Latest release notes on the Internet

These release notes may be updated. To view the latest release notes for Fedora, visit:

This section highlights various security items from Fedora.
Fedora continues to improve its many proactive security features.
The glibc package in Fedora 8 had support for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
To switch to SHA-256 or SHA-512 on an installed system, use authconfig --passalgo=sha256 --update or authconfig --passalgo=sha512 --update. Alternatively, use the authconfig-gtk GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
    
SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the --passalgo or --enablemd5 options for the kickstart auth command. If your installation does not use kickstart, use authconfig as described above, and then change the root user password, and passwords for other users created after installation.
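
Because existing accounts keep their old hash until the password is changed, it is useful to list which accounts are still on DES or MD5 after switching algorithms. The script below is an added example, not part of the original release notes: the function names and sample entries are constructed for illustration, and it assumes the glibc crypt prefixes ($1$ MD5, $5$ SHA-256, $6$ SHA-512) and the 5000-round default used when no rounds= value is stored.

```shell
#!/bin/sh
# Added example: report the hash scheme of each account in shadow(5)-format input.
# On a real system, run as root: classify_shadow < /etc/shadow

# Print "user scheme rounds state" for every input line.
classify_shadow() {
    awk -F: '
    {
        user = $1; field = $2; state = "active"; rounds = "-"
        # An empty field means no password is required at all.
        if (field == "") { print user, "empty", rounds, state; next }
        # Leading "!" marks a locked password; classify the hash behind it.
        if (field ~ /^!/) { sub(/^!+/, "", field); state = "locked" }
        id = substr(field, 1, 3)
        if (field == "" || field == "*") scheme = "none"   # no usable hash
        else if (id == "$1$") scheme = "md5"
        else if (id == "$5$" || id == "$6$") {
            scheme = (id == "$5$") ? "sha256" : "sha512"
            rounds = 5000                  # glibc default when rounds= is absent
            split(field, part, "[$]")      # part[3]: "rounds=N" or the salt
            if (part[3] ~ /^rounds=[0-9]+$/) rounds = substr(part[3], 8)
        }
        else if (length(field) == 13 && field ~ "^[./0-9A-Za-z]+$") scheme = "des"
        else scheme = "unknown"
        print user, scheme, rounds, state
    }'
}

# Accounts still on DES or MD5; they keep that hash until the password changes.
needs_rehash() {
    classify_shadow | awk '$2 == "des" || $2 == "md5" { print $1 }'
}

# Constructed sample entries (placeholder salts and hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
root:$6$rounds=10000$CONSTRUCTEDsalt$CONSTRUCTEDhash:14000:0:99999:7:::
alice:$1$CONSTRsl$CONSTRUCTEDhashCONSTRU:13900:0:99999:7:::
bob:abCDEFGHIJKLM:13000:0:99999:7:::
carol:!$5$CONSTRUCTEDsalt$CONSTRUCTEDhash:14000:0:99999:7:::
daemon:*:13800:0:99999:7:::
guest::13800:0:99999:7:::
EOF
}

sample_shadow | classify_shadow
echo "change password for: $(sample_shadow | needs_rehash | tr '\n' ' ')"
```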
    
New options now appear in libuser, pam, and shadow-utils to support these password hashing algorithms. Running authconfig configures all these options automatically, so it is not necessary to modify them manually.
    
New values for the crypt_style option, and the new options hash_rounds_min, and hash_rounds_max, are now supported in the [defaults] section of /etc/libuser.conf. Refer to the libuser.conf(5) man page for details.

New options, sha256, sha512, and rounds, are now supported by the pam_unix PAM module. Refer to the pam_unix(8) man page for details.

New options, ENCRYPT_METHOD, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS, are now supported in /etc/login.defs. Refer to the login.defs(5) man page for details. Corresponding options were added to chpasswd(8) and newusers(8).
        
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:
New SELinux project pages: http://fedoraproject.org/wiki/SELinux
Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
Frequently Asked Questions: http://docs.fedoraproject.org/selinux-faq/
Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains
Free IPA is a centrally managed identity, policy, and audit installation.
The IPA server installer assumes a relatively clean system, installing and configuring several services:
a Fedora Directory Server instance
KDC
Apache
ntpd
TurboGears
Some effort is made to roll back the changes made, but rollback is not guaranteed. Similarly, the ipa-client-install tool overwrites PAM (/etc/pam.conf) and Kerberos (/etc/krb5.conf) configurations.
    
IPA does not support other instances of Fedora Directory Server on the same machine at install time, even listening on different ports. In order to install IPA, other instances must be removed. IPA itself can handle this removal.
There is currently no mechanism for migrating existing users into an IPA server.
The server self-configures to be a client of itself. If the Directory Server or KDC fails to start on bootup, boot into single-user mode in order to resolve the issue.
For more information, refer to this feature page: