OpenSSH fips compliance
Senthil Kumar
senthilkumar_sen at hotpop.com
Mon Apr 17 19:25:14 EST 2006
"Stephen John Smoogen" <smooge at gmail.com> wrote:
>
> Ok.. I am not a member of the SSH team.. I just am dealing with FIPS
> items currently where I work.
>
> Which FIPS are you meaning to be compliant with? There are multiple of
> them that could potentially cover OpenSSH. Second who is the
> sponsoring Federal agency for FIPS compliance? From what I can tell..
> it would be a bigger point for OpenSSH to have a solid financial floor
> versus any sort of 'compliance' work.
Im talking about FIPS 140-2 which is available at
http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf.
This says that applications (like OpenSSH etc) using fips certified OpenSSL
needs to follow some guidelines.
Also, the MD5 is not supported in fips and it needs some work on OpenSSH
code. I digged up the old
archives and came across some patches during June 2004 time frame and not
sure about support level
for it today. Is there any other recommendations?
Thanks,
Senthil Kumar.
More information about the openssh-unix-dev
mailing list