Güvenlik

The GRUB EFI build in Fedora 31 contains the cryptodisk, luks and verify GRUB modules. For more details see the Distribution-wide changes section.

The crypto-policies package has been enhanced and allows users to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols.

For example, it is now possible to easily modify the existing DEFAULT policy to disable the SHA1 support or enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies.

To achieve the above-mentioned outcome, add a simple configuration file and execute the update-crypto-policies command.

The OpenSSH server no longer allows the root user to remotely log into Fedora using a password. This change is consistent with the upstream OpenSSH project, which disabled the remote root password login in the 7.0 release. Previously, the remote root password login was a common target of attacks.

The root user can still remotely log in using a public SSH key.

The /etc/ssh/sshd_config configuration file now disables the PermitRootLogin option. If you upgrade to Fedora 31 on a system where you have made changes to the configuration file, the upgrade process preserves your configuration and creates the new configuration in /etc/ssh/sshd_config.rpmnew.

If you use the remote root password login in Kickstart or cloud-init scripts, Fedora recommends the following alternatives:

You can re-enable root password login:

Kerberos (krb5) removes support for several known-bad encryption types. Hopefully users will see no changes, but to be sure you won’t, we started logging deprecation warnings in krb5-1.16.1-25.fc28/krb5-1.16.1-25.fc29/krb5-1.17-3.fc30. For more information on upgrading from deprecated encryption types, see MIT’s DES deprecation guide.