No edit summary |
(→Configuration: Add openssh) |
||
(26 intermediate revisions by 2 users not shown) | |||
Line 12: | Line 12: | ||
! Package !! Description !! Notes | ! Package !! Description !! Notes | ||
|- | |- | ||
| krb5 || The Kerberos network authentication system. || See [[#krb5]] for configuration.< | | krb5 || The Kerberos network authentication system. || <ul> | ||
<li>See [[#krb5]] for configuration. | |||
<li>GSS-API v1 hard-codes MD5, would need v2 (RFC4121). | |||
<li>pkinit hard-codes SHA-1<br>preauth "SAM" hard-codes MD5. | |||
</ul> | |||
(Both are tracked in #490909.) | |||
<hr><ul> | |||
<li>pbkdf2 hard-codes HMAC-SHA1. | |||
</ul> | |||
|- | |- | ||
| | | kernel || The Linux kernel || <ul> | ||
<li>sunrpc auth_gss krb5 uses GSS-API v1, hard-codes DES_MAC_MD5 (GSS-API v2 would be necessary for stronger hashes). | |||
<li>sunrpc auth_gss spkm3 hard-codes HMAC-MD5 (HMAC-SHA1 is not requried by RFC2847). | |||
</ul> | |||
(Both are tracked in #490916.) | |||
<ul> | |||
<li>ecryptfs uses MD5 to generate IVs for block encryption. | |||
<li>ecryptfs supports only MD5 in string-to-key algorithm for PGP private key handling. | |||
</ul> | |||
(Both are tracked in #490918.) | |||
<hr><ul> | |||
<li>sctp cookie used when opening a connection uses a HMAC, kernel is configured to use a MD5 HMAC (#485933). | |||
<li>reiserfs, ext3, ext4 hashed directories use various hashes, collisions are handled. | |||
<li>sctp packet authentication uses a SHA-1 or SHA-256 HMAC. | |||
<li>TCPOPT_MD5SIG (RFC2385) uses MD5 of a packet and a shared key; there's no space for a larger hash in the header, and if changes are made, IPSec can be used instead. | |||
<li>TCP syncookies are generated using a SHA-1 block transform, probably limited more by output size than the hash. | |||
<li>IPSec digest supports SHA-1 and SHA-256 HMAC. | |||
<li>modversions use MD4 to compute MODULE_INFO(srcversion): not intended to use as a cryptographic proof - anyone can simply overwrite the field in the compiled module. | |||
<li>CIFS uses MD4 and MD5 for authentication (NTLM, NTLMv2), MD5 for packet signatures, MD5 in (unimplemented) MacOS symlinks. | |||
<li>PPP MPPE uses SHA-1 (RFC3078, RFC3079). | |||
<li>random.c uses SHA-1 for generating random numbers. | |||
<li>random.c uses MD4 for generating IP IDs, TCP ISNs and similar numbers (based on a periodically changing secret). | |||
<li>drivers/staging/rt28{6,7}0 use MD5 and SHA-1 HMAC in various wireless protocol implementations. | |||
<li>jbd2 has a checksum field and defines MD5 and SHA-1 identifiers, but only implements CRC32. | |||
<li>nfsd differentiates between different clients using cl_recdir, a MD5 of the client's real client id, and does not handle collisions, but any DoS that can be created by generating collision can be just as easily created by duplicating the real client id directly. | |||
</ul> | |||
|- | |- | ||
| | | pam || An extensible library which provides authentication for applications || <ul> | ||
<li>pam_unix uses MD5 to store passwords in opasswd (#487298). | |||
<li>pam_namespace may use MD5 of user name or SELinux context in a directory name (#487302). | |||
</ul><hr><ul> | |||
<li>pam_unix password verification handles MD5 inside the module, uses crypt() for others. | |||
<li>pam_unix uses MD5 to generate a random salt. | |||
<li>pam_timestamp uses SHA-1 HMAC to authenticate timestamp files. | |||
</ul> | |||
|- | |- | ||
| pam_ccreds || Pam module to cache login credentials || Uses SHA1(known data, password) to store passwords (#487306). | |||
| pam_ccreds || Pam module to cache login credentials || | |||
|- | |- | ||
