Older ssh clients can't connect to sshd (6.3p1) built using FIPS object module 2.0.5

Manish Jagtap manish.jagtap at airtightnetworks.com
Thu Oct 31 19:19:04 EST 2013


Hi,

ssh server: OpenSSH_6.3-FIPS, OpenSSL FIPS Object Module v2.0.5

ssh client: OpenSSH_5.3p1, OpenSSL FIPS Object Module v1.2

We have built and installed the FIPS object module (v2.0.5) using
http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz

Using this FIPS object module, we have built a FIPS-capable OpenSSL as well.
Note that we have "not" used the ecp version (with binary-curve ECC omitted) of
the FIPS object module.

We have applied a FIPS patch similar to
http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch
to the openssh suite v6.3p1 and successfully generated openssh suite
binaries. PFA our draft of the FIPS patch for openssh:
openssh-6.3p1-fips-patch (not reviewed by the OpenSSL Software Foundation).

sshd built this way has connection issues with older ssh clients, even in
FIPS-off mode. PFA the error log (ssh_error.log).

The ssh client just blocks at the following log line:

>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

The openssh client v6.3p1 can successfully connect to this server, but some
older clients can't.

Any pointers? 

Thanks,

Manish Jagtap

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-6.3p1-fips-patch.txt
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssh_error.log.txt
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0003.txt>
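For readers tracing where the client in that log is stuck, here is an added example of the RFC 4419 group-exchange messages in play; it is not code from OpenSSH, from the poster's patch or from the attached log. At the point of the quoted debug line the client has sent SSH2_MSG_KEX_DH_GEX_REQUEST and is waiting for SSH2_MSG_KEX_DH_GEX_GROUP. The block builds both messages, parses the GROUP reply with its mpint fields, and applies the client-side check that the returned modulus lies within the requested size bounds. Message numbers and field layouts are taken from RFC 4419 and RFC 4251; SAMPLE_P is a constructed placeholder modulus (not a safe prime) and every function name is this example's own.

```python
"""RFC 4419 Diffie-Hellman group exchange: the two messages traded at the
point where an OpenSSH client logs 'expecting SSH2_MSG_KEX_DH_GEX_GROUP'.

Added illustration, not code from OpenSSH or from the poster's patch.
Message numbers and layouts follow RFC 4419 / RFC 4251; the modulus below
is a constructed placeholder, not a real safe prime.
"""
import struct

SSH2_MSG_KEX_DH_GEX_REQUEST_OLD = 30  # uint32 n                (very old clients)
SSH2_MSG_KEX_DH_GEX_GROUP = 31        # mpint p, mpint g        (server -> client)
SSH2_MSG_KEX_DH_GEX_INIT = 32         # mpint e                 (client -> server)
SSH2_MSG_KEX_DH_GEX_REPLY = 33        # string K_S, mpint f, string sig
SSH2_MSG_KEX_DH_GEX_REQUEST = 34      # uint32 min, n, max      (client -> server)

# Constructed 2048-bit placeholder with its top bit set, so the mpint
# encoding must prepend a zero byte. NOT a safe prime; never use for real DH.
SAMPLE_P = (1 << 2047) | 0x10001
SAMPLE_G = 2


def encode_mpint(n: int) -> bytes:
    """RFC 4251 mpint: uint32 length + big-endian two's-complement bytes."""
    if n < 0:
        raise ValueError("negative mpint not supported in this example")
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:            # high bit set: pad so the value reads as positive
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def decode_mpint(buf: bytes, off: int):
    """Return (value, new_offset) for the mpint starting at buf[off:]."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated mpint")
    return int.from_bytes(body, "big"), off + length


def build_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """Client -> server: the message sent just before 'expecting ..._GROUP'."""
    return bytes([SSH2_MSG_KEX_DH_GEX_REQUEST]) + struct.pack(
        ">III", min_bits, n_bits, max_bits)


def build_gex_group(p: int, g: int) -> bytes:
    """Server -> client: the reply the stalled client in the log never saw."""
    return bytes([SSH2_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)


def parse_gex_group(payload: bytes, min_bits: int, max_bits: int):
    """Client side: accept only a GEX_GROUP whose modulus fits the request.

    Returns (p, g). Raises on any other message type (the client is
    'expecting' GROUP and nothing else) and on an out-of-range modulus.
    """
    if not payload or payload[0] != SSH2_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("expected SSH2_MSG_KEX_DH_GEX_GROUP, got %r" % (payload[:1],))
    p, off = decode_mpint(payload, 1)
    g, off = decode_mpint(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after GEX_GROUP")
    if not (min_bits <= p.bit_length() <= max_bits):
        raise ValueError("group size %d outside requested [%d, %d]"
                         % (p.bit_length(), min_bits, max_bits))
    return p, g


def simulate_exchange(min_bits=1024, n_bits=2048, max_bits=8192) -> int:
    """One REQUEST/GROUP round trip; returns the modulus size the client accepted."""
    req = build_gex_request(min_bits, n_bits, max_bits)
    rmin, _rn, rmax = struct.unpack_from(">III", req, 1)  # server parses the request
    grp = build_gex_group(SAMPLE_P, SAMPLE_G)             # server answers with a group
    p, _g = parse_gex_group(grp, rmin, rmax)              # client validates the answer
    return p.bit_length()


if __name__ == "__main__":
    print("client accepted a %d-bit group" % simulate_exchange())
```

This says nothing about why the poster's sshd never answers; it only makes concrete what the client is blocked on, so a packet capture or a server-side `sshd -ddd` log can be read against it: either the GROUP message never leaves the server, or it arrives as something the client refuses to treat as type 31.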