[ DRAFT PATCH ] - FIPS 140-2 patch for OpenSSH 6.5p1

Steve Marquess marquess at opensslfoundation.com
Mon Feb 17 23:05:07 EST 2014


On 02/17/2014 01:09 AM, Manish Jagtap wrote:
> Hi,
> 
> 
> 
> Here is FIPS 140-2 patch for OpenSSH 6.5p1. Since our expertise in OpenSSH
> code is limited, request moderators to validate this patch and update as
> required.

I didn't see any patch but the following comments apply regardless.

For a long time I hoped to see native OpenSSL FIPS module support in
OpenSSH. Over the years OSF has prepared a number of patches such as:


http://opensslfoundation.com/export/openssh/openssh-6.0p1.fips-revised.patch

for interested clients.

However, with continuing evolution of OpenSSH and changing FIPS 140-2
requirements such support is becoming increasingly difficult. In order
to make any reasonable claim that an application like OpenSSH is "FIPS
140-2 compliant" *all* cryptography used by that application must be
implemented in the validated module(s). OpenSSH has always had some
inlined cryptography, but the recent introduction of "non-NIST"
cryptography exacerbates that issue.

Then there is the additional consideration that FIPS 140-2 is only
desirable in a context (USG and DoD) where x.509 support is also
mandatory. OpenSSH has adopted a different (and more robust) certificate
scheme. FIPS 140-2 has always been focused on compliance to a specific
ritualized policy and process, and thus is necessarily less secure in an
absolute sense, while OpenSSH is focused on real-world security. IMHO
that discrepancy will probably continue to grow.

So while it remains technically possible to jam the round OpenSSH peg
into the square FIPS 140-2 hole, I'm no longer sure it makes sense to
attempt it in the baseline OpenSSH.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc


More information about the openssh-unix-dev mailing list