Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

Bryan brakeb at gmail.com
Sat Jul 24 01:09:34 EST 2010


On Fri, Jul 23, 2010 at 09:42, Peter Stuge <peter at stuge.se> wrote:
> Bryan wrote:
>> Putty is not an option for us since it uses its own OpenSSL libs
>> and we need it FIPS enabled.
>
> If PuTTY uses OpenSSL for encryption then you could of course build
> PuTTY against your FIPS-enabled OpenSSL.
>
>
>> I've been able to build OpenSSL 0.9.8o and enable the
>> fipscanister.lib and create the openssl executables and libraries.
>> I've been able to find instructions on how to build OpenSSH at this
>> site:
>>
>> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
>>
>> and here:
>>
>> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
>>
>> But I can't tell if either method is the correct one for building
>> using cygwin.
>
> Note that Cygwin is a very different system from Windows. First
> decide what it is that you want. Do you want a native binary, or a
> Cygwin binary?
>

I've read that it is possible to build openssh and use it with a
minimal cygwin presence (i.e. just the necessary dlls, like
cygwin1.dll, etc)

> Note that the method at the former URL produces a native binary. The
> latter URL seems rather uninformed with platform differences in
> general and Windows platform details vs. UNIX platform details in
> particular.
>
Well, to be fair, the "nomachine" link seemed to be for running
openssh on a vendor-specific environment, but I have not found a
decent how-to yet.

The other link was good to show what was needed for a minimal cygwin
environment, but from 3 years ago, and things have changed in both
cygwin and openssh.  If that will work, then I'll follow those
instructions.

>
>> When I looked through the Configure script for OpenSSH,
>> I did not find anything "FIPS" related to be able to point my build
>> to it.  Can I assume that just linking to my FIPS-enabled OpenSSL
>> is enough to FIPS enable OpenSSH?
>
> I don't know FIPS well enough to say for sure, but in any case
> OpenSSH does not do any crypto operations internally, it relies on
> OpenSSL for this. If that's good enough (how useless is that
> requirement?) then yes.
>
>
>> And if someone has a non-vendor or more current version of how to
>> build OpenSSH online, could you provide a link?  I would greatly
>> appreciate it.
>
> You don't say too well what exactly you need.
>
> Since you mention PuTTY it's safe to assume that you need an SSH
> client for Windows. Since Windows has no built-in terminal emulation,
> you will also need that. PuTTY provides this, as does Cygwin and
> MinGW. You don't say if you already have a Cygwin environment and
> thus would be comfortable using a Cygwin OpenSSH, or if you want a
> native OpenSSH for Windows.
>
> In short, please provide more information.

We are looking to create scp/sftp executables that will allow us to
send updates to Linux. sftp is more important than having terminal
emulation, as I need the ability to script the transfer from one to
another.  As I said earlier, we are using WRQ Reflections for our
transfer, but it requires us to buy a license for each box we install
it on, and that gets expensive.

Someone must have run into this issue before, or does no one need FIPS
enabled software?  If OpenSSH just needs to link to a FIPS-OpenSSL,
then I'm all good.  I just need to figure out how to build OpenSSH
with a link to the already built OpenSSL libs in cygwin.
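The build-and-verify steps the thread is circling around, as an added example that is not part of the thread and not OpenSSH's or OpenSSL's own tooling. It assumes the FIPS-capable OpenSSL 0.9.8 was installed under a prefix held in SSL_PREFIX (placeholder /usr/local/ssl) and that the OpenSSH source tree is at OPENSSH_SRC (placeholder); both are assumptions. `--with-ssl-dir` is a real OpenSSH configure option. Two checks matter for the question asked above: that the resulting ssh/sftp binaries actually resolve libcrypto from the FIPS build rather than Cygwin's stock one, and that the module is really in FIPS mode at runtime. Linking alone does not switch the OpenSSL FIPS module into FIPS mode; an application has to request it with FIPS_mode_set(1), which the openssl command-line tool does when OPENSSL_FIPS=1 is set, so the runtime check below exercises that tool rather than ssh itself.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are placeholders (assumptions).
SSL_PREFIX="${SSL_PREFIX:-/usr/local/ssl}"
OPENSSH_SRC="${OPENSSH_SRC:-$HOME/openssh-src}"

# Point OpenSSH's configure at the separately built OpenSSL. CPPFLAGS/LDFLAGS
# keep Cygwin's own /usr/include and /usr/lib OpenSSL from winning the search.
configure_openssh() {
    cd "$OPENSSH_SRC" || return 1
    CPPFLAGS="-I$SSL_PREFIX/include" LDFLAGS="-L$SSL_PREFIX/lib" \
        ./configure --with-ssl-dir="$SSL_PREFIX" --prefix=/usr/local
}

# 0 when an `openssl version` string carries the -fips suffix of a FIPS build.
fips_version_ok() {
    case "$1" in
        *fips*|*FIPS*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Inspect `ldd <binary>` output (passed in as text so it can be checked
# offline). 0: the crypto library resolves under $2; 1: it resolves somewhere
# else (probably Cygwin's stock build); 2: no shared crypto library at all,
# i.e. libcrypto was linked statically and must be inspected another way.
linked_crypto_ok() {
    ldd_out="$1"; prefix="$2"
    crypto_line=$(printf '%s\n' "$ldd_out" | grep -i 'crypto' | head -n 1)
    [ -n "$crypto_line" ] || return 2
    case "$crypto_line" in
        *"=> $prefix/"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Runtime check: MD5 is not a FIPS-approved digest, so the openssl tool must
# refuse it once OPENSSL_FIPS=1 has put the module into FIPS mode.
# 0: refused (FIPS mode active); 1: MD5 worked (not in FIPS mode); 2: no binary.
fips_mode_smoke_test() {
    bin="$1"
    [ -x "$bin" ] || return 2
    if OPENSSL_FIPS=1 "$bin" dgst -md5 /dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage (only runs when the placeholder installation is actually present):
if [ -x "$SSL_PREFIX/bin/openssl" ]; then
    fips_version_ok "$("$SSL_PREFIX/bin/openssl" version)" \
        && echo "version string advertises FIPS build" \
        || echo "WARNING: not a FIPS build of OpenSSL"
    fips_mode_smoke_test "$SSL_PREFIX/bin/openssl" \
        && echo "FIPS mode enforced at runtime" \
        || echo "WARNING: FIPS mode not enforced"
fi
if [ -x "$OPENSSH_SRC/ssh" ]; then
    linked_crypto_ok "$(ldd "$OPENSSH_SRC/ssh")" "$SSL_PREFIX"
    case $? in
        0) echo "ssh links libcrypto from $SSL_PREFIX" ;;
        1) echo "WARNING: ssh links a different libcrypto" ;;
        2) echo "no shared libcrypto: statically linked, check with nm/strings" ;;
    esac
fi
```

Run it from a Cygwin shell after `make`; the return codes rather than the printed lines are what a build script should branch on, which is why the checks take their input as text and return status codes.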


More information about the openssh-unix-dev mailing list