Is there any plan for OpenSSH to support FIPS?

电磁波 qianbohound at hotmail.com
Thu Jun 19 16:17:29 EST 2008 

Hi OpenSSh Developer,

Currently, I can make openssh-5.0p1 working in FIPS mode. The detail steps I did are as follows.

1) Build FIPS OpenSSL according to FIPS User Guide(http://www.openssl.org/docs/fips/) on HP-UX PA 11.23 box.
FIPS object module is generated by compiling openssl-fips-1.1.2.
FIPS OpenSSL is built by openssl-0.9.7m, which is passed fips option for Configure step.

2) Modify openssh-5.0p1 according to  http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808 .
   Although the patch is for openssh 4.7, I make some necessary minor changes fit for 5.0.

3) On HP-UX PA 11.23 box, compile openssh (using fipsld instead of cc), which links against FIPS object module and FIPS libcrypto.a generated from step 1.

4) Set OpenSSH_FIPS environment variable to "1", lauch sshd by "sshd -ddd"
   From the debug information, I can see sshd enters FIPS mode successfully

5) On the same machine, connect sshd by ssh
   ssh -c 3des-cbc localhost
   ssh -c aes128-cbc localhost
   ssh -c aes192-cbc localhost
   ssh -c aes256-cbc localhost
These above ciphers are FIPS allowed and ssh can successfully connect to sshd which is running in FIPS mode.
On the other hand,when using FIPS unallowed ciphers,
   ssh -c arcfour localhost
   ssh -c blowfish-cbc localhost
   ssh -c cast128-cbc locahost
the sshd will disconnect the connection. Some debug messages like below appear.
 ***************************
 debug2: set_newkeys: mode 1
 cipher_init: EVP_CipherInit: set key failed for aes128-ctr
 debug1: do_cleanup
 debug3: PAM: sshpam_thread_cleanup entering
 debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON)
 ***************************
The above experiments show that the modified sshd actually works in FIPS mode, conforming to FIPS standard.

As we know, FIPS is very important for security software.It will be greatly appreciated, if FIPS is officially supported by openssh in the near future.(To provide flexibility to end user, one extra configuration directive/environment variable may be set to switch between FIPS and normal  mode.)

So, is there any plan that FIPS will be supported by OpenSSH?

Looking forward to your reply!

Best Regards,

Bo

_________________________________________________________________
Windows Live Photo gallery 数码相机的超级伴侣,轻松管理和编辑照片,还能制作全景美图!
http://get.live.cn/product/photo.html

More information about the openssh-unix-dev mailing list