OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

security veteran security.veteran at gmail.com
Thu Jan 28 21:25:52 AEDT 2016


Thanks Jakub.

With this patch, would both the SSH server side (e.g. sshd) and client side
(e.g. ssh, scp, ssh-keygen) applications be operating with OpenSSL FIPS
mode?

Thanks a lot for your answers.

On Thu, Jan 28, 2016 at 12:12 AM, Jakub Jelen <jjelen at redhat.com> wrote:

> On 01/28/2016 03:12 AM, security veteran wrote:
>
>> I have one question regarding the FIPS patch in
>>
>> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
>> :
>>
>> I assume somewhere from within the OpenSSH code it should invoke
>> FIPS_set_mode API, but all I saw was FIPS_mode().
>> Does FIPS_mode() serve the same purposes as FIPS_set_mode()?
>>
> FIPS_mode() is an OpenSSL function [1]. As the manual page says, it determines
> whether FIPS mode is enabled. The other function, FIPS_mode_set() [2], is used to
> modify the FIPS status (enables/disables it).
>
> OpenSSH itself should not change the FIPS mode. It should behave according
> to the system setup (FIPS mode should be set up system-wide).
>
>> Also the patch is for OpenSSH 7.0. Is there a patch for OpenSSH 6.6?
>>
> You should be able to go back in the git history to the 6.6 version or get
> hold of the CentOS patches [3], where we use the 6.6 version.
>
> [1] https://wiki.openssl.org/index.php/FIPS_mode%28%29
> [2] https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
> [3]
> https://git.centos.org/blob/rpms!openssh/6745269c7b486c1c096ca27e0c1aa97fe8b03c60/SOURCES!openssh-6.6p1-fips.patch;jsessionid=f8qjnilsd281oo2uwua8fm17
>
> Regards,
>
> --
> Jakub Jelen
> Associate Software Engineer
> Security Technologies
> Red Hat
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
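Jakub's point above is that the application reads the FIPS state and adapts, rather than calling FIPS_mode_set() itself. The following is an added illustration of that pattern, not code from the thread or from the Fedora/CentOS patch: it assumes the Linux kernel flag file /proc/sys/crypto/fips_enabled as the system-wide setting (a stand-in for FIPS_mode() so it builds without the OpenSSL FIPS module), and the approved-cipher list is an illustrative assumption, not the patch's actual table.

```c
/* Added example: follow the system-wide FIPS setting and prune an SSH
 * cipher list accordingly.  Assumed platform detail: Linux exposes the
 * flag at /proc/sys/crypto/fips_enabled.  The approved list below is
 * illustrative only, not the list enforced by the distribution patch. */
#include <stdio.h>
#include <string.h>

/* Parse the flag file contents ("1\n" or "0\n"); -1 if not recognised. */
int fips_flag_from_text(const char *text) {
    if (text == NULL || (text[0] != '0' && text[0] != '1')) return -1;
    return text[0] - '0';
}

/* Read the kernel flag; a missing or unreadable file means "not FIPS". */
int system_fips_enabled(const char *path) {
    char buf[4] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int r = fips_flag_from_text(buf);
    return r < 0 ? 0 : r;
}

/* Cipher names kept in FIPS mode (assumed, illustrative list). */
static const char *fips_ok[] = { "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes256-cbc", "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com", "3des-cbc", NULL };

static int cipher_allowed(const char *name) {
    for (const char **p = fips_ok; *p; p++)
        if (strcmp(*p, name) == 0) return 1;
    return 0;
}

/* Copy the comma-separated list into out, dropping unapproved entries
 * when fips != 0.  Returns the number of ciphers kept. */
int filter_ciphers(const char *list, int fips, char *out, size_t outlen) {
    char tmp[512];
    int kept = 0;
    strncpy(tmp, list, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';
    out[0] = '\0';
    for (char *tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
        if (fips && !cipher_allowed(tok)) continue;
        if (strlen(out) + strlen(tok) + 2 > outlen) break;
        if (kept) strcat(out, ",");
        strcat(out, tok);
        kept++;
    }
    return kept;
}
```

The same shape applies on the server and client side alike: every binary consults the one system-wide setting and never toggles it.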
