Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

Douglas E. Engert deengert at anl.gov
Sat Jul 24 04:16:29 EST 2010



On 7/23/2010 10:09 AM, Bryan wrote:
> On Fri, Jul 23, 2010 at 09:42, Peter Stuge<peter at stuge.se>  wrote:
>> Bryan wrote:
>>> Putty is not an option for us since it uses its own OpenSSL libs
>>> and we need it FIPS enabled.
>>
>> If PuTTY uses OpenSSL for encryption then you could of course build
>> PuTTY against your FIPS-enabled OpenSSL.

No, PuTTY uses its own internal encryption routines.

Have you looked at SecureCRT for Windows? It does have a FIPS mode.
http://www.vandyke.com/products/fips_info.html

Some other SSH clients that do FIPS:
http://en.wikipedia.org/wiki/Comparison_of_SSH_clients


>>
>>
>>> I've been able to build OpenSSL 0.9.8o and enable the
>>> fipcanister.lib and create the openssl executables and libraries.
>>> I've been able to find instructions on how to build OpenSSH at this
>>> site:
>>>
>>> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
>>>
>>> and here:
>>>
>>> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
>>>
>>> But I can't tell if either method is the correct one for building
>>> using cygwin.
>>
>> Note that Cygwin is a very different system from Windows. First
>> decide what it is that you want. Do you want a native binary, or a
>> Cygwin binary?
>>
>
> I've read that it is possible to build openssh and use it with a
> minimal cygwin presence (i.e. just the necessary dlls, like
> cygwin1.dll, etc)
>
>> Note that the method at the former URL produces a native binary. The
>> latter URL seems rather uninformed with platform differences in
>> general and Windows platform details vs. UNIX platform details in
>> particular.
>>
> Well, to be fair, the "nomachine" link seemed to be for running
> openssh in a vendor-specific environment, but I have not found a
> decent how-to yet.
>
> The other link was good to show what was needed for a minimal cygwin
> environment, but from 3 years ago, and things have changed in both
> cygwin and openssh.  If that will work, then I'll follow those
> instructions.
>
>>
>>> When I looked through the Configure script for OpenSSH,
>>> I did not find anything "FIPS" related to be able to point my build
>>> to it.  Can I assume that just linking to my FIPS-enabled OpenSSL
>>> is enough to FIPS enable OpenSSH?
>>
>> I don't know FIPS well enough to say for sure, but in any case
>> OpenSSH does not do any crypto operations internally, it relies on
>> OpenSSL for this. If that's good enough (how useless is that
>> requirement?) then yes.
>>
>>
>>> And if someone has a non-vendor or more current version of how to
>>> build OpenSSH online, could you provide a link?  I would greatly
>>> appreciate it.
>>
>> You don't say too well what exactly you need.
>>
>> Since you mention PuTTY it's safe to assume that you need an SSH
>> client for Windows. Since Windows has no built-in terminal emulation,
>> you will also need that. PuTTY provides this, as does Cygwin and
>> MinGW. You don't say if you already have a Cygwin environment and
>> thus would be comfortable using a Cygwin OpenSSH, or if you want a
>> native OpenSSH for Windows.
>>
>> In short, please provide more information.
>
> We are looking to create scp/sftp executables that will allow us to
> send updates to Linux. sftp is more important than having terminal
> emulation, as I need the ability to script the transfer from one to
> another.  As I said earlier, we are using WRQ Reflections for our
> transfer, but it requires us to buy a license for each box we install
> it on, and that gets expensive.
>
> Someone must have run into this issue before, or does no one need FIPS
> enabled software?  If OpenSSH just needs to link to a FIPS-OpenSSL,
> then I'm all good.  I just need to figure out how to build OpenSSH
> with a link to the already built OpenSSL libs in cygwin.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
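Since the question that started the thread is whether simply linking OpenSSH against the FIPS-capable OpenSSL is enough, here is a small check script for the build result. It is an added example, not something posted in the thread or shipped with OpenSSH or OpenSSL. It assumes POSIX sh, that `ssh -V` (likewise `scp`/`sftp` do not take `-V`, so point it at the ssh binary) prints the OpenSSL version string the binary was built against, that an OpenSSL built with the `fips` configure option reports a `-fips` suffix in that string, and that dependencies can be listed with `cygcheck` on Cygwin or `ldd` elsewhere. The sample banner and dependency lines in the usage are constructed. Note what it does not prove: a FIPS-capable library only enters FIPS mode once the application calls `FIPS_mode_set(1)`, so passing these checks shows the linkage is right, not that the binary runs in FIPS mode.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check that a built OpenSSH
# binary reports a FIPS-capable OpenSSL and actually links a crypto library.
# Assumptions: POSIX sh; 'cygcheck' on Cygwin or 'ldd' elsewhere lists DLL/.so
# dependencies; the OpenSSL version text carries "-fips" when built with fips.

# Returns 0 if an "ssh -V" style banner names an OpenSSL whose version text
# carries the "-fips" suffix, 1 otherwise.
banner_is_fips() {
    case "$1" in
        *OpenSSL*-fips*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if a dependency listing (ldd or cygcheck output) names an OpenSSL
# crypto library: libcrypto.so* on Unix, cygcrypto-*.dll on Cygwin,
# libeay32.dll for native Win32 builds. A binary that links neither is not
# using the OpenSSL you built, whatever its banner says.
deps_link_openssl() {
    printf '%s\n' "$1" | grep -Eqi 'libcrypto|cygcrypto|libeay32'
}

# Gather banner and dependency listing for one binary path and return the
# combined verdict: 0 only when both checks pass. Prints a one-line report.
check_binary() {
    bin="$1"
    banner=$("$bin" -V 2>&1)
    if command -v cygcheck >/dev/null 2>&1; then
        deps=$(cygcheck "$bin" 2>/dev/null)
    else
        deps=$(ldd "$bin" 2>/dev/null)
    fi
    status=0
    if banner_is_fips "$banner"; then fips=yes; else fips=no; status=1; fi
    if deps_link_openssl "$deps"; then linked=yes; else linked=no; status=1; fi
    printf '%s: fips-capable OpenSSL in banner=%s, crypto library linked=%s\n' \
        "$bin" "$fips" "$linked"
    return "$status"
}

# Usage: ./check_fips_build.sh /usr/bin/ssh [/other/ssh ...]
if [ "$#" -gt 0 ]; then
    for b in "$@"; do
        check_binary "$b"
    done
fi
```

Run it against the ssh you just built; a "no" in either column means the build picked up a different OpenSSL (the stock Cygwin one, typically) than the FIPS-capable one you compiled.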

