Red Hat Enterprise Linux 9 (RHEL 9) is the latest version of Red Hat’s flagship operating system, released at the Red Hat Summit in May 2022. New capabilities added to RHEL 9 help simplify how organizations manage security and compliance when deploying new systems or managing existing infrastructure. This article takes a brief look at three of the new security features available in this release.
SSH root password login disabled by default
The default superuser account on Unix and Linux systems is “root”. Because the username is always “root” and its access rights are unlimited, this account is the most valuable target for attackers. Attackers use bots to scan for systems with exposed SSH ports and, when they find one, try common usernames with brute-forced passwords to gain entry. The impact of a successful attack would be far lower if the compromised account were unprivileged: the breach would then be contained and limited to that one user.
With RHEL 9, root authentication with a password over SSH is disabled by default. The default OpenSSH configuration allows root logins only through other authentication methods, such as public-key authentication, which removes the brute-force password path to the root account. Instead of the root password, developers log in to remote development environments with SSH keys.
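The setting behind this default is OpenSSH's PermitRootLogin keyword. The following Python script is an added example (not code from the article or from OpenSSH) that resolves the effective value of that keyword from sshd_config text the way sshd does: the first value encountered wins, and values inside a Match block are conditional and therefore skipped for the global answer. The fallback of "prohibit-password" when the keyword is absent is OpenSSH's built-in default and is stated as an assumption in the code; the sample configurations are constructed, not copied from a real system.

```python
"""Resolve the effective PermitRootLogin setting the way sshd reads it.

Added example; not code from the Red Hat article or from OpenSSH.
It relies on two documented sshd_config rules: for each keyword the first
value encountered wins, and keywords inside a Match block apply only to
matching connections (so they are skipped for the global answer).
The built-in default used when the keyword is absent is assumed to be
"prohibit-password", OpenSSH's default since 7.0.
"""
import re
from typing import Optional

# PermitRootLogin values that never accept a password for root.
PASSWORD_REFUSING = {"no", "prohibit-password", "without-password",
                     "forced-commands-only"}

# sshd accepts "Key value", "Key=value" and "Key = value".
_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def effective_option(config_text: str, keyword: str,
                     default: Optional[str] = None) -> Optional[str]:
    """Return the first global value of `keyword` in config_text, else default."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True        # from here to EOF everything is conditional
            continue
        if in_match:
            continue
        if key == keyword.lower():
            return value           # first value wins; later lines are ignored
    return default


def root_password_login_allowed(config_text: str) -> bool:
    """True when sshd would accept a password for the root account.

    Unknown values are reported as allowed so that a typo is flagged
    rather than silently treated as safe.
    """
    value = effective_option(config_text, "PermitRootLogin",
                             default="prohibit-password")
    return value.lower() not in PASSWORD_REFUSING


# Constructed sample configurations (not copied from any real system).
HARDENED = """
# the shipped default, with a Match block that only affects one user
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

# An admin appends "yes" at the bottom, expecting it to take effect.
APPENDED_YES = HARDENED + "\nPermitRootLogin yes\n"

# A drop-in that is read before the default really does open root.
DROPIN_YES_FIRST = "PermitRootLogin = yes\n" + HARDENED

if __name__ == "__main__":
    for label, cfg in [("hardened", HARDENED), ("appended yes", APPENDED_YES),
                       ("drop-in yes first", DROPIN_YES_FIRST)]:
        value = effective_option(cfg, "PermitRootLogin", "prohibit-password")
        print(f"{label:18} PermitRootLogin={value!r} "
              f"root password login allowed: {root_password_login_allowed(cfg)}")
```

The second sample shows why appending a line to sshd_config often "does nothing": sshd keeps the first value it sees. On a live system the same answer comes from `sshd -T | grep -i permitrootlogin`, which prints the effective configuration after all Include directives have been processed.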
OpenSSL 3.0.1
RHEL 9 provides OpenSSL packages in upstream version 3.0.1, which includes many improvements and bug fixes over the previous versions. Some notable improvements include the following.
Providers are collections of algorithms, and you can choose different providers for different applications. This allows application developers to make security decisions about their applications without worrying too much about the security of underlying cryptographic algorithms. OpenSSL currently includes the following providers: base, default, fips, legacy and null. By default, OpenSSL loads and activates the default provider, which includes commonly used algorithms. Developers can programmatically invoke any providers based on application requirements.
The IBM Z platform supports CP Assist for Cryptographic Functions (CPACF), which delivers high-speed on-chip cryptography. OpenSSL now uses it through a NIST SP 800-90A-compliant, AES-based deterministic random bit generator (DRBG), so applications running on IBM Z can use this faster and more secure random number generator.
Finally, support has been added for better certificate management via the Certificate Management Protocol (CMP, RFC 4210), the Certificate Request Message Format (CRMF), and HTTP transfer (RFC 6712). CMP messages are self-contained, with protection independent of the transfer mechanism, so they provide end-to-end security.
Built-in RHEL utilities have been recompiled to utilize OpenSSL 3. This allows users to take advantage of new security ciphers for encrypting and protecting information.
Improved system-wide crypto-policies
In RHEL 9, the system-wide cryptographic policies have been adjusted to provide up-to-date security defaults:
- Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, CAMELLIA, DSA, 3DES, and FFDHE-1024 in all policies.
- Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY.
- With the exception of Hash-based Message Authentication Codes (HMACs), SHA-1 is disabled in TLS and SSH algorithms.
If needed, customers can re-enable some of the disabled algorithms through custom policies or subpolicies.
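On RHEL 9 the system-wide policy reaches OpenSSL through its configuration file, so applications inherit these defaults without code changes. The Python script below is an added example (not code from the article or from the crypto-policies project) that applies the parts of the same baseline that Python's ssl module can express, a TLS 1.2 floor and removal of the RC4, 3DES and CAMELLIA cipher families, and audits a context for anything the policy would have removed. A deliberately permissive context is built alongside for contrast. The SHA-1 signature restriction and Diffie-Hellman minimums are not settable through ssl and are left to the system policy; the cipher-string and family names used are OpenSSL's.

```python
"""Enforce the RHEL 9 crypto-policy baseline inside an application and audit it.

Added example; not code from the Red Hat article or from the crypto-policies
project. On RHEL 9 the system-wide policy reaches OpenSSL through its
configuration file, so a Python program inherits it. This block shows the
application-level equivalent for the parts Python's ssl module can express
(protocol floor and cipher families) and an audit that lists what the policy
would have removed. The SHA-1 signature restriction and Diffie-Hellman
parameter minimums cannot be set through ssl and stay the system policy's job.
"""
import ssl
from typing import List

# Cipher families the article lists as disabled in every RHEL 9 policy;
# OpenSSL names 3DES suites with "DES-CBC3", so both spellings are checked.
DISABLED_FAMILIES = ("RC4", "CAMELLIA", "3DES", "DES-CBC3")


def hardened_context() -> ssl.SSLContext:
    """Client context with TLS 1.0/1.1 and the disabled cipher families removed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: "!" removes a family permanently.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!3DES:!CAMELLIA")
    return ctx


def permissive_context() -> ssl.SSLContext:
    """Roughly what an application gets with no policy at all (for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def offending_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Enabled cipher suites whose name falls in a disabled family."""
    return [suite["name"] for suite in ctx.get_ciphers()
            if any(fam in suite["name"].upper() for fam in DISABLED_FAMILIES)]


def protocol_floor_ok(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses TLS 1.0 and 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()),
                       ("permissive", permissive_context())):
        print(f"{label}: floor ok={protocol_floor_ok(ctx)} "
              f"offending={offending_ciphers(ctx) or 'none'}")
```

What the permissive context actually lists depends on the OpenSSL build and the active system policy: on a RHEL 9 host with the DEFAULT policy the disabled families are already gone from the library's view, which is exactly the point of a system-wide policy. The audit is most useful on builds or containers where that policy is not in force.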
Apart from the above, RHEL 9 includes protection against hardware-level security vulnerabilities like Spectre and Meltdown, and the operating system can also help user-space processes create memory areas inaccessible to malicious code.
Additionally, RHEL 9 provides readiness for Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and other customer security requirements. Its integrity measurement architecture (IMA) digital hashes and signatures create a new way for users to detect rogue infrastructure modifications.
Learn more about these and other security enhancements included in RHEL 9.
About the author
Huzaifa Sidhpurwala is a Senior Principal Product Security Engineer - AI security, safety and trustworthiness, working for Red Hat Product Security Team.