Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 10 release.

keylime-agent-rust Released at Version 0.2.7

keylime-agent-rust version 0.2.7 is a Rust-based implementation of the Keylime agent. The Rust programming language focuses on safety, concurrency, and performance. The Keylime agent provides system integrity monitoring within the Keylime framework. This release includes the following improvements:
  • Initial Device Identity (IDevID) and Initial Attestation Key (IAK) are available for device identity. This includes the following options:
    • enable_iak_idevid: (default: false) Enables the use of IDevID and IAK certificates to identify the device.
    • iak_idevid_template: (default: detect) Specifies the template that sets the algorithms to be used for IDevID and IAK (defined in TPM 2.0 Keys for Identity and Attestation, section 7.3.4). The detect keyword sets the template according to the algorithms used in the configured certificates.
    • iak_idevid_name_alg: (default: sha256) Specifies the digest algorithm used in IDevID and IAK. Used only if the iak_idevid_template option is not set as detect.
    • iak_idevid_asymmetric_alg: (default: rsa) Specifies the signing algorithm used in IDevID and IAK. Used only if the iak_idevid_template option is not set as detect.
    • iak_cert: (default: default) Specifies the path to the file that contains the X509 IAK certificate. The default path is /var/lib/keylime/iak-cert.crt.
    • idevid_cert: (default: default) Specifies the path to the file that contains the X509 IDevID certificate. The default path is /var/lib/keylime/idevid-cert.crt.
  • Configurable IMA and measured boot event log locations are supported by using the new ima_ml_path and measuredboot_ml_path configuration options.
  • Local DNS name, local IP, and configured contact IP are included as part of the Subject Alternative Name of the generated self-signed X509 certificate.
  • IPv6 addresses with or without brackets are supported in the registrar_ip configuration option.
  • Hexadecimal encoded values are supported in the tpm_ownerpassword configuration option.
  • TLS 1.3 is enabled in connections to the agent.
  • API modularity and multiversion support.
  • Enhanced configuration, such as hostnames in addition to IP addresses, and modular configuration.

Libreswan Released at Version 5.2

IKEv2 Enhancements

  • Added PPK in INTERMEDIATE exchange and initial RFC 5723 IKE_SESSION_RESUME support. Fixed crash in ipsec rereadsecrets.
  • Fixed race conditions in rekey requests and improved logging for IKE_AUTH and invalid payloads.
  • Supported addresspool=v4/mask,v6/mask and subnet=SELECTOR,... with single Child SA. Fixed NATed endpoint updates and IKE_AUTH revival.

IKEv1 Changes

  • Removed SOFTREMOTE_CLIENT_WORKAROUND, fixed reconnect and padding issues, updated ikepad= options.
  • Added ah=sha2{256,512} and DH29, DH31 to proposals. Fixed Quick mode and ISAKMP deletion issues.
  • Disabled by default (ikev1-policy=drop, RFC 9395), limited cryptosuite, removed Labeled IPsec.
  • Set default ESP/AH proposals, rejected invalid ESP proposals.

IPsec Interface

  • Added support for FreeBSD, NetBSD, OpenBSD, and ipsec-interface-managed=no for namespaces.
  • Fixed Linux IPsec Interface address handling and supported FreeBSD/OpenBSD interfaces.
  • Added XFRM interface IP management with ref-counting, fixed IPcomp.

Linux Kernel Support

  • Supported packet offload counters (kernel 6.7+), added IPTFS (RFC 9347), and adjusted SA settings for kernel 6.10+.
  • Handled NLMSG_DONE for kernels > 6.9.0, fixed TCP connection hangs.
  • Added HW packet offload support.

Security Fixes

  • Fixed CVE-2024-3652.
  • Fixed CVE-2024-2357.
  • Fixed CVE-2023-38710, CVE-2023-38711, CVE-2023-38712 for IKEv1/IKEv2, and IPcomp crash.

Configuration and Utilities

  • Fixed ipsec add performance with protoports.
  • Improved ipsec.conf comment handling, added --narrowing options.
  • Updated ipsec.conf.5, added encap-dscp=, interface-ip=, ppk-ids=, and experimental debug=. Deprecated ipsec auto and moved scripts to contrib/.

Building and Testing

  • Fixed builds for OpenBSD 7.6, GCC 15/C23, and Alpine. Updated testing for OpenBSD 7.6, NetBSD 10.1, FreeBSD 14.2, Alpine 3.21.
  • Removed libxz dependency, added Alpine/Debian/NetBSD/FreeBSD to nightly builds, improved install options.

For the full changelog, see https://download.libreswan.org/CHANGES.

Libreswan Improved Adding Connection Speed

Libreswan is updated to resolve a significant performance issue when adding a large number of connections defined in the ipsec.conf configuration file. In an example configuration where 1000 connection entries were specified, it took 30 minutes to complete processing of the configuration, because the full configuration file was parsed for each connection added and the resource intensive getservbyname() function was called each time.

The latest libreswan update optimizes performance by bypassing the getservbyname() function for numbered connections and delegating the validation of existing connections to the pluto daemon. This enhancement reduces the loading times associated with large configuration files with many defined connections.

OpenSSH Released at Version 9.9

Oracle Linux 10 now includes OpenSSH version 9.9, upgrading from version 8.7 in Oracle Linux 9. This brings many security and usability improvements. Key changes include:

  • Key and Agent Security: New restrictions on forwarding and using keys with ssh-agent, enhancing security.
  • Improved FIDO Support: Better handling of hardware keys, fewer unnecessary PIN prompts, and safeguards to avoid overwriting credentials.
  • New Features:
    • EnableEscapeCommandline lets users access escape commands during sessions.
    • ChannelTimeout allows automatic closing of inactive SSH channels.
    • ssh-keygen now creates Ed25519 keys by default (RSA in FIPS mode).
  • Keystroke Obfuscation: The SSH client can obscure keystroke timing to prevent side-channel attacks.
  • Removed/Updated Components: DSA key support, pam-ssh-agent, and some tools are removed or moved.
  • Security Enhancements:
    • sshd now blocks and penalizes problematic client addresses.
    • Splitting sshd into listener and session binaries for better security.
    • Improved compatibility with PKCS #11 and overall hardening.
  • Post-Quantum Cryptography (Preview): Initial support for new cryptographic algorithms that resist quantum attacks.

These changes make SSH connections in Oracle Linux 10 more secure, easier to manage, and ready for future security challenges. For full technical details, see the openssh-9.9p1/ChangeLog file.
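The following is an added example, not code from the Oracle release notes or the OpenSSH project. It writes a server drop-in and a client drop-in that use the directives named above (PerSourcePenalties and PerSourcePenaltyExemptList for the client-address penalties, ChannelTimeout for inactive channels, ObscureKeystrokeTiming and EnableEscapeCommandline on the client) and includes a small check that a configuration tree actually sets the two server-side directives. The drop-in file names, the 30-minute timeout, the penalty values and the exempt network are assumptions chosen for illustration.

```shell
# Added example (not from the release notes or OpenSSH): hardening drop-ins
# using OpenSSH 9.9 directives, plus a presence check for the server ones.
# File names, timeouts, penalty values and the exempt network are assumptions.

# Server-side drop-in. PerSourcePenalties (9.8) refuses connections from
# addresses that accumulate failures; ChannelTimeout (9.2) closes idle channels.
write_sshd_dropin() {
    cat > "$1" <<'EOF'
# constructed drop-in, assumed path /etc/ssh/sshd_config.d/40-penalties.conf
# authfail:10 adds 10 s per failed authentication, crash:90 adds 90 s when
# sshd-session dies unexpectedly; the total is capped at max:1800 s and a
# source is refused only while its accumulated penalty is above min:15 s.
PerSourcePenalties authfail:10 noauth:1 crash:90 grace-exceeded:10 max:1800 min:15
# never penalise the management network (constructed range)
PerSourcePenaltyExemptList 192.0.2.0/24
# close idle sessions and idle port forwards after 30 minutes
ChannelTimeout session:*=30m direct-tcpip=30m forwarded-tcpip=30m
EOF
}

# Client-side drop-in for the two ssh_config options discussed above.
write_ssh_client_dropin() {
    cat > "$1" <<'EOF'
# constructed drop-in, assumed path /etc/ssh/ssh_config.d/40-hardening.conf
Host *
    # send chaff packets so inter-keystroke timing is hidden on the wire (9.5)
    ObscureKeystrokeTiming yes
    # keep the ~C escape command line disabled so a session cannot add port forwards
    EnableEscapeCommandline no
EOF
}

# Print the server directives missing from the given sshd_config files
# (directive names are case-insensitive); return 1 if any is missing.
sshd_missing_directives() {
    missing=""
    for d in PerSourcePenalties ChannelTimeout; do
        cat "$@" 2>/dev/null | grep -Eiq "^[[:space:]]*$d[[:space:]]" ||
            missing="$missing $d"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

demo=$(mktemp -d)
write_sshd_dropin "$demo/40-penalties.conf"
write_ssh_client_dropin "$demo/40-hardening.conf"
sshd_missing_directives "$demo/40-penalties.conf" >/dev/null &&
    echo "both server directives present"
rm -rf "$demo"
# On a real host, validate the merged configuration before restarting sshd:
#   sshd -t -f /etc/ssh/sshd_config
```

The presence check only tells you that a directive is set somewhere in the tree; the effective value after all drop-ins are merged is what sshd -T prints, so use that to confirm the result on a live system.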

libkcapi Released at Version 1.5.0

libkcapi version 1.5.0 provides various improvements including:
  • The sha* applications in libkcapi are removed and replaced with a single application called kcapi-hasher. Symlinks to kcapi-hasher with the same names as the original sha* applications are added to the libexec directory, and symlinks to the sha*hmac applications are added to the bin directory.
  • The sha3sum command, which prints checksums of files that use sha3, is added.
  • The kcapi_md_sha3_* wrapper APIs are added.

p11-kit Released at Version 0.25.5

The p11-kit packages are provided in version 0.25.5 in Oracle Linux 10. This version provides enhancements and fixes over the previous version, most importantly, the following:
  • Recursive attributes can be used with the p11-kit RPC protocol.
  • A function to check runtime version of the library is added.
  • Version information is no longer accessible through macros.
  • With the new --id option, you can assign an ID to key pairs generated with the generate-keypair command or imported with the import-object command.
  • With the new --provider option, you can specify a PKCS #11 module when using p11-kit commands.
  • Fixed a bug in p11-kit where the EdDSA mechanism wasn't recognized in generate-keypair.
  • p11-kit falls back to the C_GetFunctionList function when the C_GetInterface function isn't supported.

setools Released at Version 4.5.0

setools version 4.5.0 provides the following improvements:
  • Graphical results for information flow analysis and domain transition analysis are added to the apol, sedta, and seinfoflow tools.
  • Tooltips and detail popups in apol are added to help cross-referencing query and analyzing results along with context-sensitive help.

NSS Released at Version 3.101

The NSS cryptographic toolkit packages are released at version 3.101 to provide many bug fixes and enhancements, including an important fix to prevent RSA certificates with keys shorter than 2048 bits from working, in accordance with the system-wide cryptographic policy.

  • PBMAC1 is now available (RFC 9579) for stronger password-based protection in PKCS #12 files, enhancing security for key and certificate management.

  • libpkix is now the default certificate validator, ensuring strict RFC 5280 compliance for X.509 certificate validation.

  • RSA certificates with keys shorter than 2048 bits stopped working, aligning with system-wide cryptographic policies for stronger security.

gnutls Released at Version 3.8.9

The gnutls packages in version 3.8.9 include various non-backward-compatible, security-related changes, such as the enhanced handling of Online Certificate Status Protocol (OCSP) responses.

Additionally, the validation process for OCSP responses is strengthened to check all records in an OCSP response until it finds a match for the server certificate, rather than only the first one. In FIPS mode, the minimum RSA key size required for verification to be considered approved is raised to 2048 bits, enhancing the security posture.

Other notable changes include:

  • Certificate compression in TLS is available (RFC 8879).
  • Optimal Asymmetric Encryption Padding scheme (RSA-OAEP) is available (RFC 8017).
  • API for incremental calculation of SHAKE hashes of arbitrary length across multiple calls is added.
  • RSA encryption and decryption with PKCS #1 v1.5 padding is deprecated and disallowed by default.
  • In FIPS mode, gnutls now defaults to exporting PKCS #12 files with Password-Based Message Authentication Code 1 (PBMAC1) as defined in RFC 9579. If you need interoperability with systems running in FIPS mode, use PBMAC1 explicitly.

clevis Released at Version 21

clevis version 21 includes the following changes:

  • The new clevis-pin-pkcs11 subpackage provides the necessary PIN functionality for PKCS #11 devices. This allows users to securely unlock LUKS-encrypted volumes using a smart card, thereby enhancing the security of their encrypted data.

  • Two new checks into the clevis-udisks2 subpackage improve the reliability and functionality of Clevis. These checks are designed to ensure smoother operation and better error handling when working with LUKS-encrypted volumes in conjunction with udisks2.

  • A critical issue that was causing "Address in use" errors is fixed. This enhancement ensures that users can rely on Clevis for secure and automated decryption of their encrypted volumes without interruptions.

  • Increased security by fixing potential problems reported by static analyzer tools in the clevis luks command, udisks2 integration, and the Shamir’s Secret Sharing (SSS) thresholding scheme.
  • Password generation now uses the jose utility instead of pwmake. This ensures enough entropy for passwords generated during the Clevis binding step.

jose Released at Version 14

jose version 14 is a C-language implementation of the JavaScript Object Signing and Encryption (JOSE) standards. It includes tools for handling various cryptographic operations such as signing, encryption, and verification for JSON Web Tokens (JWT), JSON Web Signatures (JWS), and JSON Web Encryption (JWE). Changes include the following:
  • Improved bound checks for the len function for the oct JSON Web Key (JWK) Type in OpenSSL, as a fix to an error reported by the Static Application Security Testing (SAST) process.
  • The protected JWE headers no longer contain zip.
  • Avoids potential DoS attacks using high decompression chunks.

openCryptoki Released at Version 3.24.0

openCryptoki version 3.24.0 is an implementation of the PKCS#11 API, enabling applications to use cryptographic tokens for secure operations such as encryption, decryption, and key management. This version includes the following changes:
  • RSA-OAEP encryption and decryption work with the SHA-224, SHA-384, and SHA-512 hash functions.

  • PKCS #11 v3.0 SHA-3 mechanisms are available, ensuring compliance with the latest industry standards.

  • SHA-2 mechanisms and SHA-based key derivation mechanisms are available.

  • Tokens can be protected with a token-specific user group.

SELinux Userspace Component Updated in Version 3.8

SELinux userspace components in version 3.8 include the following updates and changes:
  • New audit2allow -C option for the CIL output mode.

  • The sepolgen utility is adjusted to parse refpolicy modules.

  • The semanage utility can change records on add.

  • The semanage utility no longer sorts local fcontext definitions.

  • The checkpolicy program includes the CIDR notation for nodecon statements.

  • The SELinux sandbox utility includes the Wayland display protocol.

  • Several performance enhancements, including updates to the selabel_lookup call.

  • The binary file_contexts.bin file format is changed in SELinux 3.8 for optimization. The file is part of the SELinux policy and contains mappings between file paths and their associated SELinux contexts. You can re-create the file in the correct format by rebuilding the policy.

polkit Released at Version 125

polkit version 125 is a tool for controlling system-wide privileges allowing unprivileged processes to communicate with privileged ones in a controlled manner, enhancing security by centralizing policy decisions. Changes in this version include:
  • A tmpfiles.d file is used to store configuration in the /etc/polkit-1 directory.

  • Adopting more granular syslog-style log levels.

  • Improved logging control with the LogControl protocol.

  • Improved control over log verbosity in logs and in the journal. This enhancement addresses the requirement to log every loaded .rules file for debug purposes, preventing the journal from being flooded with unnecessary information.

  • Log-level control in the polkit.service unit. The polkit.service unit file passes a new --log-level=<level> parameter to the polkitd daemon. By default this parameter is set to --log-level=err, logging only error messages. If the --log-level parameter is omitted, only critical messages are logged.
  • Better handling of accidental or intentional removal of the /etc/polkit-1/ directory or subdirectories. polkit can automatically re-create the required /etc/polkit-1/ subdirectories upon the next boot, and no longer requires a full reinstall to restore missing configuration directories.

SCAP Security Guide Released at Version 0.1.76

The SCAP Security Guide (SSG) packages are released at version 0.1.76.

OpenSCAP Released at Version 1.4.1

The OpenSCAP packages are released at version 1.4.1. Notable features and changes include:

  • The oscap info subcommand no longer prints SCAP source data stream component references.

  • Fixed error when applying tailoring on DISA SCAP content caused by incorrect xlink namespace processing.

  • Introduces the ability to generate kickstart files for unattended operating system installation by running:

    oscap xccdf generate fix --fix-type kickstart

See the OpenSCAP release notes for more information.

libssh Released at Version 0.11.1

The libssh SSH library is released at version 0.11.1, with new functionalities such as improved asynchronous SFTP IO, PKCS #11 provider for OpenSSL 3.0, testing for GSSAPI authentication, and proxy jump capabilities.

OpenSC Released at Version 0.26.1

The opensc packages are released at version 0.26.1. This update includes several security-related enhancements and bug fixes, notably addressing time side-channel leakage related to RSA PKCS #1 v1.5 padding removal after decryption. It also introduces unified OpenSSL logging, improving the overall logging consistency.

The pkcs11-tool utility now includes various cryptographic mechanisms, including HKDF, RSA OAEP encryption, AES GCM, and AES GMAC. Furthermore, several CVEs related to uninitialized memory problems are addressed, such as CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618, CVE-2024-45619, and CVE-2024-45620.

Other notable fixes in this update include resolving issues with allocations of aligned memory that were causing malfunctions in the Chromium web browser, and improving the reading of certificates in the TeleSec Chipcard Operating System (TCOS) card driver.

Rsyslog Released at Version 8.2412.0

The rsyslog packages are released at version 8.2412.0.

In this version, you can bind a ruleset to the imjournal module, allowing for early filtering and processing of log messages at the input stage. This optimization reduces the load on the main message queue, resulting in more efficient handling of large log volumes and minimizing resource usage.
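The following is an added example, not from the Oracle release notes or the rsyslog project, of the input-stage filtering described above: imjournal is bound to a ruleset that writes sshd and sudo messages to their own file, drops debug-severity noise before it reaches the main queue, and hands everything else to the default ruleset. The ruleset parameter name on imjournal, the file paths, the program names and the call to RSYSLOG_DefaultRuleset are assumptions; a helper validates the file with rsyslogd -N1 when that binary is available and reports 77 (skipped) otherwise.

```shell
# Added example (not from the release notes or rsyslog): bind imjournal to a
# ruleset so filtering happens at the input stage. Parameter name "ruleset",
# paths, program names and "call RSYSLOG_DefaultRuleset" are assumptions.

# Write the configuration fragment to the given path.
write_imjournal_ruleset_conf() {
    cat > "$1" <<'EOF'
# constructed fragment, assumed path /etc/rsyslog.d/10-journal-early.conf
# Replace the existing module(load="imjournal" ...) line in /etc/rsyslog.conf
# with this one: a module may be loaded only once.
module(load="imjournal" ruleset="journal_early")

ruleset(name="journal_early") {
    # authentication-relevant programs: keep a dedicated copy, then continue
    if ($programname == "sshd" or $programname == "sudo") then {
        action(type="omfile" file="/var/log/auth-early.log")
        call RSYSLOG_DefaultRuleset
        stop
    }
    # debug-level (severity 7) messages are discarded before being queued
    if $syslogseverity >= 7 then stop
    # everything else follows the normal rules in /etc/rsyslog.conf
    call RSYSLOG_DefaultRuleset
}
EOF
}

# Syntax-check a fragment with rsyslogd's dry run; 77 means rsyslogd is absent.
check_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || return 77
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

demo=$(mktemp -d)
write_imjournal_ruleset_conf "$demo/10-journal-early.conf"
check_rsyslog_conf "$demo/10-journal-early.conf" && echo "fragment parses"
rm -rf "$demo"
```

Because the ruleset runs in imjournal's input thread, messages it stops never enter the main queue, which is where the resource saving the release note describes comes from; keep the checks in the ruleset cheap for the same reason.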

setroubleshoot Released at Version 3.3.35

The setroubleshoot packages are released at version 3.3.35.

AppStream metadata is corrected to address previously broken data. The paths of used icons are updated to reflect recent changes to file paths.

Keylime Released at Version 7.12

The Keylime packages are released at version 7.12.

The new keylime-policy tool merges the management of Keylime runtime policies and measured boot policies, and also improves policy generation performance. The verifier and tenant components of Keylime no longer require payloads for the agent component, simplifying their operation.

nettle Library Released at Version 3.10.1

The nettle library package is released at version 3.10.1.

This update includes several key enhancements and changes:

  • Performance improvements for certain cryptographic operations.
  • The addition of DRBG-CTR-AES256, a new deterministic random-bit generator.
  • The introduction of RSA-OAEP, an RSA encryption/decryption method that uses a new OAEP padding scheme.
  • The inclusion of SHAKE-128, an arbitrary-length hash function from the SHA-3 family.
  • A streaming API for SHAKE-128 and SHAKE-256.
  • The removal of the MD5 assembly, which might result in a slight performance impact.

For more information, see the upstream information on https://git.lysator.liu.se/nettle/nettle/-/blob/master/NEWS?ref_type=heads.

OpenSSL pkcs11-provider Hardware Tokens

pkcs11-provider is an OpenSSL provider used with hardware tokens in applications such as httpd, libssh, bind, and others. It also supports asymmetric private keys stored in an HSM, smart card, or other token for which a PKCS #11 driver is available. This provider replaces the openssl-pkcs11 engine.

pkcs11-provider New Custom Configurations

The pkcs11-provider gives OpenSSL programs direct access to hardware tokens through pkcs11 URIs. Upon installation, the provider is automatically enabled and, by default, loads the tokens detected by the pcscd daemon through the p11-kit driver. Therefore, after installing the package you can use any token available to the system by passing a key URI in the pkcs11 URI format to an application that supports that format, without further changes to the OpenSSL configuration. Uninstalling the package also removes the OpenSSL configuration snippet, which prevents errors when OpenSSL parses its configuration files.

/var/run = /run in SELinux Policy

The /run = /var/run file context equivalency is now /var/run = /run to match the actual file system state and to prevent some userspace tools from reporting an error. SELinux policy sources are updated with this change. If you have any custom modules that contain file specification for files in /var/run, change them to /run.
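The following is an added example, not from the Oracle release notes, of the change the paragraph asks for: it rewrites the path column of custom file-context (.fc) sources from /var/run to /run and then rebuilds the module. The module name "mymod", its types and the sample .fc content are constructed for illustration.

```shell
# Added example (not from the release notes): migrate custom SELinux .fc
# specs from /var/run to /run. Module name and sample spec are constructed.

# Print the rewritten spec on stdout. Only a leading /var/run in the path
# column is touched (followed by "/", "(", whitespace or end of line), so
# comments and the context column are left alone.
rewrite_fc_var_run() {
    sed -E 's#^/var/run(/|\(|[[:space:]]|$)#/run\1#' "$1"
}

# Rewrite every .fc file in a module source directory in place.
migrate_fc_dir() {
    for f in "$1"/*.fc; do
        [ -e "$f" ] || continue
        rewrite_fc_var_run "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

demo=$(mktemp -d)
cat > "$demo/mymod.fc" <<'EOF'
# constructed file-context spec for a hypothetical daemon "mymod"
/var/run/mymod(/.*)?        gen_context(system_u:object_r:mymod_var_run_t,s0)
/var/run/mymod\.pid    --   gen_context(system_u:object_r:mymod_var_run_t,s0)
/usr/sbin/mymod        --   gen_context(system_u:object_r:mymod_exec_t,s0)
EOF
migrate_fc_dir "$demo"
cat "$demo/mymod.fc"
rm -rf "$demo"
# After rewriting the sources, rebuild and reload the module and relabel:
#   make -f /usr/share/selinux/devel/Makefile mymod.pp
#   semodule -i mymod.pp
#   restorecon -Rv /run/mymod
```

Run matchpathcon /run/mymod afterwards to confirm the new spec is the one that wins; with the reversed equivalence, a spec still written as /var/run no longer maps onto the files that actually live under /run.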

Stricter SSH Host Key Permissions

Host keys now have the stricter 0600 permissions by default. The ssh-keysign utility now uses the SUID bit instead of the SGID bit. The ssh_keys group, which owned all SSH keys, is removed.
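The following is an added example, not from the Oracle release notes or the OpenSSH project, of checking a host against the new defaults: it lists host private keys that are not mode 0600 or not owned by the expected user, fixes the mode, and confirms that ssh-keysign carries the setuid bit rather than the old setgid bit. The default paths are the usual ones but are assumptions for a given system.

```shell
# Added example (not from the release notes or OpenSSH): audit host key
# permissions and the ssh-keysign setuid bit. Paths are assumptions.

# Print "mode owner path" for every host private key whose mode is not
# exactly 600 or whose owner is not the expected one; return 1 if any.
audit_host_keys() {
    dir="${1:-/etc/ssh}" want="${2:-root}" bad=0
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        mode=$(stat -c %a "$k") || return 2
        owner=$(stat -c %U "$k") || return 2
        if [ "$mode" != "600" ] || [ "$owner" != "$want" ]; then
            printf '%s %s %s\n' "$mode" "$owner" "$k"
            bad=1
        fi
    done
    return "$bad"
}

# Tighten the mode of every offender reported by the audit (run as root).
fix_host_key_modes() {
    audit_host_keys "$1" "$2" | while read -r mode owner path; do
        chmod 0600 "$path"
    done
}

# ssh-keysign must be setuid so host-based authentication can read 0600 keys;
# return 0 if the owner-execute slot shows "s", 1 if not, 2 if the file is missing.
keysign_is_setuid() {
    bin="${1:-/usr/libexec/openssh/ssh-keysign}"
    [ -f "$bin" ] || return 2
    case "$(stat -c %A "$bin")" in
        ???s*) return 0 ;;
        *)     return 1 ;;
    esac
}

audit_host_keys || echo "host keys above need attention"
keysign_is_setuid && echo "ssh-keysign is setuid"
```

A key that still carries group-readable permissions is the tell-tale of a file restored from a backup taken on an older release, where the ssh_keys group still existed; the audit catches that case as well as a wrong owner.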

pkeyutl Encapsulation and Decapsulation

pkeyutl is a utility that includes operations such as signing, verifying, encrypting, decrypting, and deriving shared secrets using public key algorithms. This utility now includes encapsulation and decapsulation cryptographic operations. The new post-quantum cryptographic (PQC) algorithm ML-KEM (FIPS 203) permits only encapsulation and decapsulation operations, and you can now use algorithms such as RSASVE and ML-KEM through pkeyutl.
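The following is an added example, not from the Oracle release notes or the OpenSSL project, of the encapsulation and decapsulation flow through pkeyutl: encapsulating against the public key produces a ciphertext and a shared secret, and decapsulating the ciphertext with the private key must reproduce the same secret. It runs the flow for ML-KEM-768 and, as the generalisation to the RSA case mentioned above, for RSASVE with the -kemop option. The function needs an OpenSSL build that lists the algorithm under openssl list -kem-algorithms (ML-KEM requires OpenSSL 3.5 or later) and returns 77 to signal "skipped" when it does not; the working directory and file names are assumptions.

```shell
# Added example (not from the release notes or OpenSSL): KEM round trip with
# pkeyutl. Returns 0 on success, 1 on failure, 77 when the algorithm is not
# available in the installed OpenSSL. Temporary file names are assumptions.
kem_roundtrip() {
    alg="${1:-ML-KEM-768}"          # key algorithm; "RSA" for RSASVE
    [ $# -gt 0 ] && shift           # remaining args go to pkeyutl, e.g. -kemop RSASVE
    openssl list -kem-algorithms 2>/dev/null | grep -q "$alg" || return 77
    w=$(mktemp -d) || return 1
    rc=1
    # 1. generate the key pair  2. encapsulate with the public key (writes the
    # ciphertext and the local copy of the secret)  3. decapsulate with the
    # private key  4. both secrets must be identical
    if openssl genpkey -algorithm "$alg" -out "$w/priv.pem" 2>/dev/null &&
       openssl pkey -in "$w/priv.pem" -pubout -out "$w/pub.pem" &&
       openssl pkeyutl -encap -inkey "$w/pub.pem" -pubin "$@" \
           -out "$w/ct.bin" -secret "$w/ss_enc.bin" &&
       openssl pkeyutl -decap -inkey "$w/priv.pem" "$@" \
           -in "$w/ct.bin" -secret "$w/ss_dec.bin" &&
       cmp -s "$w/ss_enc.bin" "$w/ss_dec.bin"; then
        printf '%s: %s-byte ciphertext, %s-byte shared secret, secrets match\n' \
            "$alg" "$(wc -c < "$w/ct.bin")" "$(wc -c < "$w/ss_enc.bin")"
        rc=0
    fi
    rm -rf "$w"
    return "$rc"
}

kem_roundtrip ML-KEM-768             # FIPS 203 sizes: 1088-byte ciphertext, 32-byte secret
kem_roundtrip RSA -kemop RSASVE      # RSA secret-value encapsulation with a 2048-bit key
```

The shared secret written by -secret is raw key material, so on a real system keep it in a private directory and feed it to a KDF rather than using it directly; the ciphertext is the only artefact that travels to the peer.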

OpenSSL New no-atexit Option

The new no-atexit option in OpenSSL disables the automatic cleanup of OpenSSL resources using the atexit() handler when a program completes. Using this option might cause the valgrind debugging tool to report one-time memory leaks of the resources allocated on OpenSSL startup.

OpenSSL FIPS-Compliant PKCS #12 Files

OpenSSL can now create FIPS-compliant PKCS #12 files according to RFC 9579.

GnuTLS Certificate Compression

You can use GnuTLS to compress client and server certificates based on the RFC 8879 standard with the zlib, brotli, or zstd compression algorithms. Both the client and server side must use the same library. Compression reduces the size of the certificate data transmitted.

DEFAULT Cryptographic Policy Includes New Scopes

crypto-policies includes the following new scopes in the DEFAULT system-wide cryptographic policy:
  • @pkcs12
  • @pkcs12-legacy
  • @smime
  • @smime-legacy
The selection of cryptographic algorithms used for PKCS #12 and S/MIME when Network Security Services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges:
cipher@pkcs12 = AES-256-CBC AES-128-CBC
cipher@pkcs12-import = 3DES-CBC+ RC2-CBC+
cipher@smime = AES-256-CBC AES-128-CBC 3DES-CBC
cipher@smime-import = RC2-CBC+
hash@{pkcs12,smime} = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 \
	SHA2-224 SHA3-224
hash@{pkcs12-import,smime} = SHA1+
key_exchange@smime = RSA DH ECDH

The LEGACY cryptographic policy uses a less strict selection of ciphers, hashes, and key exchanges than the DEFAULT policy, whereas the FUTURE policy is stricter. As a result, you can customize the algorithms used in NSS for importing and exporting PKCS #12 files and S/MIME encryption and decryption. NSS is currently the only cryptographic library linked to the newly offered scopes.

FIPS Mode OpenSSH Generates RSA Keys by Default

The ssh-keygen utility in OpenSSH by default generates ed25519 keys in non-FIPS mode and RSA keys in FIPS mode.

NSS FIPS-Compliant PKCS #12 Files

NSS can now create FIPS-compliant PKCS #12 files according to RFC 9579.

Support for Password-Based Message Authentication Code 1 (PBMAC1) in PKCS #12 files, as defined in RFC 9579, is added to Network Security Services (NSS). NSS can now read any .p12 file that uses RFC 9579 and can generate RFC 9579-compliant message authentication codes (MACs) when requested by the user. For compatibility, NSS generates the old MACs by default when not in FIPS mode. For more information on generating the new MACs, see the pk12util(1) man page.

New SELinux Policy libvirt Services Rules

New SELinux types related to the libvirt services are added to the SELinux policy:
  • virt_dbus_t
  • virt_hook_unconfined_t
  • virt_qmf_t
  • virtinterfaced_t
  • virtnetworkd_t
  • virtnodedevd_t
  • virtnwfilterd_t
  • virtproxyd_t
  • virtqemud_t
  • virtsecretd_t
  • virtstoraged_t
  • virtvboxd_t
  • virtvzd_t
  • virtxend_t

SELinux Policy Confinement for More Services

The SELinux policy includes new rules to further confine certain systemd services. The services now confined include iio-sensor-proxy, samba-bgqd, tlshd, gnome-remote-desktop, and pcm-sensor-server.

With these changes, these services are no longer running with the unconfined_service_t SELinux label, which was in violation of the CIS Server Level 2 benchmark rule: Ensure No Daemons are Unconfined by SELinux. With the new confinement in place, these services can now run successfully in SELinux enforcing mode.

dmesg Hardening for Administrator Privileges

Administrator privileges are required to run the dmesg command. This update hardens the system against unrestricted access to sensitive information about the system. Use the sudo command to gain administrator privileges when running dmesg.

Flatpak Applications can now use Smart Card Functionality (opensc)

The opensc packages are now divided into the opensc and opensc-libs subpackages so that Flatpak applications can use smart card functionality.

tpm2-openssl New Package

The new tpm2-openssl package includes a Trusted Platform Module (TPM) 2.0 provider for the OpenSSL TLS toolkit. You can now use cryptographic keys stored in a TPM 2.0 chip with the OpenSSL API, enhancing the integration of TPM 2.0 capabilities with OpenSSL-based applications.

Enhanced Audit Event Filtering and Forwarding

You can use the new audisp-filter plugin to suppress specific Audit events based on custom ausearch expressions, reducing unnecessary output to downstream plugins. By acting as an intermediary between Audit and other plugins, audisp-filter selectively filters out certain events and forwards only those that match the rules defined in its configuration file.

Use this capability for targeted filtering of Audit events with either allowlist or blocklist modes, where each plugin uses audisp-filter to specify its own configuration file containing matching rules. A common application of this feature is to exclude unnecessary or irrelevant Audit events, forwarding only significant ones to the syslog plugin for logging, thus making Audit logs more manageable.

Optimized SELinux Policy Packaging for EPEL

The SELinux policy modules that are only related to packages found in the Extra Packages for Enterprise Linux (EPEL) repository, and not associated with any Oracle Linux package, are moved from the selinux-policy package to a new package called selinux-policy-epel. This reorganization results in a more streamlined selinux-policy package, leading to improved performance in operations such as rebuilding and loading the SELinux policy.

Group Merging Added in authselect

To use the authselect utility for group merging, enable it in the authselect profiles. You no longer need to manually edit the nsswitch.conf file to enable group merging.

authselect Is a Required Component of PAM

The authselect-libs package is now mandatory and can't be removed, because it's a dependency of the pam package. authselect-libs now takes ownership of several key configuration files, including /etc/nsswitch.conf and various PAM configuration files in /etc/pam.d/, such as system-auth, password-auth, smartcard-auth, fingerprint-auth, and postlogin. These files were managed by other packages, including glibc and pam.

When upgrading from a previous Oracle Linux version:
  • If an existing authselect configuration is detected, authselect apply-changes automatically updates it to the latest version.
  • If no authselect configuration exists, no changes are made.
  • On systems managed by authselect, non-authselect configurations are overwritten without prompting during the next authselect call.
  • To maintain a custom configuration, create a custom authselect profile and manually update it to ensure it remains compatible with the system.
To stop using authselect, opt out by running the command:
# authselect opt-out

authselect Local Profile Replaces SSSD Files Provider

The authselect local profile replaces the SSSD files provider when handling local user management. The local profile replaces the previous minimal profile and becomes the default authselect profile for new installations instead of the SSSD profile.

The authselect utility automatically migrates existing configurations from minimal to local profile during an upgrade.

The authselect profile no longer includes the with-files-domain and with-files-access-provider options. If you relied on these options, update the SSSD configuration to use the proxy provider instead of the files provider.

The sssd profile now includes the --with-tlog option, which enables session recording for users managed by SSSD.

New SSSD exop_force Option

With the exop_force option, you can force a password change in the following scenarios:

  • When no grace logins remain on the LDAP server.
  • The SSSD service attempts to change the password even if the LDAP server indicates that no grace logins remain.

To use this feature, configure the following setting in the sssd.conf file:

  • Set ldap_pwmodify_mode = exop_force in the [domain/…] section.

SSSD can Run With Reduced Privileges

To enhance system security, the System Security Services Daemon (SSSD) can run as the sssd or root user through the systemd service configuration. The default is the sssd user. All root capabilities are dropped for the SSSD service except for a few privileged helper processes.

Note:

Ensure that the sssd.conf configuration file is owned by the same user that runs the SSSD service, which is sssd by default. If the configuration file is created manually or with tools like Ansible, set the ownership to sssd:sssd with the chown command if it was initially created by root.
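The following is an added example, not from the Oracle release notes or the SSSD project, that covers the two preceding items together: it sets ldap_pwmodify_mode = exop_force inside the [domain/…] section of an sssd.conf without touching other sections (and without duplicating the key on a second run), and it checks that the resulting file is owned by the user running SSSD with mode 0600. The domain name example.com, the sample configuration and the ini_set helper are constructed for illustration.

```shell
# Added example (not from the release notes or SSSD): set exop_force in one
# [domain/...] section and verify sssd.conf ownership. The helper, the domain
# name and the sample configuration are constructed.

# Insert or replace "key = value" inside one [section] of an INI-style file
# and print the result on stdout; other sections are left untouched.
ini_set() {
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
        function flush() { if (in_sec && !done) { print key " = " val; done = 1 } }
        /^[[:space:]]*\[/ { flush(); in_sec = ($0 == sec); if (in_sec) done = 0 }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END { flush() }
    ' "$1"
}

# Apply exop_force to the given domain in place, keeping the file mode 0600.
set_exop_force() {
    conf="$1" domain="$2" tmp="$1.tmp.$$"
    ini_set "$conf" "domain/$domain" ldap_pwmodify_mode exop_force > "$tmp" &&
        chmod 0600 "$tmp" && mv "$tmp" "$conf"
}

# Return 0 when the file is owned by the SSSD service user (sssd by default)
# and is mode 0600; otherwise describe the problem on stderr and return 1.
sssd_conf_owner_ok() {
    conf="$1" user="${2:-sssd}"
    owner=$(stat -c %U "$conf") && mode=$(stat -c %a "$conf") || return 1
    [ "$owner" = "$user" ] && [ "$mode" = "600" ] && return 0
    printf '%s: owner %s mode %s, expected owner %s mode 600\n' \
        "$conf" "$owner" "$mode" "$user" >&2
    return 1
}

demo=$(mktemp -d)
cat > "$demo/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_pwmodify_mode = exop

[pam]
EOF
set_exop_force "$demo/sssd.conf" example.com
cat "$demo/sssd.conf"
sssd_conf_owner_ok "$demo/sssd.conf" "$(id -un)" && echo "ownership and mode ok"
rm -rf "$demo"
# On a real host, run as root and then fix ownership for the service user:
#   set_exop_force /etc/sssd/sssd.conf example.com
#   chown sssd:sssd /etc/sssd/sssd.conf && systemctl restart sssd
```

The ownership check is the one that catches configuration written by an automation tool running as root: the file looks correct but SSSD, running as sssd, cannot read it and fails to start.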

KnownHostsCommand Added to SSSD

SSSD includes KnownHostsCommand in SSH configurations so that users can fetch host public keys from servers like FreeIPA or LDAP using the sss_ssh_knownhosts tool. This new tool replaces the older sss_ssh_knownhostsproxy tool. A message now indicates that sss_ssh_knownhostsproxy is obsolete.