using sshd in fips mode

Ingo Schwarze schwarze at usta.de
Tue Mar 20 03:21:32 AEDT 2018


Hi,

Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:

> Using FIPS mode is more complicated than changing a configuration
> option or using the OpenSSL library in some way. There are several
> patches adding this functionality, but none of them is incorporated
> upstream.

In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
convinced that providing FIPS support would actually *lower* the
overall security standards of the projects - even for users that
keep it disabled, because ifdefs, options and the like always make
code less readable and cause an additional risk of introducing bugs.

For that reason, it is very unlikely that *any* FIPS-related patches
might ever get merged.  They will most likely be summarily rejected,
except when they have beneficial effects unrelated to FIPS.

The lowered security standard that is caused by FIPS ought to remain
restricted to those people who want it, and those people should
also pay with their own money for having their security standard
lowered in that way.  In a nutshell, if you want FIPS, use money
and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
On the other hand, if you want the best possible security standards,
stay away from FIPS.

Yours,
  Ingo
