OpenSSH FIPS support

Roumen Petrov openssh at
Mon Mar 13 00:50:54 AEDT 2023


James Ralston wrote:
> On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET
> <jguittet.opensource at> wrote:
> [SNIP]
>> Patching OpenSSH for this looks to be a massive job. Is it something
>> that is considered on your side?
> No patching of OpenSSH is required.

Reality is different .

1.) Some FIPS validated modules limit API use.
Program code must use only allowed API for cryptographic operations.

2.) Some PIPS validated modules do not include FIPS allowed algorithms.
Program code could inform cryptographic library that "custom" algorithm is allowed n FIPS mode.

3) User friendly program does not require manual configurations.
Program must detect that cryptographic module runs in FIPS mode and do not offer or to refuse use of non-FIPS allowed algorithms.
Optionally program may force cryptographic module to run in FIPS mode.

For protocol all above is part or PKIX-SSH.

Roumen Petrov

Advanced secure shell implementation with X.509 certificate support

More information about the openssh-unix-dev mailing list