Hash algorithm migration status

To Do
These packages use or refer to hashes from which we should migrate away. Being on this list does not yet mean the package will have to change: another manual check is necessary. You can see the known hash uses at http://people.redhat.com/mitr/hashes/found-hashes.

Configuration
Various packages support SHA-256, but their default configuration does not use it. Note that configuring the packages to use SHA-256 may prevent interoperability with systems that do not use SHA-256.

aide
Add the sha256 or sha512 group to your aide.conf.

krb5
On the KDC, add the following to your realm configuration in kdc.conf:

    master_key_type = aes256-cts
    supported_enctypes = aes256-cts:normal

On all machines, add the following to the [libdefaults] section of krb5.conf:

    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
    kdc_req_checksum_type = 12
    ap_req_checksum_type = 12
    safe_checksum_type = 12

nss_ldap
(After #487173 is applied, add information about pam_password and *rounds* here.)

pam
pam_unix uses DES to encrypt passwords by default. Add the sha256 or the sha512 option to use SHA-2. (This is already the default in Fedora.)

openssh
To use a SHA-1 HMAC with ssh and related programs, define the appropriate option on the command line or in your configuration file.

rpm
To use SHA-256 in file digests, define the following RPM macros (or just install redhat-rpm-config):

    _source_filedigest_algorithm 8
    _binary_filedigest_algorithm 8

To use SHA-256 in PGP signatures, use an RSA key (at least 2048 bits recommended, otherwise the signature would be significantly weaker than the hash), and define the following RPM macro when signing the packages:

    __gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo sha256 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

cryptsetup-luks
cryptsetup create uses RIPEMD160 by default when generating an encryption key. To use SHA-2, use the -h sha256 option.
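The following audit script is an added example, not part of this wiki page: it checks configuration files for the pam_unix, rpm and aide settings described above and reports whether the SHA-2 setting is present or the weak default is still in effect. The file paths are passed as arguments; the sample files it runs against are constructed in a temporary directory and are not real system configuration.

```sh
#!/bin/sh
# Added example (not from the wiki page): audit functions for the SHA-2 settings
# listed above. Each takes a config file path and returns 0 when the SHA-2
# setting is present, 1 when the weak default is still in effect.

# pam_unix: the "password" line must carry sha256 or sha512 (default is DES).
pam_unix_uses_sha2() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]](sha256|sha512)([[:space:]]|$)' "$1" >/dev/null
}

# rpm: both file digest macros must be 8 (SHA-256). Accepts the macro name with
# or without the leading % used in ~/.rpmmacros.
rpm_filedigest_is_sha256() {
    grep -E '^%?_source_filedigest_algorithm[[:space:]]+8([[:space:]]|$)' "$1" >/dev/null &&
    grep -E '^%?_binary_filedigest_algorithm[[:space:]]+8([[:space:]]|$)' "$1" >/dev/null
}

# aide.conf: some non-comment line must reference the sha256 or sha512 group.
aide_uses_sha2() {
    grep -E '^[^#]*(^|[^[:alnum:]])(sha256|sha512)([^[:alnum:]]|$)' "$1" >/dev/null
}

# Print a PASS/FAIL line for one check; used when the script is run by hand.
report() {
    if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi
}

# Constructed sample files: the weak default beside the corrected setting.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'password    sufficient    pam_unix.so nullok use_authtok\n' > "$tmp/pam-des"
printf 'password    sufficient    pam_unix.so sha512 shadow nullok use_authtok\n' > "$tmp/pam-sha512"
printf '%%_source_filedigest_algorithm 1\n%%_binary_filedigest_algorithm 1\n' > "$tmp/rpm-md5"
printf '%%_source_filedigest_algorithm 8\n%%_binary_filedigest_algorithm 8\n' > "$tmp/rpm-sha256"
printf '# sha256 is only mentioned in this comment\nR = p+i+n+u+g+s+m+c+md5\n' > "$tmp/aide-md5"
printf 'R = p+i+n+u+g+s+m+c+sha256\n' > "$tmp/aide-sha256"

for f in pam-des pam-sha512; do report pam_unix_uses_sha2 "$tmp/$f"; done
for f in rpm-md5 rpm-sha256; do report rpm_filedigest_is_sha256 "$tmp/$f"; done
for f in aide-md5 aide-sha256; do report aide_uses_sha2 "$tmp/$f"; done
```

To audit a real machine, call the functions with the live files, for example pam_unix_uses_sha2 /etc/pam.d/system-auth.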

Done
These packages were already migrated, or the features that need migrating are not essential. The "Notes" column should contain enough information to migrate from SHA-256 to a stronger hash in the future.