[ DRAFT PATCH ] - FIPS 140-2 patch for OpenSSH 6.5p1

Steve Marquess marquess at opensslfoundation.com
Thu Feb 27 00:40:46 EST 2014


On 02/25/2014 03:54 PM, Schaaf, Jonathan P (GE Healthcare) wrote:
>> Then there is the additional consideration that FIPS 140-2 is only
>> desirable in a context (USG and DoD) where X.509 support is also
>> mandatory. OpenSSH has adopted a different (and more robust)
>> certificate scheme. FIPS 140-2 has always been focused on
>> compliance to a specific ritualized policy and process, and thus is
>> necessarily less secure in an absolute sense, while OpenSSH is
>> focused on real-world security. IMHO that discrepancy will probably
>> continue to grow.
> 
>> So while it remains technically possible to jam the round OpenSSH
>> peg into the square FIPS 140-2 hole, I'm no longer sure it makes
>> sense to attempt it in the baseline OpenSSH.
> 
> What the government asks for in any given situation can be highly
> variable, and in many cases what they explicitly ask for is a round
> peg squashed into the square hole.

How true, and the formal requirements are widely ignored or
circumvented. For instance, I've been told by many vendors that most of
their customers never enable the FIPS mode of operation at runtime.

> I for one am very interested in
> seeing patches of this nature continue to be maintained.

Good point; I should make it clear that I'm not opposed to the continued
existence and maintenance of those patches per se. There are many
OpenSSH users who have no choice about the constraints imposed by those
USG/DoD policies. So the patches serve an important role.

However, I'm no longer sure it makes sense to compromise and distort the
baseline OpenSSH (or OpenSSL for that matter) to accommodate arbitrary
policies that are indifferent or hostile to best security practices. In
the case of OpenSSL I have to reluctantly admit that support of the FIPS
140-2 validated module has to some extent impacted the quality of the
overall OpenSSL product.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc


More information about the openssh-unix-dev mailing list