OpenSSH fips compliance

Senthil Kumar senthilkumar_sen at
Mon Apr 17 19:25:14 EST 2006

"Stephen John Smoogen" <smooge at> wrote:
> Ok.. I am not a member of the SSH team.. I just am dealing with FIPS
> items currently where I work.
> Which FIPS are you meaning to be compliant with? There are multiple of
> them that could potentially cover OpenSSH. Second who is the
> sponsoring Federal agency for FIPS compliance? From what I can tell..
> it would be a bigger point for OpenSSH to have a solid financial floor
> versus any sort of 'compliance' work.

Im talking about FIPS 140-2 which is available at
This says that applications (like OpenSSH etc)  using fips certified OpenSSL 
needs to follow some guidelines.
Also, the MD5 is not supported in fips and it needs some work on OpenSSH 
code. I digged up the old
archives and came across some patches during June 2004 time frame and not 
sure about support level
for it today. Is there any other recommendations?

Senthil Kumar.

More information about the openssh-unix-dev mailing list