This section highlights various security items from Fedora.
Fedora continues to improve its many proactive security features.
Support for SHA-256 and SHA-512 passwords
The glibc package in Fedora 8 already had support for passwords hashed with SHA-256 and SHA-512. Previously, only DES and MD5 were available. In Fedora 9 the surrounding tools have been extended as well, so password hashing with the SHA-256 and SHA-512 hash functions is now supported throughout the system.
To switch to SHA-256 or SHA-512 on an installed system, use authconfig --passalgo=sha256 --update or authconfig --passalgo=sha512 --update. Alternatively, use the authconfig-gtk GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the --enablemd5 options for the kickstart auth command. If your installation does not use kickstart, use authconfig as described above, and then change the root user password, and the passwords of other users created after installation.
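Because existing accounts keep their old hash until the password is next changed, an administrator who has switched the system to SHA-256 or SHA-512 still needs a way to find accounts that were never re-hashed. The following added example (not Fedora tooling; written for these notes) parses shadow-style entries, classifies each hash by its crypt prefix ($1$ for MD5, $5$ for SHA-256, $6$ for SHA-512, no prefix for traditional DES), reads the optional rounds= parameter, and reports accounts that still carry a legacy hash or use fewer rounds than a chosen floor. The sample entries are constructed and their hash bodies are dummy strings; the default rounds value of 5000 is the crypt(3) default applied when no rounds= parameter is present.

```python
"""Audit crypt(3) password hashes for legacy DES/MD5 entries and low SHA rounds."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample shadow entries (not real accounts; hash bodies are dummies).
SAMPLE_SHADOW = """\
root:$6$rounds=65536$Ab12Cd34$XXXXXXXXXXXXXXXXXXXX:14000:0:99999:7:::
alice:$5$Ef56Gh78$YYYYYYYYYYYYYYYYYYYY:14000:0:99999:7:::
bob:$1$Ij90Kl12$ZZZZZZZZZZZZZZZZZZZZ:13000:0:99999:7:::
carol:MnOpQrStUvWxY:12000:0:99999:7:::
daemon:*:13000:0:99999:7:::
nobody:!!:13000:0:99999:7:::
"""

ALGO_BY_PREFIX = {"1": "md5", "5": "sha256", "6": "sha512"}
SHA_DEFAULT_ROUNDS = 5000  # crypt(3) default when no rounds= parameter is present

# $id$[rounds=N$]salt$hash  (modular crypt format used by MD5 and SHA-crypt)
_MODULAR_CRYPT = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)
# Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


class HashInfo(NamedTuple):
    user: str
    algo: str              # des, md5, sha256, sha512, locked, or unknown
    rounds: Optional[int]  # only meaningful for sha256/sha512


def classify(user: str, field: str) -> HashInfo:
    """Classify one shadow password field by its crypt prefix."""
    # Empty, '*', '!' or '!!' means no usable password; a leading '!' before a
    # hash means the account is locked, so those are skipped as well.
    if field in ("", "*", "!", "!!") or field.startswith(("!", "*")):
        return HashInfo(user, "locked", None)
    m = _MODULAR_CRYPT.match(field)
    if m:
        algo = ALGO_BY_PREFIX[m.group("id")]
        rounds = None
        if algo in ("sha256", "sha512"):
            rounds = int(m.group("rounds")) if m.group("rounds") else SHA_DEFAULT_ROUNDS
        return HashInfo(user, algo, rounds)
    if _DES_CRYPT.match(field):
        return HashInfo(user, "des", None)
    return HashInfo(user, "unknown", None)


def audit_shadow(text: str, min_rounds: int = SHA_DEFAULT_ROUNDS) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs for accounts whose hash should be refreshed."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        info = classify(user, field)
        if info.algo in ("des", "md5"):
            # Pre-switch hash: the account must change its password to be re-hashed.
            findings.append((user, f"legacy-{info.algo}"))
        elif info.algo in ("sha256", "sha512") and info.rounds < min_rounds:
            findings.append((user, "low-rounds"))
        elif info.algo == "unknown":
            findings.append((user, "unrecognized"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to a shadow file to audit it; otherwise the constructed sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, issue in audit_shadow(source):
        print(f"{user}: {issue}")
```

Run against the real file as root (python3 audit.py /etc/shadow) after the authconfig switch; every account reported as legacy-des or legacy-md5 still authenticates against its old hash and will only move to SHA-crypt when its password is changed, which is the caveat the notes state.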
New options now appear in shadow-utils to support these password hashing algorithms. Running authconfig configures all these options automatically, so it is not necessary to modify them manually.
- New values for the crypt_style option, and new hash-rounds options such as hash_rounds_max, are now supported in /etc/libuser.conf. Refer to the libuser.conf(5) man page for details.
- New options, including rounds, are now supported by the pam_unix PAM module. Refer to the pam_unix(8) man page for details.
- New options, including SHA_CRYPT_MAX_ROUNDS, are now supported in /etc/login.defs. Refer to the login.defs(5) man page for details. Corresponding options were added to
FORTIFY_SOURCE extended to cover more functions
FORTIFY_SOURCE protection now covers additional functions, including obstack_vprintf. This improvement is particularly useful for applications that use the glib2 library, as several of its functions use
Different SELinux roles are now available, to allow finer-grained access control:
- guest_t does not allow running setuid binaries, making network connections, or using a GUI.
- xguest_t disallows network access except for HTTP via a Web browser, and does not allow setuid binaries.
- user_t is ideal for office users: it prevents becoming root via setuid applications.
- staff_t is the same as user_t, except that root access via
- unconfined_t provides full access, the same as when not using SELinux.
As well, browser plug-ins wrapped with nspluginwrapper, which is the default, now run confined.
Default Firewall Behavior
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by Anaconda.
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.