| db4 || The Berkeley DB database library (version 4) for C || | | db4 || The Berkeley DB database library (version 4) for C || | ||
Line 59: | Line 77: | ||
|- | |- | ||
| sysvinit || Programs which control basic system processes || | | sysvinit || Programs which control basic system processes || | ||
|- | |- | ||
| gnupg2 || Utility for secure communication and data storage || | | gnupg2 || Utility for secure communication and data storage || | ||
Line 173: | Line 189: | ||
| openswan || Openswan IPSEC implementation || | | openswan || Openswan IPSEC implementation || | ||
|- | |- | ||
| postgresql || PostgreSQL client programs and libraries || | | postgresql || PostgreSQL client programs and libraries ||<ul><li>MD5 is used to save encrypted passwords (SQL: ALTER USER ... WITH <b>ENCRYPTED</b> PASSWORD ...).<li>MD5 is also used for client autentization.<li>Username is used as the salt for the hash, there are no stronger methods to store password or autenticate.</ul> | ||
|- | |- | ||
| samba || The Samba Suite of programs || | | samba || The Samba Suite of programs || | ||
Line 675: | Line 691: | ||
ap_req_checksum_type = 12 | ap_req_checksum_type = 12 | ||
safe_checksum_type = 12 | safe_checksum_type = 12 | ||
=== nss_ldap === | |||
(After #487173 is applied, add information about pam_password and *rounds* here.) | |||
=== pam === | |||
<tt>pam_unix</tt> uses DES to encrypt passwords by default. Add the <tt>sha256</tt> or the <tt>sha512</tt> option to use SHA-2. (This already the default in Fedora.) | |||
=== openssh === | |||
To use a SHA-1 HMAC with <tt>ssh</tt> and related programs, define the <code>MACs=hmac-sha1</code> option on the command line or in your configuration file. | |||
=== rpm === | |||
To use SHA-256 in file digests, define the following RPM macros: | |||
_source_filedigest_algorithm 8 | |||
_binary_filedigest_algorithm 8 | |||
(or just install <tt>redhat-rpm-config</tt>) | |||
To use SHA-256 in PGP signatures, use an RSA key (at least 2048 bits recommended, otherwise the signature would be significantly weaker than the hash), and define the following RPM macro when signing the packages: | |||
__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo sha256 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename} | |||
=== crytpsetup-luks === | |||
<tt>cryptsetup create</tt> uses RIPEMD160 by default when generating an encryption key. To use SHA-2, use the <tt>-h sha256</tt> option. | |||
== Done == | == Done == | ||
These packages were already migrated. The "Notes" column should contain enough information to migrate from SHA-256 to a stronger hash in the future. | These packages were already migrated, or the features that need migrating are not essential. The "Notes" column should contain enough information to migrate from SHA-256 to a stronger hash in the future. | ||
{| | {| | ||
Line 685: | Line 728: | ||
| amanda || A network-capable tape backup solution || Only uses HMAC-SHA-1 to authenticate to Amazon S3 | | amanda || A network-capable tape backup solution || Only uses HMAC-SHA-1 to authenticate to Amazon S3 | ||
|- | |- | ||
| aide || Intrusion detection environment || See [[#aide]] for configuration.< | | aide || Intrusion detection environment || <ul> | ||
<li>See [[#aide]] for configuration. | |||
<li>Already supports SHA-256 and SHA-512 in the "file" backend, but not the SQL backend (#485250). | |||
</ul> | |||
|- | |||
| coreutils || A set of basic GNU tools commonly used in shell scripts || <ul> | |||
<li><tt>sha256sum</tt> et al are provided. | |||
<li><tt>sort -R</tt> uses MD-5 to generate random (but repeatable) comparison results. | |||
</ul> | |||
|- | |||
| dbus || D-BUS message bus || Only uses SHA-1 for DBUS_COOKIE_SHA1 authentication, which is not used in Fedora (#485277). | |||
|- | |||
| glibc || The GNU libc libraries || <ul> | |||
<li><tt>crypt()</tt> already supports SHA-256 and SHA-512. | |||
<li><tt>localedef</tt> uses MD5 to detect duplicate items when creating <tt>locale.archive</tt> without any collision handling (#485453). | |||
</ul> | |||
|- | |||
| nss_db || An NSS library for the Berkeley DB || The integrated db4:<ul> | |||
<li>Uses SHA-1 to derive encryption and MAC keys from passwords. | |||
<li>Uses HMAC-SHA1 to verify integrity of encrypted pages. | |||
</ul> | |||
|- | |||
| nss_ldap || NSS library and PAM module for LDAP || <ul> | |||
<li>Uses MD5 only to generate password salts. | |||
<li>Depending on pam_password, may use DES or MD5 crypt() for modified userPassword (verification is done on server, and OpenLDAP appears to support SHA-2); patch for adding support for SHA-2 to pam_ldap is in #487173. | |||
</ul> | |||
|- | |||
| pam_pkcs11 || PKCS #11/NSS PAM login module || <ul> | |||
<li>Signs a SHA-1 hash of a random value to verify user's control of a token, SHA-1 used only as a transformation of the random data (the token signs the hash, not the data). | |||
<li>digest_mapper indexes certificates using a digest, using any algorithm supported by the crypto library. | |||
</ul> | |||
|- | |||
| pam_smb || A Pluggable Authentication Module (PAM) for use with SMB servers. || Uses MD4 and DES as part of SMB authentication. | |||
|- | |||
| rpm || The RPM package management system || <ul> | |||
<li>Already supports SHA-256 for RPMTAG_FILEDIGESTS. | |||
<li>Already supports SHA-256 in public key signatures (RSA v3 signatures only). | |||
<li>User interface for file digests often says "md5" (#487597). | |||
<li>Some tags hard-code hash types: <tt>RPMSIGTAG_MD5</tt>, <tt>RPMSIGTAG_SHA1</tt>, <tt>RPMSIGTAG_DSA</tt> (hard-coded SHA-1). | |||
<li>Public key fingerprint computation uses SHA-1. | |||
</ul> | |||
|- | |||
| yum || RPM installer/updater || <ul> | |||
<li>Computes MD5, SHA-1 and SHA-256 hashes of repomd.xml to be verified against metalink data. | |||
<li>Verifies hashes of repodata files, and of downloaded packages, using hashes specified in the repodata. | |||
<li>Uses MD5 and SHA-1 to compute PGP key fingerprints. | |||
<li>Verifies installed files using the hash specified in FILEDIGESTALGO. | |||
</ul> | |||
|- | |||
| udev || A userspace implementation of devfs || <ul> | |||
<li>MD5 is used for generation of UUID of the macitosh file system HFS. | |||
<li>USE_MAKEDEV_CACHE uses MD5 of a makedev.d file to generate a processed version, without any collision checking; could be exploited only by system administrator. | |||
</ul> | |||
|- | |||
| cryptsetup-luks || A utility for setting up encrypted filesystems || <ul> | |||
<li><tt>cryptsetup create</tt> uses ripemd160 by default for key generation from passwords (see [[#cryptsetup-luks]] for configuration). | |||
<li>Uses HMAC_SHA1 in PBKDF2 key derivation. | |||
<li>Uses SHA1 to generate a random value to XOR data with. | |||
</ul> | |||
|- | |||
| yp-tools || NIS (or YP) client programs. || yppasswd replaced SHA-2 hashes with a DES hash (#487607). | |||
|} | |} |
Latest revision as of 15:01, 14 April 2009
Notes
This page currently tracks the migration status of selected packages to SHA-256 as part of the StrongerHashes feature.
To Do
These packages use or refer to hashes from which we should migrate away. Being on this list does not yet mean the package will have to change: another manual check is necessary. You can see the known hash uses at http://people.redhat.com/mitr/hashes/found-hashes .
Necessary for system integrity
Package | Description | Notes |
---|---|---|
krb5 | The Kerberos network authentication system. |
(Both are tracked in #490909.)
|
kernel | The Linux kernel |
(Both are tracked in #490916.)
(Both are tracked in #490918.)
|
pam | An extensible library which provides authentication for applications |
|
pam_ccreds | Pam module to cache login credentials | Uses SHA1(known data, password) to store passwords (#487306). |
db4 | The Berkeley DB database library (version 4) for C | |
e2fsprogs | Utilities for managing the second and third extended (ext2/ext3) filesystems | |
grub | Grand Unified Boot Loader | |
initscripts | The inittab file and the /etc/init.d scripts | |
iptables | Tools for managing Linux kernel packet filtering capabilities | |
mdadm | The mdadm program controls Linux md devices (software RAID arrays) | |
module-init-tools | Kernel module management utilities. | |
policycoreutils | SELinux policy core utilities | |
sysvinit | Programs which control basic system processes | |
gnupg2 | Utility for secure communication and data storage | |
rsyslog | Enhanced system logging and kernel message trapping daemons | |
esc | Enterprise Security Client Smart Card Client | |
gdm | The GNOME Display Manager | |
xorg-x11-server | X.Org X11 X server | |
anaconda | Graphical system installer | |
booty | simple python bootloader config lib | |
cluster | Red Hat Cluster | |
clustermon | Monitoring and management of Red Hat Enterprise Linux Cluster Suite | |
createrepo | Creates a common metadata repository | |
crypto-utils | SSL certificate and key management utilities | |
ecryptfs-utils | The eCryptfs mount helper and support libraries | |
gnome-keyring | Framework for managing passwords and other secrets | |
kexec-tools | The kexec/kdump userspace component. | |
PackageKit | Package management service | |
trousers | TCG's Software Stack v1.2 |
Servers
Package | Description | Notes |
---|---|---|
bind | The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server | |
cups | Common Unix Printing System | |
cvs | A version control system | |
cyrus-sasl | The Cyrus SASL library | |
dhcp | Dynamic host configuration protocol software | |
gnutls | A TLS protocol implementation | |
ipsec-tools | Tools for configuring and using IPSEC | |
libgcrypt | A general-purpose cryptography library | |
m2crypto | Support for using OpenSSL in python scripts | |
nc | Reads and writes data across network connections using TCP or UDP | |
nfs-utils | NFS utilities and supporting clients and daemons for the kernel NFS server | |
nss | Network Security Services | |
openldap | LDAP support libraries | |
openssh | An open source implementation of SSH protocol versions 1 and 2 | |
openssl | A general purpose cryptography library with TLS implementation | |
postfix | Postfix Mail Transport Agent | |
ppp | The PPP (Point-to-Point Protocol) daemon. | |
rsync | A program for synchronizing files over a network | |
stunnel | An SSL-encrypting socket wrapper | |
apr | Apache Portable Runtime library | |
apr-util | Apache Portable Runtime Utility library | |
authd | A RFC 1413 ident protocol daemon | |
axis | A SOAP implementation in Java | |
dovecot | Dovecot Secure imap server | |
exim | The exim mail transfer agent | |
freeipmi | IPMI remote console and system management software | |
freeradius | High-performance and highly configurable free RADIUS server | |
gnome-user-share | Gnome user file sharing | |
htdig | ht://Dig - Web search engine | |
httpd | Apache HTTP Server | |
jetty | The Jetty Webserver and Servlet Container | |
libntlm | NTLM authentication library | |
mailman | Mailing list manager with built in Web access | |
mod_auth_mysql | Basic authentication for the Apache web server using a MySQL database | |
mod_auth_pgsql | Basic authentication for the Apache HTTP Server using a PostgreSQL database | |
ntp | The NTP daemon and utilities | |
openswan | Openswan IPSEC implementation | |
postgresql | PostgreSQL client programs and libraries |
|
samba | The Samba Suite of programs | |
scsi-target-utils | The SCSI target daemon and utility programs | |
sendmail | A widely used Mail Transport Agent (MTA) | |
squid | The Squid proxy caching server | |
squirrelmail | SquirrelMail webmail client | |
struts | Web application framework | |
subversion | Modern Version Control System designed to replace CVS | |
tomcat5 | Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 API | |
mod_perl | An embedded Perl interpreter for the Apache HTTP Server | |
mod_python | An embedded Python interpreter for the Apache HTTP Server |
Untrusted data handling
Package | Description | Notes |
---|---|---|
curl | A utility for getting files from remote servers (FTP, HTTP, and others) | |
elinks | A text-mode Web browser | |
ghostscript | A PostScript(TM) interpreter and renderer. | |
lftp | A sophisticated file transfer program | |
mailx | Enhanced implementation of the mailx command | |
net-snmp | A collection of SNMP protocol tools and libraries | |
NetworkManager | Network connection manager and user applications | |
python-urlgrabber | A high-level cross-protocol url-grabber | |
rp-pppoe | A PPP over Ethernet client (for xDSL support). | |
sos | A set of tools to gather troubleshooting information from a system | |
tcpdump | A network traffic monitoring tool | |
telnet | The client program for the telnet remote login protocol. | |
wget | A utility for retrieving files using the HTTP or FTP protocols | |
wpa_supplicant | WPA/WPA2/IEEE 802.1X Supplicant | |
binutils | A GNU collection of binary utilities | |
elfutils | A collection of utilities and DSOs to handle compiled objects | |
fontconfig | Font configuration and customization library | |
gcc | Various compilers (C, C++, Objective-C, Java, ...) | |
glib2 | A library of handy utility functions | |
ksh | The Original ATT Korn Shell | |
man | A set of documentation tools: man, apropos and whatis | |
OpenIPMI | IPMI (Intelligent Platform Management Interface) library and tools | |
perl | Practical Extraction and Report Language | |
perl-Digest-HMAC | Digest-HMAC Perl module | |
perl-Digest-SHA1 | Digest-SHA1 Perl module | |
prelink | An ELF prelinking utility | |
python | An interpreted, interactive, object-oriented programming language | |
python-sqlite2 | DB-API 2.0 interface for SQLite 3.x | |
rhpl | Library of Python code used by installation and configuration tools | |
sqlite | Library that implements an embeddable SQL database engine | |
system-config-network | The GUI of the Network Adminstration Tool | |
util-linux-ng | A collection of basic system utilities | |
cadaver | Command-line WebDAV client | |
clucene | A C++ port of Lucene | |
dirmngr | Client for Managing/Downloading CRLs | |
empathy | Instant Messaging Client for GNOME | |
evolution | Mail and calendar client for GNOME | |
evolution-data-server | Backend data server for Evolution | |
firefox | Mozilla Firefox Web browser | |
flac | An encoder/decoder for the Free Lossless Audio Codec | |
gftp | A multi-threaded FTP client for the X Window System | |
gnome-pilot-conduits | Additional conduits for gnome-pilot | |
gpgme | GnuPG Made Easy - high level crypto API | |
gstreamer-plugins-base | GStreamer streaming media framework base plug-ins | |
gstreamer-plugins-good | GStreamer plug-ins with good code and licensing | |
gvfs | Backends for the gio framework in GLib | |
iscsi-initiator-utils | iSCSI daemon and utility programs | |
jakarta-commons-httpclient | Jakarta Commons HTTPClient implements the client side of HTTP standards | |
jpilot | Jpilot pilot desktop software | |
jsch | Pure Java implementation of SSH2 | |
jss | Java Security Services (JSS) | |
libdvdread | A library for reading DVD video discs based on Ogle code | |
libgadu | A Gadu-gadu protocol compatible communications library | |
libggz | Library for client-server games | |
libgpod | Library to access the contents of an iPod | |
libksba | X.509 library | |
libmsn | Library for connecting to the MSN Messenger service | |
libmusicbrainz | Library for accessing MusicBrainz servers | |
