Chapter 53. Deprecated Functionality in Red Hat Enterprise Linux 7
Deprecated packages related to Identity Management
The following packages are deprecated and will not be included in a future major release of Red Hat Enterprise Linux:
Deprecated Packages | Proposed Replacement Package or Product |
---|---|
authconfig | authselect |
pam_pkcs11 | sssd [a] |
pam_krb5 | sssd [b] |
openldap-servers | Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [c] |
[a] System Security Services Daemon (SSSD) contains enhanced smart card functionality.
[b] For details on migrating from pam_krb5 to sssd, see How to migrate from pam_krb5 to SSSD Knowledgebase article on the Red Hat Customer Portal.
[c] Red Hat Directory Server requires a valid Directory Server subscription.
Deprecated Insecure Algorithms and Protocols
Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Enhancing the Security of the Operating System with Cryptography Changes in Red Hat Enterprise Linux 7.4 Knowledgebase article on the Red Hat Customer Portal for more information.
- Weak ciphers and algorithms are no longer used by default in OpenSSH
  With this update, the OpenSSH library removes several weak ciphers and algorithms from default configurations. However, backward compatibility is ensured in most cases.
  The following have been removed from the OpenSSH server and client:
  - Host key algorithms:
    - ssh-rsa-cert-v00@openssh.com
    - ssh-dss-cert-v00@openssh.com
  - Ciphers:
    - arcfour256
    - arcfour128
    - arcfour
    - rijndael-cbc@lysator.liu.se
  - MACs:
    - hmac-md5
    - hmac-md5-96
    - hmac-md5-96-etm@openssh.com
    - hmac-md5-etm@openssh.com
    - hmac-ripemd160
    - hmac-ripemd160-etm@openssh.com
    - hmac-ripemd160@openssh.com
    - hmac-sha1-96
    - hmac-sha1-96-etm@openssh.com
  The following have been removed from the OpenSSH client:
  - Ciphers:
    - blowfish-cbc
    - cast128-cbc
    - 3des-cbc
- OpenSSH no longer uses the SHA-1-based key exchange algorithms in FIPS mode
  This update removes the SHA-1-based key exchange algorithms from the default list in FIPS mode. To enable those algorithms, use the following configuration snippet for the ~/.ssh/config and /etc/ssh/sshd_config files:
      KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
- The SSH-1 protocol has been removed from the OpenSSH server
  SSH-1 protocol support has been removed from the OpenSSH server. For more information, see the The server-side SSH-1 protocol removal from RHEL 7.4 Knowledgebase article.
- MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL
  With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures has been removed.
  Additionally, the default algorithm for generating digital signatures has been changed from SHA-1 to SHA-256. The verification of SHA-1 signatures is still enabled for legacy purposes.
  The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:
      echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
  To add more than one legacy algorithm, use a comma or any whitespace character except for a new line. See the README.legacy-settings file in the OpenSSL package for more information.
  You can also enable MD5 verification by setting the OPENSSL_ENABLE_MD5_VERIFY environment variable.
- OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
  This update prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as Logjam.
  The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
      echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
  This option can also be used to raise the minimum if required by the system administrator.
- SSL 2.0 support has been completely removed from OpenSSL
  The SSL protocol version 2.0, which has been considered insecure for more than seven years, was deprecated by RFC 6176 in 2011. In Red Hat Enterprise Linux, support of SSL 2.0 was already disabled by default. With this update, SSL 2.0 support has been removed completely. The OpenSSL library API calls that use this protocol version now return an error message.
- EXPORT cipher suites in OpenSSL have been deprecated
  This change removes support for EXPORT cipher suites from the OpenSSL toolkit. Disabling these weak cipher suites ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as FREAK. EXPORT cipher suites are no longer required in any TLS protocol configurations.
- GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
  This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using GnuTLS are not susceptible to vulnerabilities, such as Logjam.
  In applications that accept a priority string from the user or configuration directly, this change can be reverted by appending the priority string %PROFILE_VERY_WEAK to the used priority string.
- NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
  This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using NSS are not susceptible to vulnerabilities, such as Logjam.
  The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel7.config policy configuration file to:
      library=
      name=Policy
      NSS=flags=policyOnly,moduleDB
      config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"
  Note that an empty line is required at the end of the file.
- EXPORT cipher suites in NSS have been deprecated
  This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites protects against vulnerabilities, such as FREAK. EXPORT cipher suites are not required in any TLS protocol configuration.
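
The following Python check is an added example, not part of the Red Hat release notes: it flags configuration that re-enables what this section removed, covering the OpenSSH directives and the /etc/pki/tls/legacy-settings options described above. The function names and sample inputs are constructed for illustration, and the legacy-settings parsing assumes only the comma-or-whitespace separator rule stated above.

```python
import re

# Algorithms this page lists as removed from OpenSSH defaults, keyed by directive.
# The last three ciphers are client-only; the SHA-1 key exchanges apply to FIPS mode.
REMOVED = {
    "hostkeyalgorithms": {"ssh-rsa-cert-v00@openssh.com", "ssh-dss-cert-v00@openssh.com"},
    "ciphers": {"arcfour256", "arcfour128", "arcfour", "rijndael-cbc@lysator.liu.se",
                "blowfish-cbc", "cast128-cbc", "3des-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-md5-96-etm@openssh.com",
             "hmac-md5-etm@openssh.com", "hmac-ripemd160",
             "hmac-ripemd160-etm@openssh.com", "hmac-ripemd160@openssh.com",
             "hmac-sha1-96", "hmac-sha1-96-etm@openssh.com"},
    "kexalgorithms": {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"},
}

def audit_ssh_config(text):
    """Return (line_no, directive, algorithm) for each removed algorithm re-enabled."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2 or parts[0].lower() not in REMOVED:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if value.startswith("-"):  # "-list" removes algorithms, it enables nothing
            continue
        for alg in value.lstrip("+^").split(","):
            if alg.strip() in REMOVED[key]:
                findings.append((no, key, alg.strip()))
    return findings

def audit_openssl_legacy(text):
    """Return (line_no, option, value) for each weakened setting in legacy-settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = [f for f in re.split(r"[,\s]+", raw.strip()) if f]
        if not fields:
            continue
        key, values = fields[0], fields[1:]
        if key == "LegacySigningMDs":
            findings += [(no, key, v.lower()) for v in values]
        elif key == "MinimumDHBits" and values and values[0].isdigit():
            if int(values[0]) < 1024:  # below the floor this update enforces
                findings.append((no, key, values[0]))
    return findings

# Constructed sample inputs, not taken from a real host.
SAMPLE_SSHD = """# sshd_config
Ciphers aes128-ctr,arcfour256,3des-cbc
MACs -hmac-md5
KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""
SAMPLE_LEGACY = "LegacySigningMDs md5, md4\nMinimumDHBits 768\n"

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_SSHD) + audit_openssl_legacy(SAMPLE_LEGACY):
        print(finding)
```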
Legacy CA certificates removed from the ca-certificates package
Previously, to allow older versions of the GnuTLS, OpenSSL, and glib-networking libraries to remain compatible with the Public Key Infrastructure (PKI), the ca-certificates package included a set of legacy CA certificates with 1024-bit RSA keys as trusted by default.
Since Red Hat Enterprise Linux 7.4, updated versions of OpenSSL, GnuTLS, and glib-networking are available, which are able to correctly identify a replacement of root CA certificates. Trusting these legacy CA certificates is no longer required for public web PKI compatibility.
The legacy configuration mechanism, which could previously be used to disable the legacy CA certificates, is no longer supported; the list of legacy CA certificates has been changed to empty.
The ca-legacy tool is still available and it also keeps current configuration settings for potential future reuse.
coolkey replaced with opensc
The OpenSC library implements the PKCS#11 API and replaces the coolkey packages. In Red Hat Enterprise Linux 7, the CoolKey Applet functionality is also provided by the opensc package.
The coolkey package will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc package.
The inputname option of the rsyslog imudp module has been deprecated
The inputname option of the imudp module for the rsyslog service has been deprecated. Use the name option instead.
FedFS has been deprecated
Federated File System (FedFS) has been deprecated because the upstream FedFS project is no longer being actively maintained. Red Hat recommends migrating FedFS installations to use autofs, which provides more flexible functionality.
Btrfs has been deprecated
The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.
tcp_wrappers deprecated
The tcp_wrappers package, which provides a library and a small daemon program that can monitor and filter incoming requests for systat, finger, FTP, telnet, rlogin, rsh, exec, tftp, talk, sshd, and other network services, has been deprecated.
nautilus-open-terminal replaced with gnome-terminal-nautilus
Since Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated and replaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension that adds the option to the right-click context menu in Nautilus. nautilus-open-terminal is replaced by gnome-terminal-nautilus during the system upgrade.
sslwrap() removed from Python
The sslwrap() function has been removed from Python 2.7. After Python Enhancement Proposal 466 was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream.
Red Hat recommends using the ssl.SSLContext class and the ssl.SSLContext.wrap_socket() function instead. Most applications can simply use the ssl.create_default_context() function, which creates a context with secure default settings. The default context uses the system's default trust store, too.
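
The recommended replacement in use, as an added example that is not part of the Red Hat release notes: it builds the default client context, reports the verification settings it enables, and shows that wrap_socket() refuses a client socket when no server host name is given. The helper names are hypothetical, and the code is written for Python 3, where the same ssl API is available.

```python
import socket
import ssl

def make_client_context(cafile=None):
    """Build the client-side context recommended in place of sslwrap().

    With cafile=None the system's default trust store is loaded.
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)

def context_summary(ctx):
    """Report the verification settings that the default context enables."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }

def rejects_missing_hostname(ctx):
    """True if wrap_socket() refuses a client socket without server_hostname."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # never connected
    try:
        ctx.wrap_socket(raw)
    except ValueError:
        return True
    finally:
        raw.close()
    return False

def negotiated_tls(host, port=443, timeout=5.0):
    """Connect to host:port and return (protocol version, cipher name)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and host name verification.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    ctx = make_client_context()
    print(context_summary(ctx), rejects_missing_hostname(ctx))
```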
Symbols from libraries linked as dependencies no longer resolved by ld
Previously, the ld linker resolved any symbols present in any linked library, even if some libraries were linked only implicitly as dependencies of other libraries. This allowed developers to use symbols from the implicitly linked libraries in application code and omit explicitly specifying these libraries for linking.
For security reasons, ld has been changed to not resolve references to symbols in libraries linked implicitly as dependencies.
As a result, linking with ld fails when application code attempts to use symbols from libraries not declared for linking and linked only implicitly as dependencies. To use symbols from libraries linked as dependencies, developers must explicitly link against these libraries as well.
To restore the previous behavior of ld, use the -copy-dt-needed-entries command-line option. (BZ#1292230)
Windows guest virtual machine support limited
As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).
libnetlink is deprecated
The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the libnl and libmnl libraries instead.
S3 and S4 power management states for KVM have been deprecated
Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.
The Certificate Server plug-in udnPwdDirAuth is discontinued
The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.
Red Hat Access plug-in for IdM is discontinued
The Red Hat Access plug-in for Identity Management (IdM) was removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends exploring alternatives, such as the redhat-support-tool tool.
The Ipsilon identity provider service for federated single sign-on
The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.
Several rsyslog options deprecated
The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
- The functionality previously provided by the options -c, -u, -q, -x, -A, -Q, -4, and -6 can be achieved using the rsyslog configuration.
- There is no replacement for the functionality previously provided by the options -l and -s.
Deprecated symbols from the memkind library
The following symbols from the memkind library have been deprecated:
memkind_finalize()
memkind_get_num_kind()
memkind_get_kind_by_partition()
memkind_get_kind_by_name()
memkind_partition_mmap()
memkind_get_size()
MEMKIND_ERROR_MEMALIGN
MEMKIND_ERROR_MALLCTL
MEMKIND_ERROR_GETCPU
MEMKIND_ERROR_PMTT
MEMKIND_ERROR_TIEDISTANCE
MEMKIND_ERROR_ALIGNMENT
MEMKIND_ERROR_MALLOCX
MEMKIND_ERROR_REPNAME
MEMKIND_ERROR_PTHREAD
MEMKIND_ERROR_BADPOLICY
MEMKIND_ERROR_REPPOLICY
Options of Sockets API Extensions for SCTP (RFC 6458) deprecated
The options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
New options SCTP_SNDINFO, SCTP_NXTINFO, SCTP_NXTINFO and SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.
Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt
The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.
dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately
With this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of dconf-dbus-1.
The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package; see Chapter 8, Desktop for more information.
FreeRADIUS no longer accepts Auth-Type := System
The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.
Deprecated Device Drivers
- 3w-9xxx
- 3w-sas
- mptbase
- mptctl
- mptsas
- mptscsih
- mptspi
- mvsas
- qla3xxx
- The following controllers from the megaraid_sas driver have been deprecated:
  - Dell PERC5, PCI ID 0x15
  - SAS1078R, PCI ID 0x60
  - SAS1078DE, PCI ID 0x7C
  - SAS1064R, PCI ID 0x411
  - VERDE_ZCR, PCI ID 0x413
  - SAS1078GEN2, PCI ID 0x78
- The following adapters from the qla2xxx driver have been deprecated:
  - ISP24xx, PCI ID 0x2422
  - ISP24xx, PCI ID 0x2432
  - ISP2422, PCI ID 0x5422
  - QLE220, PCI ID 0x5432
  - QLE81xx, PCI ID 0x8001
  - QLE10000, PCI ID 0xF000
  - QLE84xx, PCI ID 0x8044
  - QLE8000, PCI ID 0x8432
  - QLE82xx, PCI ID 0x8021
- The following Ethernet adapter controlled by the be2net driver has been deprecated:
  - TIGERSHARK NIC, PCI ID 0x0700
- The following controllers from the be2iscsi driver have been deprecated:
  - Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
  - OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
  - OCe10100 BE2 adapter family, PCI ID 0x703
- The following Emulex boards from the lpfc driver have been deprecated:
  BladeEngine 2 (BE2) Devices
  - TIGERSHARK FCOE, PCI ID 0x0704
  Fibre Channel (FC) Devices
  - FIREFLY, PCI ID 0x1ae5
  - PROTEUS_VF, PCI ID 0xe100
  - BALIUS, PCI ID 0xe131
  - PROTEUS_PF, PCI ID 0xe180
  - RFLY, PCI ID 0xf095
  - PFLY, PCI ID 0xf098
  - LP101, PCI ID 0xf0a1
  - TFLY, PCI ID 0xf0a5
  - BSMB, PCI ID 0xf0d1
  - BMID, PCI ID 0xf0d5
  - ZSMB, PCI ID 0xf0e1
  - ZMID, PCI ID 0xf0e5
  - NEPTUNE, PCI ID 0xf0f5
  - NEPTUNE_SCSP, PCI ID 0xf0f6
  - NEPTUNE_DCSP, PCI ID 0xf0f7
  - FALCON, PCI ID 0xf180
  - SUPERFLY, PCI ID 0xf700
  - DRAGONFLY, PCI ID 0xf800
  - CENTAUR, PCI ID 0xf900
  - PEGASUS, PCI ID 0xf980
  - THOR, PCI ID 0xfa00
  - VIPER, PCI ID 0xfb00
  - LP10000S, PCI ID 0xfc00
  - LP11000S, PCI ID 0xfc10
  - LPE11000S, PCI ID 0xfc20
  - PROTEUS_S, PCI ID 0xfc50
  - HELIOS, PCI ID 0xfd00
  - HELIOS_SCSP, PCI ID 0xfd11
  - HELIOS_DCSP, PCI ID 0xfd12
  - ZEPHYR, PCI ID 0xfe00
  - HORNET, PCI ID 0xfe05
  - ZEPHYR_SCSP, PCI ID 0xfe11
  - ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the lspci -nn command.
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.
SFN4XXX adapters have been deprecated
Starting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have been deprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.
Software initiated only FCoE storage technologies have been deprecated
The software initiated only portion of Fibre Channel over Ethernet (FCoE) storage technology has been deprecated due to limited customer adoption. The software initiated only storage technology will remain supported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates the intention to remove software-initiated-based FCoE support in a future major release of Red Hat Enterprise Linux. It is important to note that the hardware support and the associated userspace tools (such as drivers, libfc, or libfcoe) are unaffected by this deprecation notice.
Containers using the libvirt-lxc tooling have been deprecated
The following libvirt-lxc packages are deprecated since Red Hat Enterprise Linux 7.1:
- libvirt-daemon-driver-lxc
- libvirt-daemon-lxc
- libvirt-login-shell
Future development on the Linux containers framework is now based on the docker command-line interface. libvirt-lxc tooling may be removed in a future release of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7) and should not be relied upon for developing custom container management applications.
For more information, see the Red Hat KnowledgeBase article.