Vulnerability Discussion
The key derivation function (KDF) in Kerberos is not FIPS compatible.
Overriding the system-wide crypto policy with a local Kerberos configuration makes Kerberos behave differently from what the policy promises, and fragments system configuration across several files that must be audited separately.
Check
Verify that the Kerberos back-end file is a symlink and that it targets the FIPS Kerberos crypto policy, with the following command:
$ file /etc/crypto-policies/back-ends/krb5.config
/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt
If the symlink does not exist, if the path is a regular file rather than a symlink (a local override), or if the symlink points to a different target, this is a finding.
Fix
Configure Kerberos to use the system-wide crypto policy.
Create a symlink in the Kerberos back-end directory that points to the system crypto policy, using the following command (ln takes the target first and the link name second; -f replaces a stale link or a local override file if one already exists at that path):
$ ln -sf /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config
These back-end symlinks are normally written by update-crypto-policies, which regenerates them whenever the system policy is set, so a manual link is only a stopgap until the FIPS policy is applied system-wide.
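The check and the fix above, combined into one audit-and-remediate script, as an added example that is not part of the STIG text. The function names, the command-line subcommands (check, fix) and the ability to override the link and target paths are assumptions made for this example so it can be exercised against a scratch directory; the default paths are the ones the check uses.

```shell
#!/bin/sh
# Added example (not STIG text): audit and optionally repair the symlink that
# makes Kerberos follow the system-wide crypto policy.

# Defaults match the paths in the check; both can be overridden for testing.
EXPECTED_TARGET="${EXPECTED_TARGET:-/usr/share/crypto-policies/FIPS/krb5.txt}"
LINK_PATH="${LINK_PATH:-/etc/crypto-policies/back-ends/krb5.config}"

# check_krb5_policy_link LINK EXPECTED
# Returns 0 only when LINK is a symlink whose literal target equals EXPECTED.
# Every other state is a finding: missing path, regular file (a local override
# that the crypto policy no longer controls), or a link to some other policy.
check_krb5_policy_link() {
    link="$1"; expected="$2"
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "FINDING: $link does not exist"
        return 1
    fi
    if [ ! -L "$link" ]; then
        echo "FINDING: $link is a regular file, not a symlink (local override)"
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$expected" ]; then
        echo "FINDING: $link -> $actual (expected $expected)"
        return 1
    fi
    echo "PASS: $link -> $actual"
    return 0
}

# fix_krb5_policy_link LINK EXPECTED
# Replaces whatever is at LINK with a symlink to EXPECTED. Note the argument
# order of ln: target first, link name second. -f removes an existing regular
# file or stale link so the command also repairs a wrong target.
fix_krb5_policy_link() {
    link="$1"; expected="$2"
    ln -sf "$expected" "$link" && echo "FIXED: $link -> $expected"
}

# Subcommands are an assumption of this example: "check" audits only,
# "fix" audits, repairs on a finding, and re-audits to confirm.
case "${1:-}" in
    check)
        check_krb5_policy_link "$LINK_PATH" "$EXPECTED_TARGET"
        ;;
    fix)
        if ! check_krb5_policy_link "$LINK_PATH" "$EXPECTED_TARGET"; then
            fix_krb5_policy_link "$LINK_PATH" "$EXPECTED_TARGET"
            check_krb5_policy_link "$LINK_PATH" "$EXPECTED_TARGET"
        fi
        ;;
esac
```

Run it as root with `check` during an audit and `fix` during remediation; the check compares the literal link text from readlink rather than a resolved path, so a link that reaches the FIPS file indirectly through another policy directory is still reported as a finding, matching the wording of the check.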