libotr | Off-The-Record Messaging library and toolkit | |
libprelude | The prelude library | |
libsilc | SILC Client Library | |
libsoup | Soup, an HTTP library implementation | |
libssh2 | A library implementing the SSH2 protocol | |
lucene | High-performance, full-featured text search engine | |
mrtg | Multi Router Traffic Grapher | |
mutt | A text mode mail user agent | |
mysql | MySQL client programs and shared libraries | |
neon | An HTTP and WebDAV client library | |
nmap | Network exploration tool and security scanner | |
openoffice.org | OpenOffice.org comprehensive office suite. | |
perl-Net-DNS | DNS resolver modules for Perl | |
perl-Net-SNMP | Object oriented interface to SNMP | |
pidgin | A Gtk+ based multiprotocol instant messaging client | |
pilot-link | File transfer utilities between Linux and PalmPilots | |
poppler | PDF rendering library | |
postgresql-jdbc | JDBC driver for PostgreSQL | |
postgresql-odbc | PostgreSQL ODBC driver | |
pygpgme | Python module for working with OpenPGP messages | |
python-ldap | An object-oriented API to access LDAP directory servers | |
rdesktop | X client for remote desktop into Windows Terminal Server | |
rhythmbox | Music Management Application | |
spamassassin | Spam filter for email which can be invoked from mail delivery agents | |
spambayes | Bayesian anti-spam filter | |
strigi | A desktop search program for KDE | |
thunderbird | Mozilla Thunderbird mail/newsgroup client | |
totem | Movie player for GNOME | |
wavpack | A completely open audiocodec | |
WebKit | Web content engine library | |
wireshark | Network traffic analyzer | |
xine-lib | A multimedia engine | |
xmlsec1 | Library providing support for ""XML Signature"" and ""XML Encryption"" standards | |
xulrunner | XUL Runtime for Gecko Applications |
General
Package | Description | Notes |
---|---|---|
ant | Ant build tool for java | |
arts | aRts (analog realtime synthesizer) - the KDE sound system | |
boost | The Boost C++ Libraries | |
bug-buddy | Crash reporting utility for the GNOME desktop | |
cdrkit | A collection of CD/DVD utilities | |
classpathx-mail | GNU JavaMail(tm) | |
cmake | Cross-platform make system | |
corosync | The Corosync Cluster Engine and Application Programming Interfaces | |
doxygen | A documentation system for C/C++. | |
eclipse | An open, extensible IDE | |
eet | Library for speedy data storage, retrieval, and compression | |
emacs | GNU Emacs text editor | |
exempi | Library for easy parsing of XMP metadata | |
exiv2 | Exif and Iptc metadata manipulation library | |
fftw | Fast Fourier Transform library | |
gdb | A GNU source-level debugger for C, C++, Java and other languages | |
gedit | Text editor for the GNOME desktop | |
geronimo-specs | Geronimo J2EE server J2EE specifications | |
gimp | GNU Image Manipulation Program | |
glibmm24 | C++ interface for GTK2 (a GUI library for X) | |
gnome-desktop | Package containing code shared among gnome-panel, gnome-session, nautilus, etc | |
gnome-doc-utils | Documentation utilities for GNOME | |
gnome-python2 | The sources for the PyGNOME Python extension module | |
gnome-terminal | Terminal emulator for GNOME | |
google-gadgets | Google Gadgets for Linux | |
gutenprint | Printer Drivers Package. | |
hplip | HP Linux Imaging and Printing Project | |
hsqldb | Hsqldb Database Engine | |
ImageMagick | An X application for displaying and manipulating images | |
imsettings | Delivery framework for general Input Method configuration | |
ipmitool | Utility for IPMI control | |
ipv6calc | IPv6 address format change and calculation utility | |
isomd5sum | Utilities for working with md5sum implanted in ISO images | |
jack-audio-connection-kit | The Jack Audio Connection Kit | |
jakarta-commons-codec | Implementations of common encoders and decoders | |
jakarta-commons-net | Internet protocol suite Java library | |
java-1.6.0-openjdk | OpenJDK Runtime Environment | |
javacc | A parser/scanner generator for java | |
k3b | CD/DVD burning application for KDE | |
kdeadmin | K Desktop Environment - Administrative tools | |
kdebase-runtime | K Desktop Environment - Runtime | |
kdebase-workspace | K Desktop Environment - Workspace | |
kdebindings | KDE bindings to non-C++ languages | |
kdegames | K Desktop Environment 4 - Games | |
kdegames3 | K Desktop Environment 3 - Games not ported to KDE 4 | |
kdegraphics | K Desktop Environment - Graphics Applications | |
kdelibs | K Desktop Environment 4 - Libraries | |
kdelibs3 | K Desktop Environment 3 - Libraries | |
kdemultimedia | K Desktop Environment - Multimedia applications | |
kdenetwork | K Desktop Environment - Network Applications | |
kdepim | PIM (Personal Information Manager) applications | |
kdepimlibs | K Desktop Environment 4 - PIM Libraries | |
kdesdk | The KDE Software Development Kit (SDK) | |
kdeutils | K Desktop Environment - Utilities | |
kdewebdev | Web development applications | |
libdiscid | A Library for creating MusicBrainz DiscIDs | |
libfprint | Tool kit for fingerprint scanner | |
libgnomeui | GNOME base GUI library | |
libical | Reference implementation of the iCalendar data type and serialization format | |
liboil | Library of Optimized Inner Loops, CPU optimized functions | |
libwvstreams | WvStreams is a network programming library written in C++ | |
libxslt | Library providing the Gnome XSLT engine | |
mc | User-friendly text console file manager and visual shell | |
mhash | Thread-safe hash algorithms library | |
mx | A collection of Python software tools | |
mx4j | Open source implementation of JMX Java API | |
netbeans-platform8 | NetBeans Platform 8 | |
ntfsprogs | NTFS filesystem libraries and utilities | |
objectweb-asm | A code manipulation tool to implement adaptable systems | |
opal | Open Phone Abstraction Library | |
openhpi | Hardware Platform Interface library and tools | |
pakchois | A wrapper library for PKCS#11 | |
perl-Crypt-DES | Perl DES encryption module | |
perl-libwww-perl | A Perl interface to the World-Wide Web | |
perl-Net-SSLeay | Perl extension for using OpenSSL | |
perl-Tk | Perl Graphical User Interface ToolKit | |
php | PHP scripting language for creating dynamic web sites | |
php-pear | PHP Extension and Application Repository framework | |
ptlib | Portable Tools Library | |
PyQt4 | Python bindings for Qt4 | |
Pyrex | A compiler/language for writing Python extension modules | |
python-docs | Documentation for the Python programming language. | |
python-reportlab | Python PDF generation library | |
python-setuptools | Easily build and distribute Python packages | |
python-virtinst | Python modules and utilities for installing virtual machines | |
PyXML | XML libraries for python | |
qca-ossl | OpenSSL plugin for the Qt Cryptographic Architecture v2 | |
qca2 | Qt Cryptographic Architecture | |
qt | Qt toolkit | |
qt3 | The shared library for the Qt 3 GUI toolkit | |
quagga | Routing daemon | |
redland | RDF Application Framework | |
ricci | Remote Cluster and Storage Management System | |
ruby | An interpreter of object-oriented scripting language | |
sane-backends | Scanner access software | |
scribus | DeskTop Publishing application written in Qt | |
setroubleshoot | Helps troubleshoot SELinux problems | |
stardict | A powerful dictionary platform written in GTK+2 | |
system-config-bind | BIND DNS Configuration Tool | |
system-config-httpd | Apache configuration tool | |
system-config-kickstart | A graphical interface for making kickstart files | |
systemtap | Instrumentation System | |
texlive | Binaries for the TeX formatting system | |
tokyocabinet | A modern implementation of a DBM | |
torque | Tera-scale Open-source Resource and QUEue manager | |
unixODBC | A complete ODBC driver manager for Linux | |
uuid | Universally Unique Identifier library | |
xsane | X Window System front-end for the SANE scanner interface | |
yum-utils | Utilities based around the yum package manager |
Legacy and low-priority
Package | Description | Notes |
---|---|---|
dump | Programs for backing up and restoring ext2/ext3 filesystems | |
xen | Xen is a virtual machine monitor | |
gnupg | A GNU utility for secure communication and data storage | |
beecrypt | An open source cryptography library | |
cyrus-imapd | A high-performance mail server with IMAP, POP3, NNTP and SIEVE support | |
uw-imap | UW Server daemons for IMAP and POP network mail protocols | |
inn | The InterNetNews system, an Usenet news server | |
nss_compat_ossl | Source-level compatibility library for OpenSSL to NSS porting | |
syslinux | Simple kernel loader which boots from a FAT filesystem | |
fetchmail | A remote mail retrieval and forwarding utility | |
w3m | A pager with Web browsing abilities | |
gnome-vfs2 | The GNOME virtual file-system libraries | |
gthumb | Image viewer, editor, organizer | |
slrn | A threaded Internet news reader | |
compat-gcc-34 | Compatibility GNU Compiler Collection | |
compat-db | The Berkeley DB database compatibility library | |
xdelta | A binary file delta generator and an RCS replacement library. | |
isdn4k-utils | Utilities for configuring an ISDN subsystem. | |
sharutils | The GNU shar utilities for packaging and unpackaging shell archives | |
busybox | Statically linked binary providing simplified versions of system commands |
Configuration
Various packages support SHA-256, but their default configuration does not use it. Note that configuring the packages to use SHA-256 may prevent interoperability with systems that do not use SHA-256.
aide
Add the sha256 or sha512 group to your aide.conf.
krb5
On the KDC, add
master_key_type = aes256-cts supported_enctypes = aes256-cts:normal
to your realm configuration in kdc.conf.
On all machines add the following to the [libedefaults] section of krb5.conf:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 default_tkt_enctypes = aes256-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 kdc_req_checksum_type = 12 ap_req_checksum_type = 12 safe_checksum_type = 12
nss_ldap
(After #487173 is applied, add information about pam_password and *rounds* here.)
pam
pam_unix uses DES to encrypt passwords by default. Add the sha256 or the sha512 option to use SHA-2. (This already the default in Fedora.)
openssh
To use a SHA-1 HMAC with ssh and related programs, define the MACs=hmac-sha1
option on the command line or in your configuration file.
rpm
To use SHA-256 in file digests, define the following RPM macros:
_source_filedigest_algorithm 8 _binary_filedigest_algorithm 8
(or just install redhat-rpm-config)
To use SHA-256 in PGP signatures, use an RSA key (at least 2048 bits recommended, otherwise the signature would be significantly weaker than the hash), and define the following RPM macro when signing the packages:
__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo sha256 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
crytpsetup-luks
cryptsetup create uses RIPEMD160 by default when generating an encryption key. To use SHA-2, use the -h sha256 option.
Done
These packages were already migrated, or the features that need migrating are not essential. The "Notes" column should contain enough information to migrate from SHA-256 to a stronger hash in the future.
Package | Description | Notes |
---|---|---|
amanda | A network-capable tape backup solution | Only uses HMAC-SHA-1 to authenticate to Amazon S3 |
aide | Intrusion detection environment |
|
coreutils | A set of basic GNU tools commonly used in shell scripts |
|
dbus | D-BUS message bus | Only uses SHA-1 for DBUS_COOKIE_SHA1 authentication, which is not used in Fedora (#485277). |
glibc | The GNU libc libraries |
|
nss_db | An NSS library for the Berkeley DB | The integrated db4:
|
nss_ldap | NSS library and PAM module for LDAP |
|
pam_pkcs11 | PKCS #11/NSS PAM login module |
|
pam_smb | A Pluggable Authentication Module (PAM) for use with SMB servers. | Uses MD4 and DES as part of SMB authentication. |
rpm | The RPM package management system |
|
yum | RPM installer/updater |
|
udev | A userspace implementation of devfs |
|
cryptsetup-luks | A utility for setting up encrypted filesystems |
|
yp-tools | NIS (or YP) client programs. | yppasswd replaced SHA-2 hashes with a DES hash (#487607). |