Revision diff excerpt (Notes cells shown in the diff view):
- jbd2 has a checksum field and defines MD5 and SHA-1 identifiers, but only implements CRC32.
- nfsd differentiates between clients using cl_recdir, an MD5 of the client's real client id, and does not handle collisions; however, any DoS that could be created by generating a collision can be created just as easily by duplicating the real client id directly.
- Uses SHA-1 to derive encryption and MAC keys from passwords.
- Uses HMAC-SHA1 to verify the integrity of encrypted pages.
- nss_ldap (NSS library and PAM module for LDAP):
  - Uses MD5 only to generate password salts.
  - Depending on pam_password, may use DES or MD5 crypt() for a modified userPassword (verification is done on the server, and OpenLDAP appears to support SHA-2); a patch adding SHA-2 support to pam_ldap is in #487173.
Revision as of 16:45, 24 February 2009
Notes
This page currently tracks the migration status of selected packages to SHA-256 as part of the StrongerHashes feature.
To Do
These packages use or refer to hashes from which we should migrate away. Being on this list does not yet mean the package will have to change: another manual check is necessary. You can see the known hash uses at http://people.redhat.com/mitr/hashes/found-hashes .
Necessary for system integrity
Package | Description | Notes |
---|---|---|
krb5 | The Kerberos network authentication system. | |
kernel | The Linux kernel | |
pam | An extensible library which provides authentication for applications | |
pam_ccreds | Pam module to cache login credentials | |
pam_pkcs11 | PKCS #11/NSS PAM login module | |
pam_smb | A Pluggable Authentication Module (PAM) for use with SMB servers. | |
rpm | The RPM package management system | |
yp-tools | NIS (or YP) client programs. | |
yum | RPM installer/updater | |
cryptsetup-luks | A utility for setting up encrypted filesystems | |
db4 | The Berkeley DB database library (version 4) for C | |
e2fsprogs | Utilities for managing the second and third extended (ext2/ext3) filesystems | |
grub | Grand Unified Boot Loader | |
initscripts | The inittab file and the /etc/init.d scripts | |
iptables | Tools for managing Linux kernel packet filtering capabilities | |
mdadm | The mdadm program controls Linux md devices (software RAID arrays) | |
module-init-tools | Kernel module management utilities. | |
policycoreutils | SELinux policy core utilities | |
sysvinit | Programs which control basic system processes | |
udev | A userspace implementation of devfs | |
gnupg2 | Utility for secure communication and data storage | |
rsyslog | Enhanced system logging and kernel message trapping daemons | |
esc | Enterprise Security Client Smart Card Client | |
gdm | The GNOME Display Manager | |
xorg-x11-server | X.Org X11 X server | |
anaconda | Graphical system installer | |
booty | simple python bootloader config lib | |
cluster | Red Hat Cluster | |
clustermon | Monitoring and management of Red Hat Enterprise Linux Cluster Suite | |
createrepo | Creates a common metadata repository | |
crypto-utils | SSL certificate and key management utilities | |
ecryptfs-utils | The eCryptfs mount helper and support libraries | |
gnome-keyring | Framework for managing passwords and other secrets | |
kexec-tools | The kexec/kdump userspace component. | |
PackageKit | Package management service | |
trousers | TCG's Software Stack v1.2 | |
Servers
Package | Description | Notes |
---|---|---|
bind | The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server | |
cups | Common Unix Printing System | |
cvs | A version control system | |
cyrus-sasl | The Cyrus SASL library | |
dhcp | Dynamic host configuration protocol software | |
gnutls | A TLS protocol implementation | |
ipsec-tools | Tools for configuring and using IPSEC | |
libgcrypt | A general-purpose cryptography library | |
m2crypto | Support for using OpenSSL in python scripts | |
nc | Reads and writes data across network connections using TCP or UDP | |
nfs-utils | NFS utilities and supporting clients and daemons for the kernel NFS server | |
nss | Network Security Services | |
openldap | LDAP support libraries | |
openssh | An open source implementation of SSH protocol versions 1 and 2 | |
openssl | A general purpose cryptography library with TLS implementation | |
postfix | Postfix Mail Transport Agent | |
ppp | The PPP (Point-to-Point Protocol) daemon. | |
rsync | A program for synchronizing files over a network | |
stunnel | An SSL-encrypting socket wrapper | |
apr | Apache Portable Runtime library | |
apr-util | Apache Portable Runtime Utility library | |
authd | A RFC 1413 ident protocol daemon | |
axis | A SOAP implementation in Java | |
dovecot | Dovecot Secure imap server | |
exim | The exim mail transfer agent | |
freeipmi | IPMI remote console and system management software | |
freeradius | High-performance and highly configurable free RADIUS server | |
gnome-user-share | Gnome user file sharing | |
htdig | ht://Dig - Web search engine | |
httpd | Apache HTTP Server | |
jetty | The Jetty Webserver and Servlet Container | |
libntlm | NTLM authentication library | |
mailman | Mailing list manager with built in Web access | |
mod_auth_mysql | Basic authentication for the Apache web server using a MySQL database | |
mod_auth_pgsql | Basic authentication for the Apache HTTP Server using a PostgreSQL database | |
ntp | The NTP daemon and utilities | |
openswan | Openswan IPSEC implementation | |
postgresql | PostgreSQL client programs and libraries | |
samba | The Samba Suite of programs | |
scsi-target-utils | The SCSI target daemon and utility programs | |
sendmail | A widely used Mail Transport Agent (MTA) | |
squid | The Squid proxy caching server | |
squirrelmail | SquirrelMail webmail client | |
struts | Web application framework | |
subversion | Modern Version Control System designed to replace CVS | |
tomcat5 | Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 API | |
mod_perl | An embedded Perl interpreter for the Apache HTTP Server | |
mod_python | An embedded Python interpreter for the Apache HTTP Server | |
Untrusted data handling
Package | Description | Notes |
---|---|---|
curl | A utility for getting files from remote servers (FTP, HTTP, and others) | |
elinks | A text-mode Web browser | |
ghostscript | A PostScript(TM) interpreter and renderer. | |
lftp | A sophisticated file transfer program | |
mailx | Enhanced implementation of the mailx command | |
net-snmp | A collection of SNMP protocol tools and libraries | |
NetworkManager | Network connection manager and user applications | |
python-urlgrabber | A high-level cross-protocol url-grabber | |
rp-pppoe | A PPP over Ethernet client (for xDSL support). | |
sos | A set of tools to gather troubleshooting information from a system | |
tcpdump | A network traffic monitoring tool | |
telnet | The client program for the telnet remote login protocol. | |
wget | A utility for retrieving files using the HTTP or FTP protocols | |
wpa_supplicant | WPA/WPA2/IEEE 802.1X Supplicant | |
binutils | A GNU collection of binary utilities | |
elfutils | A collection of utilities and DSOs to handle compiled objects | |
fontconfig | Font configuration and customization library | |
gcc | Various compilers (C, C++, Objective-C, Java, ...) | |
glib2 | A library of handy utility functions | |
ksh | The Original ATT Korn Shell | |
man | A set of documentation tools: man, apropos and whatis | |
OpenIPMI | IPMI (Intelligent Platform Management Interface) library and tools | |
perl | Practical Extraction and Report Language | |
perl-Digest-HMAC | Digest-HMAC Perl module | |
perl-Digest-SHA1 | Digest-SHA1 Perl module | |
prelink | An ELF prelinking utility | |
python | An interpreted, interactive, object-oriented programming language | |
python-sqlite2 | DB-API 2.0 interface for SQLite 3.x | |
rhpl | Library of Python code used by installation and configuration tools | |
sqlite | Library that implements an embeddable SQL database engine | |
system-config-network | The GUI of the Network Administration Tool | |
util-linux-ng | A collection of basic system utilities | |
cadaver | Command-line WebDAV client | |
clucene | A C++ port of Lucene | |
dirmngr | Client for Managing/Downloading CRLs | |
empathy | Instant Messaging Client for GNOME | |
evolution | Mail and calendar client for GNOME | |
evolution-data-server | Backend data server for Evolution | |
firefox | Mozilla Firefox Web browser | |
flac | An encoder/decoder for the Free Lossless Audio Codec | |
gftp | A multi-threaded FTP client for the X Window System | |
gnome-pilot-conduits | Additional conduits for gnome-pilot | |
gpgme | GnuPG Made Easy - high level crypto API | |
gstreamer-plugins-base | GStreamer streaming media framework base plug-ins | |
gstreamer-plugins-good | GStreamer plug-ins with good code and licensing | |
gvfs | Backends for the gio framework in GLib | |
iscsi-initiator-utils | iSCSI daemon and utility programs | |
jakarta-commons-httpclient | Jakarta Commons HTTPClient implements the client side of HTTP standards | |
jpilot | Jpilot pilot desktop software | |
jsch | Pure Java implementation of SSH2 | |
jss | Java Security Services (JSS) | |
libdvdread | A library for reading DVD video discs based on Ogle code | |
libgadu | A Gadu-gadu protocol compatible communications library | |
libggz | Library for client-server games | |
libgpod | Library to access the contents of an iPod | |
libksba | X.509 library | |
libmsn | Library for connecting to the MSN Messenger service | |
libmusicbrainz | Library for accessing MusicBrainz servers | |
libotr | Off-The-Record Messaging library and toolkit | |
libprelude | The prelude library | |
libsilc | SILC Client Library | |
libsoup | Soup, an HTTP library implementation | |
libssh2 | A library implementing the SSH2 protocol | |
lucene | High-performance, full-featured text search engine | |
mrtg | Multi Router Traffic Grapher | |
mutt | A text mode mail user agent | |
mysql | MySQL client programs and shared libraries | |
neon | An HTTP and WebDAV client library | |
nmap | Network exploration tool and security scanner | |
openoffice.org | OpenOffice.org comprehensive office suite. | |
perl-Net-DNS | DNS resolver modules for Perl | |
perl-Net-SNMP | Object oriented interface to SNMP | |
pidgin | A Gtk+ based multiprotocol instant messaging client | |
pilot-link | File transfer utilities between Linux and PalmPilots | |
poppler | PDF rendering library | |
postgresql-jdbc | JDBC driver for PostgreSQL | |
postgresql-odbc | PostgreSQL ODBC driver | |
pygpgme | Python module for working with OpenPGP messages | |
python-ldap | An object-oriented API to access LDAP directory servers | |
rdesktop | X client for remote desktop into Windows Terminal Server | |
rhythmbox | Music Management Application | |
spamassassin | Spam filter for email which can be invoked from mail delivery agents | |
spambayes | Bayesian anti-spam filter | |
strigi | A desktop search program for KDE | |
thunderbird | Mozilla Thunderbird mail/newsgroup client | |
totem | Movie player for GNOME | |
wavpack | A completely open audiocodec | |
WebKit | Web content engine library | |
wireshark | Network traffic analyzer | |
xine-lib | A multimedia engine | |
xmlsec1 | Library providing support for "XML Signature" and "XML Encryption" standards | |
xulrunner | XUL Runtime for Gecko Applications | |
General
Package | Description | Notes |
---|---|---|
ant | Ant build tool for java | |
arts | aRts (analog realtime synthesizer) - the KDE sound system | |
boost | The Boost C++ Libraries | |
bug-buddy | Crash reporting utility for the GNOME desktop | |
cdrkit | A collection of CD/DVD utilities | |
classpathx-mail | GNU JavaMail(tm) | |
cmake | Cross-platform make system | |
corosync | The Corosync Cluster Engine and Application Programming Interfaces | |
doxygen | A documentation system for C/C++. | |
eclipse | An open, extensible IDE | |
eet | Library for speedy data storage, retrieval, and compression | |
emacs | GNU Emacs text editor | |
exempi | Library for easy parsing of XMP metadata | |
exiv2 | Exif and Iptc metadata manipulation library | |
fftw | Fast Fourier Transform library | |
gdb | A GNU source-level debugger for C, C++, Java and other languages | |
gedit | Text editor for the GNOME desktop | |
geronimo-specs | Geronimo J2EE server J2EE specifications | |
gimp | GNU Image Manipulation Program | |
glibmm24 | C++ interface for GTK2 (a GUI library for X) | |
gnome-desktop | Package containing code shared among gnome-panel, gnome-session, nautilus, etc | |
gnome-doc-utils | Documentation utilities for GNOME | |
gnome-python2 | The sources for the PyGNOME Python extension module | |
gnome-terminal | Terminal emulator for GNOME | |
google-gadgets | Google Gadgets for Linux | |
gutenprint | Printer Drivers Package. | |
hplip | HP Linux Imaging and Printing Project | |
hsqldb | Hsqldb Database Engine | |
ImageMagick | An X application for displaying and manipulating images | |
imsettings | Delivery framework for general Input Method configuration | |
ipmitool | Utility for IPMI control | |
ipv6calc | IPv6 address format change and calculation utility | |
isomd5sum | Utilities for working with md5sum implanted in ISO images | |
jack-audio-connection-kit | The Jack Audio Connection Kit | |
jakarta-commons-codec | Implementations of common encoders and decoders | |
jakarta-commons-net | Internet protocol suite Java library | |
java-1.6.0-openjdk | OpenJDK Runtime Environment | |
javacc | A parser/scanner generator for java | |
k3b | CD/DVD burning application for KDE | |
kdeadmin | K Desktop Environment - Administrative tools | |
kdebase-runtime | K Desktop Environment - Runtime | |
kdebase-workspace | K Desktop Environment - Workspace | |
kdebindings | KDE bindings to non-C++ languages | |
kdegames | K Desktop Environment 4 - Games | |
kdegames3 | K Desktop Environment 3 - Games not ported to KDE 4 | |
kdegraphics | K Desktop Environment - Graphics Applications | |
kdelibs | K Desktop Environment 4 - Libraries | |
kdelibs3 | K Desktop Environment 3 - Libraries | |
kdemultimedia | K Desktop Environment - Multimedia applications | |
kdenetwork | K Desktop Environment - Network Applications | |
kdepim | PIM (Personal Information Manager) applications | |
kdepimlibs | K Desktop Environment 4 - PIM Libraries | |
kdesdk | The KDE Software Development Kit (SDK) | |
kdeutils | K Desktop Environment - Utilities | |
kdewebdev | Web development applications | |
libdiscid | A Library for creating MusicBrainz DiscIDs | |
libfprint | Tool kit for fingerprint scanner | |
libgnomeui | GNOME base GUI library | |
libical | Reference implementation of the iCalendar data type and serialization format | |
liboil | Library of Optimized Inner Loops, CPU optimized functions | |
libwvstreams | WvStreams is a network programming library written in C++ | |
libxslt | Library providing the Gnome XSLT engine | |
mc | User-friendly text console file manager and visual shell | |
mhash | Thread-safe hash algorithms library | |
mx | A collection of Python software tools | |
mx4j | Open source implementation of JMX Java API | |
netbeans-platform8 | NetBeans Platform 8 | |
ntfsprogs | NTFS filesystem libraries and utilities | |
objectweb-asm | A code manipulation tool to implement adaptable systems | |
opal | Open Phone Abstraction Library | |
openhpi | Hardware Platform Interface library and tools | |
pakchois | A wrapper library for PKCS#11 | |
perl-Crypt-DES | Perl DES encryption module | |
perl-libwww-perl | A Perl interface to the World-Wide Web | |
perl-Net-SSLeay | Perl extension for using OpenSSL | |
perl-Tk | Perl Graphical User Interface ToolKit | |
php | PHP scripting language for creating dynamic web sites | |
php-pear | PHP Extension and Application Repository framework | |
ptlib | Portable Tools Library | |
PyQt4 | Python bindings for Qt4 | |
Pyrex | A compiler/language for writing Python extension modules | |
python-docs | Documentation for the Python programming language. | |
python-reportlab | Python PDF generation library | |
python-setuptools | Easily build and distribute Python packages | |
python-virtinst | Python modules and utilities for installing virtual machines | |
PyXML | XML libraries for python | |
qca-ossl | OpenSSL plugin for the Qt Cryptographic Architecture v2 | |
qca2 | Qt Cryptographic Architecture | |
qt | Qt toolkit | |
qt3 | The shared library for the Qt 3 GUI toolkit | |
quagga | Routing daemon | |
redland | RDF Application Framework | |
ricci | Remote Cluster and Storage Management System | |
ruby | An interpreter of object-oriented scripting language | |
sane-backends | Scanner access software | |
scribus | DeskTop Publishing application written in Qt | |
setroubleshoot | Helps troubleshoot SELinux problems | |
stardict | A powerful dictionary platform written in GTK+2 | |
system-config-bind | BIND DNS Configuration Tool | |
system-config-httpd | Apache configuration tool | |
system-config-kickstart | A graphical interface for making kickstart files | |
systemtap | Instrumentation System | |
texlive | Binaries for the TeX formatting system | |
tokyocabinet | A modern implementation of a DBM | |
torque | Tera-scale Open-source Resource and QUEue manager | |
unixODBC | A complete ODBC driver manager for Linux | |
uuid | Universally Unique Identifier library | |
xsane | X Window System front-end for the SANE scanner interface | |
yum-utils | Utilities based around the yum package manager | |
Legacy and low-priority
Package | Description | Notes |
---|---|---|
dump | Programs for backing up and restoring ext2/ext3 filesystems | |
xen | Xen is a virtual machine monitor | |
gnupg | A GNU utility for secure communication and data storage | |
beecrypt | An open source cryptography library | |
cyrus-imapd | A high-performance mail server with IMAP, POP3, NNTP and SIEVE support | |
uw-imap | UW Server daemons for IMAP and POP network mail protocols | |
inn | The InterNetNews system, an Usenet news server | |
nss_compat_ossl | Source-level compatibility library for OpenSSL to NSS porting | |
syslinux | Simple kernel loader which boots from a FAT filesystem | |
fetchmail | A remote mail retrieval and forwarding utility | |
w3m | A pager with Web browsing abilities | |
gnome-vfs2 | The GNOME virtual file-system libraries | |
gthumb | Image viewer, editor, organizer | |
slrn | A threaded Internet news reader | |
compat-gcc-34 | Compatibility GNU Compiler Collection | |
compat-db | The Berkeley DB database compatibility library | |
xdelta | A binary file delta generator and an RCS replacement library. | |
isdn4k-utils | Utilities for configuring an ISDN subsystem. | |
sharutils | The GNU shar utilities for packaging and unpackaging shell archives | |
busybox | Statically linked binary providing simplified versions of system commands | |
Configuration
Various packages support SHA-256, but their default configuration does not use it. Note that configuring the packages to use SHA-256 may prevent interoperability with systems that do not use SHA-256.
aide
Add the sha256 or sha512 group to your aide.conf.
krb5
On the KDC, add

    master_key_type = aes256-cts
    supported_enctypes = aes256-cts:normal

to your realm configuration in kdc.conf.
On all machines add the following to the [libdefaults] section of krb5.conf:

    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
    kdc_req_checksum_type = 12
    ap_req_checksum_type = 12
    safe_checksum_type = 12
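As an added example (not part of the wiki page or of the krb5 project), a small Python check that reads a krb5.conf and reports which of the [libdefaults] settings listed above are missing or set to a different value; the two sample configurations are constructed here, and the parser only handles the top-level key = value form used by those settings.

```python
import re

# Settings the krb5 recipe above asks for in the [libdefaults] section.
REQUIRED_LIBDEFAULTS = {
    "default_tgs_enctypes": "aes256-cts-hmac-sha1-96",
    "default_tkt_enctypes": "aes256-cts-hmac-sha1-96",
    "permitted_enctypes": "aes256-cts-hmac-sha1-96",
    "kdc_req_checksum_type": "12",
    "ap_req_checksum_type": "12",
    "safe_checksum_type": "12",
}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} for top-level
    'key = value' lines; nested '{ ... }' groups such as realms are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):                 # start of a nested group
            depth += 1
            continue
        if line == "}":                        # end of a nested group
            depth -= 1
            continue
        if depth == 0 and current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_libdefaults(text):
    """Return {key: (expected, found)} for each required setting that is
    missing or different; an empty dict means the file matches the recipe."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return {
        key: (expected, libdefaults.get(key))
        for key, expected in REQUIRED_LIBDEFAULTS.items()
        if libdefaults.get(key) != expected
    }


# Constructed sample: a stock krb5.conf that restricts no enctypes.
DEFAULT_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }
"""

# Constructed sample: the same file with the recipe's settings added.
HARDENED_CONF = DEFAULT_CONF.replace("[libdefaults]\n", """[libdefaults]
 default_tgs_enctypes = aes256-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96
 kdc_req_checksum_type = 12
 ap_req_checksum_type = 12
 safe_checksum_type = 12
""")
```

Calling check_libdefaults on DEFAULT_CONF lists all six settings as missing, while HARDENED_CONF returns an empty dict; to audit a real host, pass the contents of /etc/krb5.conf instead.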
Done
These packages were already migrated, or the features that need migrating are not essential. The "Notes" column should contain enough information to migrate from SHA-256 to a stronger hash in the future.
Package | Description | Notes |
---|---|---|
amanda | A network-capable tape backup solution | Only uses HMAC-SHA-1 to authenticate to Amazon S3 |
aide | Intrusion detection environment | |
coreutils | A set of basic GNU tools commonly used in shell scripts | |
dbus | D-BUS message bus | Only uses SHA-1 for DBUS_COOKIE_SHA1 authentication, which is not used in Fedora (#485277). |
glibc | The GNU libc libraries | |
nss_db | An NSS library for the Berkeley DB | The integrated db4: |
nss_ldap | NSS library and PAM module for LDAP | |