second FIPS patch for openssh 6.0p1, fix pubkey
John E. Krokes
mag at netherworld.org
Thu Aug 30 05:52:40 EST 2012
The patch to enable FIPS mode for openssh 6.0p1 missed two instances of
the ssh client trying to use MD5. It causes pubkey-based authentication
to fail in FIPS mode.
I have copied the missing changes from auth2-pubkey.c into sshconnect2.c.
Here is a patch:
diff -cr openssh-6.0p1/sshconnect2.c openssh-6.0p1-patched/sshconnect2.c
*** openssh-6.0p1/sshconnect2.c Sun May 29 07:42:34 2011
--- openssh-6.0p1-patched/sshconnect2.c Wed Aug 29 14:59:19 2012
***************
*** 77,82 ****
--- 77,88 ----
#include "ssh-gss.h"
#endif
+ #include <openssl/sha.h>
+ #ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
+ #endif
+
+
/* import */
extern char *client_version_string;
extern char *server_version_string;
***************
*** 591,597 ****
key->type, pktype);
goto done;
}
! fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
debug2("input_userauth_pk_ok: fp %s", fp);
xfree(fp);
--- 604,611 ----
key->type, pktype);
goto done;
}
! fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
! SSH_FP_HEX);
debug2("input_userauth_pk_ok: fp %s", fp);
xfree(fp);
***************
*** 1204,1210 ****
int have_sig = 1;
char *fp;
! fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
xfree(fp);
--- 1218,1225 ----
int have_sig = 1;
char *fp;
! fp = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
! SSH_FP_HEX);
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
xfree(fp);
-Mag
More information about the openssh-unix-dev
mailing list