From Fedora Project Wiki

Revision as of 14:51, 16 December 2015 by Nmav



Crypto policy support for Kerberos

Summary

Fedora supports a system-wide crypto policy, and Kerberos should respect that policy and adjust its crypto-related configuration based on it.

Owner

Current status

  • Targeted release: Fedora 24
  • Last updated: 2015-12-16
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Fedora supports a system-wide crypto policy, and Kerberos should respect that policy and adjust its crypto-related configuration based on it.

As it stands, the Kerberos configuration is hard-coded and the administrator is responsible for making any changes to it. After a software upgrade the administrator has to keep the list of allowed ciphers up to date, modify the cryptographic parameters, and so on. Having Kerberos follow the system-wide crypto policy by default would simplify the administrator's tasks and reduce errors caused by not disabling an insecure cipher or by enabling incorrect crypto settings. That way, unless the administrator changes the configuration, the Kerberos configuration will be kept up to date and will be consistent with the policies followed in other parts of the system.

Benefit to Fedora

An administrator using Fedora would have simpler tasks, as they would not be required to review configuration settings as recommended by https://bettercrypto.org/static/applied-crypto-hardening.pdf (for the Kerberos part at least).



Scope

  • Proposal owners:

The Kerberos configuration should be able to include an external part generated by the crypto-policies package. This is tracked in Bugzilla.

  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)
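
An added example, not part of the original proposal or of Fedora's or MIT Kerberos' own code: a small audit that follows `include`/`includedir` directives in a krb5.conf-style configuration and reports which file enables single-DES, 3DES or RC4 enctypes, the kind of error the Detailed Description expects a policy-generated part to prevent. The fragment path, realm and file contents are constructed, and `includedir` matching is simplified to a path-prefix test.

```python
# Single-DES, 3DES and RC4 enctype names and family aliases (krb5.conf syntax).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3",
        "des3-cbc-sha1", "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def settings(files, path, seen=()):
    """Yield (file, section, key, value), following include/includedir."""
    if path in seen or path not in files:      # include loop or missing file
        return
    section = None                             # each file has its own sections
    for raw in files[path].splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line[0] in "#;":       # blank line or comment
            continue
        if len(words) == 2 and words[0] == "include":
            yield from settings(files, words[1], seen + (path,))
        elif len(words) == 2 and words[0] == "includedir":
            prefix = words[1].rstrip("/") + "/"
            for name in sorted(f for f in files if f.startswith(prefix)):
                yield from settings(files, name, seen + (path,))
        elif line.startswith("["):
            section = line.strip("[]*")
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield path, section, key, value

def weak_enctype_findings(files, path="/etc/krb5.conf"):
    """Return [(file, setting, [weak enctypes])] for [libdefaults] lists."""
    findings = []
    for src, section, key, value in settings(files, path):
        if section != "libdefaults" or key not in ENCTYPE_KEYS:
            continue
        # A leading "-" removes an enctype from the list, so it is not enabled.
        enabled = [t.lstrip("+").lower() for t in value.replace(",", " ").split()
                   if not t.startswith("-")]
        weak = [name for name in enabled if name in WEAK]
        if weak:
            findings.append((src, key, weak))
    return findings

# Constructed sample: file name -> content (paths and realm are hypothetical).
SAMPLE = {
    "/etc/krb5.conf": "includedir /etc/krb5.conf.d/\n[libdefaults]\n"
        "  default_realm = EXAMPLE.TEST\n"
        "  default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc\n",
    "/etc/krb5.conf.d/policy-fragment": "[libdefaults]\n"
        "  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -des3\n",
}
```

On the sample, the only finding comes from the hand-maintained main file; the included fragment is clean.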

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes