides a better user experience in the general case. Key features of KCM include:
* Kerberos credential caches are handled by a userspace deamon with a UNIX socket entry point. That means the UIDs and GIDs of the cache owners are subject to UID namespacing, which is beneficial in containerized environments.
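Review bot: the `[[sect-security]]` anchor now sits directly above the level-0 title `= Security`, and `include::en-US/entities.adoc[]` has moved below the title; attribute entries belong in the document header right after the title, so the include placement is right, but confirm that the anchor still resolves now that the section it labelled has become the document title (any `<<sect-security>>` xref elsewhere would now point at the whole document rather than a section). The unchanged context line also carries a typo worth folding into this change: `deamon` should read `daemon`.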
@@ -15,12 +13,12 @@
Information about using KCM can be found in `man sssd-kcm` and also in `man sssd-secrets`, because KCM uses sssd-secrets for data storage. Additional information is contained in the https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html[SSSD Design Page for KCM].
[[sect-security-krb5-appl]]
- === krb5-appl Packages Removed
+ == krb5-appl Packages Removed
The `krb5-appl-clients` and `krb5-appl-servers` packages are considered to be obsolete and have been removed from Fedora. These packages provided Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Users should to move to more modern security tools, such as openssh.


[#sect-defauilt-ciopher-in-openvpn-changed-to-256-bit-aes-gcm]
- === Default cipher in OpenVPN changed to 256-bit AES-GCM
+ == Default cipher in OpenVPN changed to 256-bit AES-GCM
OpenVPN configurations utilizing the newer `openvpn-server@.service` unit file now use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128-bit keys to the newer AES-GCM algorithm with 256-bit keys.
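Review bot: the anchor id `[#sect-defauilt-ciopher-in-openvpn-changed-to-256-bit-aes-gcm]` misspells "default" and "cipher"; the typo predates this hunk, and since other chapters may already xref that id, leave it here and fix it in a separate change that also updates every reference. Two small wording fixes in the unchanged context could be folded in: `Users should to move` should read `Users should move`, and the replacement package is better written as `openssh` in monospace to match the other package names in the paragraph. The heading promotion from `===` to `==` is consistent with the title becoming `=`.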
@@ -30,7 +28,7 @@


[#sect-openshh-server-now-follows-system-wide-crypto-policies]
- === OpenSSH Server now follows system-wide crypto policies
+ == OpenSSH Server now follows system-wide crypto policies
Fedora defines system-wide crypto policies, which are followed by cryptographic libraries and tools, including OpenSSH clients. This allows administrators to use different system-wide security levels. With this update, OpenSSH Server adheres to these system-wide crypto policies, too.
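Review bot: `[#sect-openshh-server-now-follows-system-wide-crypto-policies]` misspells OpenSSH in the anchor id; as with the other misspelled ids in this file, renaming it would break any existing xref, so keep it unchanged here and correct it together with its references in a dedicated change. The heading level change itself is consistent with the new `= Security` document title.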
@@ -38,12 +36,12 @@


[#sect-ssh-1-support-removed-from-openssh]
- === SSH-1 support removed from OpenSSH
+ == SSH-1 support removed from OpenSSH
The SSH-1 protocol is obsolete and no longer considered secure. As such, it is not supported by the default OpenSSH client binaries packaged for Fedora. This changes removes support for the SHH-1 protocol altogether by removing the *openssh-clients-ssh1* subpackage.


[#sect-libcurl-switches-to-using-openssl]
- === libcurl switches to using OpenSSL
+ == libcurl switches to using OpenSSL
The *libcurl* library now uses OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in the NSS database need to be exported to files for *libcurl* to be able to load them. See link:http://pki.fedoraproject.org/wiki/NSS_Database[http://pki.fedoraproject.org/wiki/NSS_Database] for instructions on how to work with the NSS database.
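Review bot: two typos in the unchanged context lines of this hunk could be folded into the change: `This changes removes` should read `This change removes`, and `SHH-1 protocol` should read `SSH-1 protocol`. In the libcurl paragraph, `link:http://pki.fedoraproject.org/wiki/NSS_Database[http://pki.fedoraproject.org/wiki/NSS_Database]` repeats the URL as its own link text; AsciiDoc auto-links a bare URL, so the plain URL is enough, and an `https://` form should be preferred if the wiki serves one.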
Combined release note entry to cover Modularity work in Issues #20, #21 and #23.