OpenSSH FIPS support

Dmitry Belyavskiy dbelyavs at redhat.com
Sun Mar 12 21:27:58 AEDT 2023


On Sun, Mar 12, 2023 at 2:48 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 10 Mar 2023, Joel GUITTET wrote:
>
> > Hi,
> > We currently work on a project that requires SSH server with FIPS and using OpenSSL v3.
> > Patching OpenSSH for this looks to be a massive job. Is it something that is considered on your side?
>
> Patching OpenSSH for what exactly? OpenSSH builds just fine using OpenSSL 3.x
> and indeed it is tested constantly via our github test infrastructure (e.g.
> https://github.com/openssh/openssh-portable/actions/runs/4381500619/jobs/7669643412)

If OpenSSH doesn't rely on OpenSSL deprecated functions in crypto
operations, it will be FIPS-compatible when used with properly
configured OpenSSL. We in Red Hat are working on the minimal patch
to provide it.

Also it's necessary to use combined methods for Digest + Signature/Verification.

-- 
Dmitry Belyavskiy


