Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab.
The key derivation function (KDF) in Kerberos is not FIPS compatible.
The krb5-server package should be removed if not in use.
Is this system the Kerberos server? If not, remove the package.
The krb5-server
package can be removed with the following command:
$ sudo dnf remove krb5-serverThe krb5-server RPM is not installed by default on a Fedora system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server it should be removed.
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems.
The krb5-workstation
package can be removed with the following command:
$ sudo dnf remove krb5-workstation
Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd).