Call for testing: OpenSSH-5.7

Jan Chadima jchadima at redhat.com
Wed Jan 19 21:06:11 EST 2011



----- Original Message -----
> > -----Original Message-----
> > From: Steve Marquess
> >
> > Yes, the modifications in total are ugly because FIPS 140-2 imposes a
> > number of restrictions. For one thing many types of cryptography are
> > disallowed in the FIPS mode of operation. The "FIPS capable" OpenSSL
> > library (OpenSSL built with the FIPS module to present one seamless
> > external API) will automagically fail on attempts to use disallowed
> > crypto, but not gracefully. Much of the complexity of the patches comes
> > from graceful exception handling.
> >
> 
> One way to deal with this is to modify the list of allowed algorithms
> when reading the ssh/sshd config file.
> 

I'm attaching the Red Hat solution. It is not 100% nice code, but 100% functional.
There are 2 main areas where OpenSSH has to be changed to be FIPS compatible:
1) ciphers .... must be reduced in FIPS mode
2) MD5, used generally in fingerprints, has to be replaced....



-- 
JFCh <jchadima at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-5.6p1-fips.patch
Type: text/x-patch
Size: 25113 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110119/58db06d6/attachment-0001.bin>
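The two changes Jan lists (cutting the Ciphers/MACs lists down while the config is read, and replacing the MD5 fingerprint), as an added Python example that is not code from this thread or from the attached Red Hat patch; the allow-lists and the sample key are my own constructed assumptions, not values taken from the patch:

```python
import base64
import hashlib

# Constructed allow-lists: my assumption of what a FIPS 140-2 build of
# OpenSSH 5.x may negotiate, not the lists from the Red Hat patch.
FIPS_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc"}
FIPS_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}

def restrict_algorithms(spec, allowed):
    """Drop every name in a comma-separated Ciphers/MACs value that is not
    FIPS-approved, keeping the administrator's preference order."""
    kept = [a.strip() for a in spec.split(",") if a.strip() in allowed]
    if not kept:
        # A clear config error beats the FIPS OpenSSL aborting mid-kex later.
        raise ValueError("no FIPS-approved algorithm left in %r" % spec)
    return ",".join(kept)

def fips_config_lines(lines):
    """Rewrite Ciphers/MACs directives of an ssh(d)_config fragment while
    reading it; comments and every other directive pass through unchanged."""
    out = []
    for line in lines:
        parts = line.split(None, 1)
        key = parts[0].lower() if len(parts) == 2 else ""
        if key == "ciphers":
            out.append("Ciphers " + restrict_algorithms(parts[1], FIPS_CIPHERS))
        elif key == "macs":
            out.append("MACs " + restrict_algorithms(parts[1], FIPS_MACS))
        else:
            out.append(line)
    return out

def fips_fingerprint(pubkey_line):
    """SHA-256 fingerprint of an OpenSSH public key line, in the SHA256:base64
    form later OpenSSH releases adopted. It replaces the MD5 hex fingerprint,
    which a FIPS-enforcing host will refuse to compute."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data

# Constructed key: a syntactically valid ssh-ed25519 blob around 32 dummy bytes.
CONSTRUCTED_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
```

Rejecting a directive that ends up empty is deliberate: the alternative is the FIPS OpenSSL failing hard inside the key exchange, which is exactly the ungraceful behaviour the quoted message describes.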

