Moriwaka here.
Red Hat Enterprise Linux 8 (RHEL 8) introduced many new features that strengthen security. Among them, the one with the largest impact on operations, in terms of reducing operational effort, improving the consistency of security settings, and changing established procedures, is crypto-policies (the system-wide cryptographic policy). This article describes how crypto-policies has been extended over time.
What is Crypto-Policies?
The background is this: it is important that all of the many applications on a system use the same level of cryptography. If only some services use strong cryptography while other services use weak cryptography, the system as a whole is weak. Saying "the same level" is easy, but actually configuring the many cryptographic libraries and applications present on a system requires very broad knowledge and is hard. crypto-policies was developed to make this difficult job easy.
Crypto-policies is a framework for centrally managing the system-wide cryptographic policy. Administrators can easily apply consistent cryptographic settings across multiple applications and libraries. Because the way a large amount of software is configured differs from before, the impact on build procedures and operations is significant.
Which software has its configuration managed by Crypto-Policies?
Crypto-policies manages the configuration of many security libraries and tools shipped with RHEL, such as OpenSSL, GnuTLS, OpenSSH and OpenJDK. This makes it possible to unify the security baseline across the whole system. The crypto-policies package generates the configuration, and the other packages that provide cryptographic functionality are implemented so that they read the crypto-policies configuration.
Software that is not managed includes third-party software not shipped with RHEL that carries its own cryptographic library instead of using the ones shipped with RHEL, software that applies its own explicit configuration, and most programs written in Go. (Podman as shipped with RHEL has been modified to use openssl so that the crypto-policies configuration is reflected.)
Crypto-Policies in RHEL 8.0
When RHEL 8.0 was first released, crypto-policies only allowed choosing from four predefined policies: DEFAULT, LEGACY, FUTURE and FIPS. These policies could not be customized.
The policy is set with a command such as the following.
# update-crypto-policies --set DEFAULT
Customization introduced in RHEL 8.2
Starting with RHEL 8.2, the ability for users to define their own crypto-policies policies using a policy language was introduced. With simple notation like the example below, administrators can write their own policies or fine-tune a policy to meet specific requirements. The policy language is a list of lines of the form "option = cipher suite name (several names, for some options)" or "option = value".
Typically, rather than writing a policy from scratch, you define the changes relative to a base policy as a sub-policy and use it in combination with an existing policy. In addition to ordinary policy statements, a sub-policy can define a difference from the base policy: lines of the form "option = +value" and "option = -value" add or remove individual values. Any number of sub-policies can be specified.
For example, a sub-policy NO-SHA1.pmod that prohibits the use of SHA-1 is written as follows. This example prohibits SHA-1 in hash functions, signatures and certificates. The details of the policy language are explained in the CRYPTO POLICY DEFINITION FORMAT section of man crypto-policies.
hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0
Combining them as follows specifies a policy that is basically the DEFAULT policy but with the use of SHA-1 prohibited.
# update-crypto-policies --set DEFAULT:NO-SHA1
Scope specification introduced in RHEL 8.5
Up to RHEL 8.4, only a single policy unified across the whole system could be handled. Given the original purpose this is reasonable, but there were cases where it became a problem: cases such as "old systems connect to us, so we want weak ciphers only for ssh", or "we use an old Active Directory, so we want a weak hash function only for Kerberos".
From RHEL 8.5 on, a specific scope can be specified in the policy language, as in cipher@ssh, so that a policy can be set that affects only some programs. This makes it possible, for example, to manage the cryptographic requirements for SSH connections independently of other services.
As another example, AD-SUPPORT.pmod defines a sub-policy like the following that allows RC4 and similar algorithms only for Kerberos, for compatibility with Active Directory installations that have old settings.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
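To make the sub-policy and scope mechanisms from the two sections above concrete, here is a small Python model of how a base policy is merged with sub-policies such as NO-SHA1 and AD-SUPPORT. This is an added example written for this article, not the crypto-policies implementation or any code from the crypto-policies project: the abbreviated DEFAULT lists are constructed, the interpretation that a trailing "+" appends and a leading "+" prepends is an assumption, and so is the assumption that a scoped option such as hash@kerberos starts from the unscoped value before the sub-policy modifies it. Removal with "-" supports globs, so "-*-SHA1" behaves as the NO-SHA1 example describes.

```python
"""Toy model of how crypto-policies sub-policies (.pmod files) modify a base policy.
Constructed for illustration; it is NOT the crypto-policies implementation.

Operations modelled, following the page's description of the policy language:
  option = A B C      replace the whole list (or set a scalar such as sha1_in_certs)
  option = -X         remove X; X may be a glob such as *-SHA1
  option = X+         append X to the list
  option = +X         prepend X to the list (assumption: prefix/suffix differ only in order)
  option@scope = ...  override only for one back-end scope, e.g. kerberos or ssh
                      (assumption: a scoped option starts from the unscoped value)
"""
import fnmatch
from copy import deepcopy

# Constructed, heavily abbreviated stand-in for the DEFAULT policy. The real
# lists are much longer; these values only make the merging behaviour visible.
POLICIES = {
    "DEFAULT": {
        "hash": ["SHA2-256", "SHA2-384", "SHA2-512", "SHA1"],
        "sign": ["RSA-PSS-SHA2-256", "RSA-SHA2-256", "RSA-SHA1", "ECDSA-SHA1"],
        "cipher": ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC"],
        "sha1_in_certs": "1",
    },
}

# The two sub-policies quoted in the article, as .pmod text.
MODULES = {
    "NO-SHA1": "hash = -SHA1\nsign = -*-SHA1\nsha1_in_certs = 0\n",
    "AD-SUPPORT": "cipher@kerberos = RC4-128+\nhash@kerberos = MD5+\n",
}


def parse_pmod(text):
    """Yield (option, scope, tokens) for each statement; scope is None when unscoped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        option, _, scope = key.partition("@")
        yield option, scope or None, value.split()


def apply_tokens(current, tokens):
    """Apply one statement's tokens to the current value and return the new value."""
    modifies = any(t.startswith(("+", "-")) or t.endswith("+") for t in tokens)
    if not modifies:
        # Plain assignment: a scalar stays a scalar, anything else becomes a list.
        if not isinstance(current, list) and len(tokens) == 1:
            return tokens[0]
        return list(tokens)
    result = list(current) if isinstance(current, list) else []
    for token in tokens:
        if token.startswith("-"):      # remove every algorithm matching the glob
            pattern = token[1:]
            result = [alg for alg in result if not fnmatch.fnmatchcase(alg, pattern)]
        elif token.startswith("+"):    # prepend (assumed ordering)
            alg = token[1:]
            result = [alg] + [a for a in result if a != alg]
        elif token.endswith("+"):      # append
            alg = token[:-1]
            result = [a for a in result if a != alg] + [alg]
        else:
            raise ValueError(f"cannot mix plain value {token!r} with +/- modifiers")
    return result


def apply_subpolicy(policy, text):
    """Return a copy of `policy` with the sub-policy statements in `text` applied."""
    policy = deepcopy(policy)
    for option, scope, tokens in parse_pmod(text):
        key = f"{option}@{scope}" if scope else option
        current = policy.get(key, policy.get(option, []))
        policy[key] = apply_tokens(current, tokens)
    return policy


def resolve(spec, policies=POLICIES, modules=MODULES):
    """Model 'update-crypto-policies --set BASE:SUB1:SUB2': apply sub-policies left to right."""
    base, *subs = spec.split(":")
    policy = policies[base]
    for name in subs:
        policy = apply_subpolicy(policy, modules[name])
    return policy


def effective(policy, option, scope):
    """Value a back-end in `scope` sees: the scoped override if present, else the global value."""
    return policy.get(f"{option}@{scope}", policy.get(option))


if __name__ == "__main__":
    merged = resolve("DEFAULT:NO-SHA1:AD-SUPPORT")
    for scope in ("ssh", "kerberos"):
        print(scope, "hash:", effective(merged, "hash", scope))
        print(scope, "cipher:", effective(merged, "cipher", scope))
```

Running it shows the point of scoping: with DEFAULT:NO-SHA1:AD-SUPPORT, the ssh scope sees a hash list without SHA1 and no RC4, while the kerberos scope sees the same SHA-1-free list plus MD5, and RC4-128 appended to its cipher list. Because NO-SHA1 is applied first, the kerberos override inherits the already-trimmed list, which is why the order of the colon-separated sub-policies matters.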
Differences in the ssh server implementation between RHEL 8 and RHEL 9
Changing the subject a little, there is a difference in implementation between RHEL 8 and RHEL 9. The policy language is unchanged, but the way the settings are applied to the ssh server has changed. Both RHEL 8 and RHEL 9 work without problems on their own, but problems can occur when you perform an in-place upgrade.
If you configured RHEL 8 to ignore the crypto-policies settings and then update to RHEL 9, the configuration derived from crypto-policies is used (contrary to the expectation that it keep behaving as it did on 8), so an unintended difference in behaviour appears. This can also happen without an in-place upgrade, simply by reusing configuration, so take care.
The difference in implementation between RHEL 8 and RHEL 9 is as follows.
- On RHEL 8, the policy generated by crypto-policies was applied by passing it as a command-line option when sshd starts.
- On RHEL 9, the policy generated by crypto-policies is read in as part of the configuration file through an include in the configuration; nothing is passed on the command line.
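As an added example (not code from the article or from Red Hat), here is a small pre-upgrade check that looks at the two mechanisms just described and flags the case where sshd opts out of the policy on RHEL 8 but would pick it up again on RHEL 9. The file names and the variable name are assumptions drawn from RHEL as I know it, not from the article: on RHEL 8, /etc/sysconfig/sshd exports CRYPTO_POLICY, which the sshd unit passes on the command line, and an uncommented empty "CRYPTO_POLICY=" line is the opt-out; on RHEL 9, /etc/ssh/sshd_config.d/50-redhat.conf contains "Include /etc/crypto-policies/back-ends/opensshserver.config". The sample file contents are constructed.

```python
"""Check whether the sshd crypto-policies behaviour changes between RHEL 8 and RHEL 9.

Added example, not crypto-policies or Red Hat code. Assumptions (not from the article):
  RHEL 8: /etc/sysconfig/sshd sets CRYPTO_POLICY, passed to sshd on the command line;
          an uncommented empty 'CRYPTO_POLICY=' disables the system-wide policy for sshd.
  RHEL 9: a fragment under /etc/ssh/sshd_config.d/ (50-redhat.conf) includes the
          generated /etc/crypto-policies/back-ends/opensshserver.config.
"""
from pathlib import Path

POLICY_INCLUDE = "/etc/crypto-policies/back-ends/opensshserver.config"
SYSCONFIG_VAR = "CRYPTO_POLICY="

# Constructed sample inputs, modelled on the layout of the real files.
SYSCONFIG_OPT_OUT = "# Configuration file for the sshd service.\n" \
                    "# Uncomment the next line to opt out of the system-wide policy\n" \
                    "CRYPTO_POLICY=\n"
SYSCONFIG_DEFAULT = "# Configuration file for the sshd service.\n" \
                    "# CRYPTO_POLICY=\n"
RHEL9_REDHAT_CONF = "# This system follows the system-wide crypto policy.\n" \
                    "Include /etc/crypto-policies/back-ends/opensshserver.config\n"


def rhel8_policy_opt_out(sysconfig_text):
    """True if /etc/sysconfig/sshd-style text disables the policy for sshd.
    Only an uncommented CRYPTO_POLICY line with an empty value counts as an opt-out;
    a commented line or a line carrying explicit -o options does not."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith(SYSCONFIG_VAR):
            value = line[len(SYSCONFIG_VAR):].strip().strip("'\"")
            if value == "":
                return True
    return False


def rhel9_policy_included(sshd_config_texts):
    """True if any sshd_config fragment has an active Include of the generated policy file."""
    for text in sshd_config_texts:
        for line in text.splitlines():
            stripped = line.split("#", 1)[0].strip()  # drop comments
            parts = stripped.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "include" and POLICY_INCLUDE in parts[1]:
                return True
    return False


def check_upgrade(sysconfig_text, sshd_config_texts):
    """Summarise how sshd's use of crypto-policies changes from RHEL 8 to RHEL 9."""
    opted_out_on_8 = rhel8_policy_opt_out(sysconfig_text)
    enforced_on_9 = rhel9_policy_included(sshd_config_texts)
    return {
        "rhel8_policy_enforced": not opted_out_on_8,
        "rhel9_policy_enforced": enforced_on_9,
        # The case the article warns about: silent re-enabling of the policy.
        "behaviour_changes": opted_out_on_8 and enforced_on_9,
    }


def check_system(sysconfig_path="/etc/sysconfig/sshd", conf_dir="/etc/ssh/sshd_config.d"):
    """Run the check against a live system (paths are the assumed RHEL defaults)."""
    sysconfig = Path(sysconfig_path)
    sysconfig_text = sysconfig.read_text() if sysconfig.is_file() else ""
    directory = Path(conf_dir)
    fragments = [p.read_text() for p in sorted(directory.glob("*.conf"))] if directory.is_dir() else []
    return check_upgrade(sysconfig_text, fragments)


if __name__ == "__main__":
    print("constructed opt-out host:", check_upgrade(SYSCONFIG_OPT_OUT, [RHEL9_REDHAT_CONF]))
    print("constructed default host:", check_upgrade(SYSCONFIG_DEFAULT, [RHEL9_REDHAT_CONF]))
```

Run check_system() on a RHEL 8 host before the upgrade (pointing conf_dir at a copy of the RHEL 9 fragment you expect to receive) to learn whether "behaviour_changes" will be true; if it is, the ssh cipher restrictions that were disabled on RHEL 8 come back into force after the upgrade.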
Notes on use
- Do not edit /etc/crypto-policies/back-ends directly. The files in this directory are overwritten whenever the update-crypto-policies command is run or the package is updated. In particular, by default they are symbolic links pointing at files under /usr/share/crypto-policies/, and they are not intended to be edited by administrators. If you have edited them by mistake, reinstalling the package with yum reinstall crypto-policies restores the originals.
Using the latest version is recommended
- Besides what was introduced here, crypto-policies is extended at each RHEL minor release, for example with extensions to the policy language. Always using the latest version is recommended.
- There is no consolidated documentation of the changes, but you can check the package's update history with rpm -q --changelog crypto-policies.