Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

Peter Stuge peter at stuge.se
Sat Jul 24 00:42:00 EST 2010


Bryan wrote:
> Putty is not an option for us since it uses its own OpenSSL libs
> and we need it FIPS enabled.

If PuTTY uses OpenSSL for encryption then you could of course build
PuTTY against your FIPS-enabled OpenSSL.


> I've been able to build OpenSSL 0.9.8o and enable the
> fipcanister.lib and create the openssl executables and libraries.
> I've been able to find instructions on how to build OpenSSH at this
> site:
> 
> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
> 
> and here:
> 
> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
> 
> But I can't tell if either method is the correct one for building
> using cygwin.

Note that Cygwin is a very different system from Windows. First
decide what it is that you want. Do you want a native binary, or a
Cygwin binary?

Note that the method at the former URL produces a native binary. The
latter URL seems rather uninformed about platform differences in
general and Windows platform details vs. UNIX platform details in
particular.


> When I looked through the Configure script for OpenSSH,
> I did not find anything "FIPS" related to be able to point my build
> to it.  Can I assume that just linking to my FIPS-enabled OpenSSL
> is enough to FIPS enable OpenSSH?

I don't know FIPS well enough to say for sure, but in any case
OpenSSH does not do any crypto operations internally, it relies on
OpenSSL for this. If that's good enough (how useless is that
requirement?) then yes.


> And if someone has a non-vendor or more current version of how to
> build OpenSSH online, could you provide a link?  I would greatly
> appreciate it.

You don't say too well what exactly you need.

Since you mention PuTTY it's safe to assume that you need an SSH
client for Windows. Since Windows has no built-in terminal emulation,
you will also need that. PuTTY provides this, as does Cygwin and
MinGW. You don't say if you already have a Cygwin environment and
thus would be comfortable using a Cygwin OpenSSH, or if you want a
native OpenSSH for Windows.

In short, please provide more information.


//Peter


More information about the openssh-unix-dev mailing list