Fedora 27 defaults to a new Kerberos credential cache type called Kerberos Cache Manager (KCM), implemented in the sssd-kcm service, that is better suited for containerized environments and also provides a better user experience in the general case. Key features of KCM include:
Kerberos credential caches are handled by a userspace deamon with a UNIX socket entry point. That means the UIDs and GIDs of the cache owners are subject to UID namespacing, which is beneficial in containerized environments.
The UNIX socket can be mounted into containers on demand, thus allowing one or more containers to share a single Kerberos credential cache.
The KCM deamon is stateful. While no functionality that benefits from that is implemented in F-27, the deamon will allow automatic refreshes of a user’s Kerberos credentials if needed.
Information about using KCM can be found in man sssd-kcm
and also in man sssd-secrets
, because KCM uses sssd-secrets for data storage. Additional information is contained in the SSSD Design Page for KCM.
The krb5-appl-clients
and krb5-appl-servers
packages are considered to be obsolete and have been removed from Fedora. These packages provided Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Users should to move to more modern security tools, such as openssh.
OpenVPN configurations utilizing the newer openvpn-server@.service
unit file now use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128-bit keys to the newer AES-GCM algorithm with 256-bit keys.
To ensure backwards compatibility, this new default also enables clients still using the not recommended Blowfish algorithm to connect by utilizing the --ncp-ciphers
feature being available in OpenVPN 2.4.
To facilitate an easy migration path away from Blowfish for clients not supporting AES-GCM, these clients can now add or change the --cipher
option in the client configuration to either AES-256-CBC
or AES-128-CBC
without needing to do any other server changes.
Fedora defines system-wide crypto policies, which are followed by cryptographic libraries and tools, including OpenSSH clients. This allows administrators to use different system-wide security levels. With this update, OpenSSH Server adheres to these system-wide crypto policies, too.
This modification is implemented using a script, which places configuration generated according to currently defined crypto policies into the OpenSSH Server’s configuration file. The script is executed by systemd when the sshd
service is started. It is, therefore, necessary to restart the sshd
service for changes to crypto-policy configuration to take effect.
The SSH-1 protocol is obsolete and no longer considered secure. As such, it is not supported by the default OpenSSH client binaries packaged for Fedora. This changes removes support for the SHH-1 protocol altogether by removing the openssh-clients-ssh1 subpackage.
The libcurl library now uses OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in the NSS database need to be exported to files for libcurl to be able to load them. See http://pki.fedoraproject.org/wiki/NSS_Database for instructions on how to work with the NSS database.