using sshd in fips mode

Sudarshan Soma sudarshan12s at gmail.com
Tue Mar 20 22:23:28 AEDT 2018


Thanks all so much for your valuable guidance. Understood the complexity.


Regards,

On Mon, Mar 19, 2018 at 9:51 PM, Ingo Schwarze <schwarze at usta.de> wrote:

> Hi,
>
> Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:
>
> > Using FIPS mode is more complicated than changing a configuration
> > option or using the OpenSSL library in some way. There are several
> > patches adding this functionality, but none of them is incorporated
> > upstream.
>
> In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
> convinced that providing FIPS support would actually *lower* the
> overall security standards of the projects - even for users that
> keep it disabled, because ifdefs, options and the like always make
> code less readable and cause an additional risk of introducing bugs.
>
> For that reason, it is very unlikely that *any* FIPS-related patches
> might ever get merged.  They will most likely be summarily rejected,
> except when they have beneficial effects unrelated to FIPS.
>
> The lowered security standard that is caused by FIPS ought to remain
> restricted to those people who want it, and those people should
> also pay with their own money for having their security standard
> lowered in that way.  In a nutshell, if you want FIPS, use money
> and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
> On the other hand, if you want the best possible security standards,
> stay away from FIPS.
>
> Yours,
>   Ingo
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

