From Fedora Project Wiki

(→‎Security: added SSSD)
Line 19: Line 19:
=== SHA-2 support ===
=== SHA-2 support ===


TBD: application-specific notes about SHA-2 will go here. See [[Features/StrongerHashes#Release_Notes]] and [[Hash_algorithm_migration_status#Configuration]].
Fedora now uses the SHA-256 digest algorithm for data verification and authentication in more places than before, migrating from the weaker SHA-1 and MD5 algorithms. Where possible, the migration was transparent; in other places the default configuration was changed or manual configuration is necessary to use the stronger algorithms.

Revision as of 18:45, 2 April 2009

Security

This section highlights various security items from Fedora.

Fingerprint Readers

Fingerprint readers are now better integrated with Fedora 11. Gnome users can easily setup fingerprint authentication using gnome-about-me, and will allow the ability to login from both gdm and gnome-screensaver.

DNSSEC

DNSSEC (DNS SECurity) is mechanism which provides integrity and authenticity of DNS data.

System Security Services Daemon

The SSSD is intended to provide several key feature enhancements to Fedora. The first being the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, to ease the use of centrally managing laptop users.

The LDAP features will also add support for connection pooling. All communication to the ldap server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.

SHA-2 support

Fedora now uses the SHA-256 digest algorithm for data verification and authentication in more places than before, migrating from the weaker SHA-1 and MD5 algorithms. Where possible, the migration was transparent; in other places the default configuration was changed or manual configuration is necessary to use the stronger algorithms.