FIPS mode OpenSSH suggestion
电磁波
qianbohound at hotmail.com
Thu Jun 12 17:31:58 EST 2008
Hi OpenSSH team,
I find a url
http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808,
which provides unofficial patch for FIPS Capable OpenSSH. I try it and
it seems working for some cases.
(BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly.
The fips mode sshd debug info is as following.
***************************
debug2: set_newkeys: mode 1
cipher_init: EVP_CipherInit: set key failed for aes128-ctr
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON)
***************************
I don't know why. Are these three ciphers FIPS forbidden?)
As you know, FIPS 1.1.2 module has been
officially released for some period and FIPS Capable OpenSSL may become
one of the important main branches of OpenSSL in the near future. So if
openssh can provide built-in FIPS Capable functionality, it will be
highly appreciated.
Would you please take this suggestion into consideration for future openssh release?
Thank you!
_________________________________________________________________
多个邮箱同步管理,live mail客户端万人抢用中
http://get.live.cn/product/mail.html
More information about the openssh-unix-dev
mailing list