using sshd in fips mode

Jakub Jelen jjelen at redhat.com
Tue Mar 20 00:17:14 AEDT 2018


On Fri, 2018-03-16 at 23:13 +0530, Sudarshan Soma wrote:
> Hi,
> We would like to use OpenSSH in FIPS mode. It looks like it is not
> provided as a configurable option through sshd_config. Are there plans
> to incorporate such a change?
> 
> Do we have to change the OpenSSH code for now, until the option is
> provided?
> If sshd is operating in FIPS mode, does it provide additional
> errors/audits to indicate failures such as a pairwise consistency test
> failing during one of sshd's internal key generations, etc.?
> 
> Please suggest any recommendations, suggestions or references on how
> to use OpenSSH (sshd) in FIPS mode.

Using FIPS mode is more complicated than changing a configuration
option or using the OpenSSL library in some way. There are several
patches adding this functionality, but none of them is incorporated
upstream.

Additionally, if you would like to claim you are running OpenSSH in
FIPS mode, you need to undergo an audit of the code (and of OpenSSL as
the crypto provider) and obtain a certificate from NIST, which is quite
expensive, so I would rather recommend that you use a version that is
already certified from other vendors that went this way.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

