OpenSSH FIPS support

Chris Rapier rapier at psc.edu
Sat Mar 11 02:44:49 AEDT 2023


I know that the fedora package for OpenSSH enables FIPS support. If you 
get the source code for the rpm you'll see openssh-7.7p1-fips.patch in 
the rpmbuild/SOURCE directory.

Also, you may want to look at hpnssh (That's my fork of OpenSSH so I am 
biased but I think it's pretty good). https://psc.edu/hpn-ssh-home/ and 
https://github.com/rapier1/openssh-portable. The latest version uses 
OSSL3 and there is a fedora package which is based on the fedora OpenSSH 
package. So it includes all of their patches as well.

You can find that at 
https://copr.fedorainfracloud.org/coprs/rapier1/hpnssh/ or you can add 
it to your package repo with 'sudo dnf copr enable rapier1/hpnssh' and 
then download the source or binary via DNF. You can review the FIPS 
compliance there and see what you think.

If you are on debian I don't have a debian package that includes FIPS 
support but it may be possible to use the fedora package and compile it 
under debian. I've never tried though.

Chris

On 3/10/23 10:22 AM, Joel GUITTET wrote:
> Hi,
> We currently work on a project that requires an SSH server with FIPS and using OpenSSL v3.
> Patching OpenSSH for this looks to be a massive job. Is it something that is considered on your side?
> Is it currently a work in progress by somebody else as far as you know? Or something that has been partially done and aborted in the past, that could be relevant?
> We just started considering making this and sending the patch, but we are speaking of thousands of lines probably, what will be the perception of this on your side?
> Thanks,
> Joel
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
