OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

security veteran security.veteran at gmail.com
Tue Dec 8 02:44:44 AEDT 2015


Thanks Roumen.

I have a few more questions below:

1. Which version of OpenSSH can the patch be applied to? Which branch should
I check out to apply the patch?

2.
>Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".
What build process should be changed? What is fipscheck?

3. My understanding is that any application (such as OpenSSH) which needs to use the
OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
first; otherwise the OpenSSL library will be operating as the non-FIPS
version.
My question is, how and when does OpenSSH server invoke the FIPS function?

Thanks.




On Sun, Dec 6, 2015 at 1:30 AM, Roumen Petrov <openssh at roumenpetrov.info>
wrote:

> security veteran wrote:
>
>> Hi All:
>>
>> I tried to rebuild openssl with the FIPS modules, and then install the new
>> openssl libs (libcrypto.so to be specific) on my Ubuntu 12.04 box.
>>
>> After that I noticed it seemed to break OpenSSH: I couldn't login to the
>> box using ssh, and couldn't run the client command like ssh-keygen either.
>>
>> My questions are:
>>
>> 1. Does OpenSSH support FIPS mode?
>>
>> 2. Or does OpenSSH support with OpenSSL FIPS modules?
>>
>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
>> make it FIPS compliant?
>>
>> 4. Is the Red Hat OpenSSH FIPS module (
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
>> also open sourced to the OpenSSH community?
>>
> Red Hat uses a different FIPS validation process for OpenSSL. You could
> extract the FIPS patch from the source package.
> Impact is not only for source code. Build process has to be updated as
> well. Red Hat is based on "fipscheck".
>
> You could try my version of secure shell. It includes OpenSSH but adds
> support for public key algorithms based on X.509 certificates and
> works with FIPS-enabled OpenSSL.
> It should work with an OpenSSL build with the FIPS module, or with the Red Hat or Solaris
> FIPS-enabled OpenSSL library, either in FIPS mode or not.
>
> Regards,
> Roumen Petrov
>
> --
> Get SSH with X.509 certificate support
> http://roumenpetrov.info/openssh/
>
>
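The "fipscheck" that Roumen mentions is Red Hat's mechanism for the FIPS 140-2 software integrity test: at package build time an HMAC-SHA-256 of each installed binary or library is written to a sidecar ".&lt;name&gt;.hmac" file, and a FIPS-enabled daemon such as sshd recomputes and compares that HMAC when it starts, refusing to run in FIPS mode if the check fails. The Python below is an added example that is not code from OpenSSH, Red Hat or fipscheck; it sketches both halves of that scheme (the build step and the startup check) so the "build process has to be updated" remark is concrete. The HMAC key, the ".hmac" naming, the abort/warn policy and the stand-in "sshd" file are assumptions for illustration.

```python
"""
fipscheck-style software integrity test (added example, not fipscheck's or
OpenSSH's own code).  A FIPS 140-2 software module must verify its own
integrity before it runs; the scheme sketched here checks an HMAC of the
installed binary against a sidecar ".<name>.hmac" file that the package
build generated.  The key below is a placeholder, not any real build's key.
"""
import hmac
import os
import tempfile

HMAC_KEY = b"placeholder-integrity-key"          # assumption: real builds use their own key
DIGEST = "sha256"
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"   # Linux kernel's FIPS-mode switch


def hmac_path(binary):
    """Sidecar file next to the binary, e.g. /usr/sbin/sshd -> /usr/sbin/.sshd.hmac."""
    directory, name = os.path.split(binary)
    return os.path.join(directory, "." + name + ".hmac")


def file_hmac(path):
    """HMAC-SHA-256 over the whole file, streamed so large binaries are fine."""
    mac = hmac.new(HMAC_KEY, digestmod=DIGEST)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()


def generate_hmac_file(binary):
    """Build/packaging step: emit the .hmac file that ships with the binary."""
    digest = file_hmac(binary)
    with open(hmac_path(binary), "w") as fh:
        fh.write(digest + "\n")
    return digest


def verify_binary(binary):
    """Startup step: recompute the HMAC and compare it in constant time."""
    try:
        with open(hmac_path(binary)) as fh:
            expected = fh.read().strip()
    except OSError:
        return False          # missing or unreadable .hmac => integrity test fails
    return hmac.compare_digest(file_hmac(binary), expected)


def kernel_fips_enabled(flag_path=KERNEL_FIPS_FLAG):
    """True when the kernel reports FIPS mode; False on non-Linux or when unset."""
    try:
        with open(flag_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def startup_check(binary, fips_required):
    """What a daemon would do before touching OpenSSL: abort in FIPS mode if
    the integrity test fails, otherwise continue (with a warning when not in
    FIPS mode).  The policy is an assumption for illustration."""
    if verify_binary(binary):
        return "ok"
    if fips_required:
        return "abort"        # FIPS mode demands a passing self-test
    return "warn"             # non-FIPS: log it and carry on


def demo():
    """Constructed run: a stand-in 'sshd' file is signed, then tampered with."""
    with tempfile.TemporaryDirectory() as workdir:
        binary = os.path.join(workdir, "sshd")
        with open(binary, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in for an sshd binary\n")
        generate_hmac_file(binary)
        pristine = startup_check(binary, fips_required=True)
        with open(binary, "ab") as fh:
            fh.write(b"\x90")                    # single-byte modification
        tampered_fips = startup_check(binary, fips_required=True)
        tampered_nonfips = startup_check(binary, fips_required=False)
        return pristine, tampered_fips, tampered_nonfips


if __name__ == "__main__":
    # Expected: ('ok', 'abort', 'warn')
    print(demo())
```

In a real package the `generate_hmac_file` step runs in the build (after the binary is linked and before it is installed), which is why a plain `./configure && make` of upstream OpenSSH does not produce a FIPS-capable build even when it is linked against a FIPS-enabled libcrypto: the sidecar file and the startup check both have to be added.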


More information about the openssh-unix-dev mailing list