Call for testing: OpenSSH-5.7

[Iain Morgan]

On Mon, Jan 17, 2011 at 07:47:07 -0600, Steve Marquess wrote:
> Damien Miller wrote:
> > On Sat, 15 Jan 2011, Jan Chadima wrote:
> >
> >   
> >> The build in FIPS enabled RHEL6 does not still work.
> >>     
> >
> > We don't (yet) support building against FIPS enabled OpenSSL.
> >   
> 
> Out of curiosity, what is needed to make that happen?
> 
> That's a semi-rhetorical question; a well crafted patch would surely go
> a long way.  I've had that on my rainy day to-do list for a long time. 
> I have been building FIPS enabled versions of OpenSSH for my DoD clients
> for some time, and I know others have done the same.  My feeble excuses
> for not doing a better job of sharing with the community vary over time;
> at the moment I'm more than fully committed with a day job and a newly
> launched OpenSSL FIPS Object Module validation.
> 
> Anyone interested in taking working code that FIPS enables OpenSSH and
> transforming it into something suitable for direct inclusion?  The
> result will be very much noticed in the U.S. DoD where OpenSSH is widely
> used in violation of the FIPS 140-2 validation mandate.
> 
> -Steve M.
> 

Hi Steve,

I'm interested in seeing that happen, but alas can't commit any time to
it. I would, however, like to take this opportunity to make a few
comments.

I have never taken a close look at the various patches that have been
posted on this mailing list to enable FIPS support, but as I understand
it they are fairly invasive. As we all know, the more invasive the
changes are, the longer it will take for them to be included. Also,
there may be some reluctance to include changes required for FIPS-mode
support in the OpenBSD version of OpenSSH, since the FIPS Object Module
is not validated for that platform.

Is there any realistic way to take an incremental approach to adding
FIPS support? For example, replacing arc4random() with an acceptable
CSPRNG. Doing that would bring us a step closer to compliance.

-- 
Iain Morgan