(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
<!-- Self Contained or System Wide Change Proposal? | <!-- Self Contained or System Wide Change Proposal? | ||
Use this guide to determine to which category your proposed change belongs to. | Use this guide to determine to which category your proposed change belongs to. | ||
Line 26: | Line 24: | ||
== Summary == | == Summary == | ||
Fedora supports a [https://fedoraproject.org/wiki/Packaging:CryptoPolicies system wide crypto policy] and Kerberos should respect that policy and adjust its crypto-related configuration based on it. | Fedora supports a [https://fedoraproject.org/wiki/Packaging:CryptoPolicies system wide crypto policy] and Kerberos (libkrb5) should respect that policy and adjust its crypto-related configuration based on it. | ||
== Owner == | == Owner == | ||
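Review bot: the Summary sentence now names libkrb5, but the Detailed Description on this page opens with the same sentence and still says only "Kerberos". Apply the "(libkrb5)" qualifier there as well so both sections agree on which component is in scope.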
Line 56: | Line 54: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1297684 #1297684] | ||
== Detailed Description == | == Detailed Description == | ||
Line 74: | Line 72: | ||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: | ||
The kerberos configuration should be able to include an external part generated by the crypto policies package. This is tracked in [https://bugzilla.redhat.com/show_bug.cgi?id=1225792 bugzilla]. | The libkrb5 (kerberos) configuration should be able to include an external part generated by the crypto policies package. This is tracked in [https://bugzilla.redhat.com/show_bug.cgi?id=1225792 bugzilla]. | ||
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Line 133: | Line 131: | ||
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? N/A (not a System Wide Change) | * Blocks release? N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
* Blocks product? | * Blocks product? N/A <!-- Applicable for Changes that blocks specific product release/Fedora.next --> | ||
== Documentation == | == Documentation == | ||
Line 149: | Line 147: | ||
--> | --> | ||
[[Category: | [[Category:ChangeAcceptedF24]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 08:55, 12 January 2016
Crypto policy support for Kerberos
Summary
Fedora supports a system wide crypto policy and Kerberos (libkrb5) should respect that policy and adjust its crypto-related configuration based on it.
Owner
- Name: Nikos Mavrogiannopoulos
- Email: <nmav@redhat.com>
- Release notes owner:
Current status
Detailed Description
Fedora supports a system wide crypto policy and Kerberos should respect that policy and adjust its crypto-related configuration based on it.
As it stands, Kerberos' configuration is hard-coded and the administrator is responsible for making any changes to it. After software upgrades, the administrator is tasked with keeping the list of allowed ciphers up to date, modifying the cryptographic parameters, and so on. Having Kerberos follow the system-wide crypto policy by default would simplify the administrator's tasks and reduce errors caused by failing to disable an insecure cipher or by enabling incorrect crypto settings. That way, unless the administrator changes the configuration, the Kerberos configuration will be kept up to date and will be consistent with the policies followed in other parts of the system.
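The drift described above can be checked mechanically. The following is an added example, not code from the Change page or from the krb5 or crypto-policies projects: it compares the enctype lists in a hand-maintained `[libdefaults]` section against a policy snippet. The snippet's format (a `[libdefaults]` section with one `permitted_enctypes` line), the function names and both sample inputs are assumptions constructed for illustration.

```python
import re

# Real krb5.conf [libdefaults] relations that carry encryption-type lists.
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults_enctypes(text):
    """Return {relation: [enctype, ...]} for enctype lists under [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # krb5.conf separates list entries with spaces and/or commas
                found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found

def policy_drift(local_conf, policy_snippet):
    """Enctypes a hard-coded local config enables that the policy does not allow.

    Compares literal enctype names only; family aliases are not expanded.
    """
    allowed = set(libdefaults_enctypes(policy_snippet).get("permitted_enctypes", []))
    drift = {}
    for key, enctypes in libdefaults_enctypes(local_conf).items():
        extra = [e for e in enctypes if e not in allowed]
        if extra:
            drift[key] = extra
    return drift

# Constructed sample inputs (not taken from any real system).
POLICY_SNIPPET = """\
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
HARDCODED_CONF = """\
# hand-maintained list that was never revisited after upgrades
[libdefaults]
  default_realm = EXAMPLE.TEST
  permitted_enctypes = aes256-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
  EXAMPLE.TEST = { kdc = kdc.example.test }
"""

if __name__ == "__main__":
    for relation, extra in policy_drift(HARDCODED_CONF, POLICY_SNIPPET).items():
        print(f"{relation}: not allowed by policy: {', '.join(extra)}")
```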
Benefit to Fedora
An administrator using Fedora would have simpler tasks, as he would not be required to review configuration settings as recommended by https://bettercrypto.org/static/applied-crypto-hardening.pdf (for the Kerberos part at least).
Scope
- Proposal owners:
The libkrb5 (kerberos) configuration should be able to include an external part generated by the crypto policies package. This is tracked in bugzilla.
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
- Blocks product? N/A
Documentation
N/A (not a System Wide Change)