FIPS 140-2 certification

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Sep 28 07:34:44 EST 2002


On Fri, 27 Sep 2002, Nathan Bardsley wrote:

> Hello everyone!
>
> I work for a company that uses OpenSSH to remotely support systems we've
> sold.  Since some of our clients are US Dept. of Defense hospitals, our
> access to these servers needs to comply with a whole range of
> requirements and standards.  At this point it's looking like the SSH
> daemon needs to be FIPS 140-2 compliant, and the only package that is
> certified is F-Secure.
>

Where are these 'FIPS 140-2' requirements?  If they are anything like the
other military requirements they are impractical and insane (yes I've had
some time in the area.  Not my idea of fun =).

> The other option is for CliniComp to sponsor getting OpenSSH through the
> certification process, and that's what I'm exploring.
>
> I'd really appreciate knowing what the core developers think about this,
> and how willing they would be to assist in the process.  I know there
> will need to be a fair amount of documentation, and there is no
> substitute for first-hand knowledge.  Also, it seems pretty clear that at
> least some code changes will be needed including self-tests, a new prng,
> and work in the key generation & validation modules.
>

We have a regress/ section in the current tree.

What is the issue with prng?  You really should be using kernel level
devices.  prngd and built-in prng should be a last resort.  Besides, I
bet our prng could easily get certified by NIST.  It is a more sane
implementation than some of the NIST certified stuff at my work.=)

- Ben




More information about the openssh-unix-dev mailing list