OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

Roumen Petrov openssh at roumenpetrov.info
Sun Dec 6 20:30:50 AEDT 2015


security veteran wrote:
> Hi All:
>
> I tried to rebuild openssl with the FIPS modules, and then install the new
> openssl libs (libcrypto.so to be specific) on my Ubuntu 12.04 box.
>
> After that I noticed it seemed to break OpenSSH: I couldn't login to the
> box using ssh, and couldn't run the client command like ssh-keygen either.
>
> My questions are:
>
> 1. Does OpenSSH support FIPS mode?
>
> 2. Or does OpenSSH support with OpenSSL FIPS modules?
>
> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
> make it FIPS compliant?
>
> 4. Are the RedHat OpenSSH FIPS modules (
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
> also open sourced to the OpenSSH community?
>
Red Hat uses a different FIPS validation process for OpenSSL. You could 
extract the FIPS patch from the source package.
The impact is not only on the source code. The build process has to be 
updated as well. Red Hat's approach is based on "fipscheck".

You could try my version of secure shell. It includes OpenSSH but 
adds support for public key algorithms based on X.509 certificates, 
and works with FIPS-enabled OpenSSL.
It should work with an OpenSSL built with the FIPS module, or with 
Red Hat's or Solaris's FIPS-enabled OpenSSL library, either in FIPS 
mode or not.

Regards,
Roumen Petrov

-- 
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/
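An added example, not code from this thread, from OpenSSH or from Red Hat's fipscheck package, showing the kind of build-time and run-time step that a "fipscheck"-style build adds: at build time an HMAC of the installed binary is written to a sidecar file, and at run time the program recomputes and compares it before trusting the FIPS-mode library. The HMAC key, the `.<name>.hmac` sidecar naming, the function names and the fake "sshd" file are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: a placeholder key for this example only, not the key used by
# any real fipscheck build.
HMAC_KEY = b"example-fips-integrity-key"


def hmac_path(binary_path):
    """Sidecar path beside the binary; the `.<name>.hmac` naming is an
    assumption modelled on fipscheck's convention."""
    directory, name = os.path.split(binary_path)
    return os.path.join(directory, "." + name + ".hmac")


def compute_hmac(binary_path):
    """HMAC-SHA256 over the whole file, streamed in 64 KiB chunks."""
    mac = hmac.new(HMAC_KEY, digestmod=hashlib.sha256)
    with open(binary_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def generate_hmac_file(binary_path):
    """Build/install-time step: write the digest sidecar next to the binary."""
    digest = compute_hmac(binary_path)
    with open(hmac_path(binary_path), "w") as f:
        f.write(digest + "\n")
    return digest


def verify_binary(binary_path):
    """Run-time step: recompute the HMAC and compare it in constant time.
    A missing sidecar is treated as a failure, not as 'no check needed'."""
    try:
        with open(hmac_path(binary_path)) as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(compute_hmac(binary_path), expected)


def demo():
    """Constructed scenario: a stand-in 'sshd' file is signed at build time,
    verified, then tampered with by appending one byte and verified again."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "sshd")
        with open(binary, "wb") as f:
            # Constructed content; not a real ELF binary.
            f.write(b"\x7fELF constructed stand-in for an sshd binary\n")
        generate_hmac_file(binary)
        ok_before = verify_binary(binary)
        with open(binary, "ab") as f:
            f.write(b"\x90")  # one appended byte, as a patched binary would show
        ok_after = verify_binary(binary)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the check is the one made in the reply: simply swapping in a FIPS-capable libcrypto.so is not enough, because the binaries that link against it must also carry an integrity digest produced by the build, and a binary without a matching sidecar (or with a modified image) must refuse to run in FIPS mode.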