Shell access to SSH KDF

Damien Miller djm at
Fri Aug 31 09:49:44 EST 2012

On Thu, 30 Aug 2012, Eric Ferguson wrote:

> Hi everyone.
> I'm currently running through FIPS validation, and this year CAVP
> requires KDF tests for SSH.  I'm running OpenSSH v5.6p1 and I see that
> the 6 keys that I need are derived in kex_derived_keys in kex.c. 
> However, I don't yet see any way for me to access this function from an
> existing command line tool, being able to pass in K, H, and the
> session_id from the test vector.  Is my only option to build a custom
> executable, linking in key derivation function I need, or am I missing
> something?

No, there is definitely no way to invoke the KEX KDF from the shell. You'll
have to make you own executable.

In the future, we hope to make bits like this available in a more friendly
library form but I don't think we will ever expose them via a command
interface directly. If there are specific tests that need to be done then
I'd certainly consider adding them as unit tests though.


More information about the openssh-unix-dev mailing list