OpenSSH FIPS support
Chris Rapier
rapier at psc.edu
Sat Mar 11 02:44:49 AEDT 2023
I know that the fedora package for OpenSSH enables FIPS support. If you
get the source code for the rpm you'll see openssh-7.7p1-fips.patch in
the rpmbuild/SOURCE directory.
Also, you may want to look at hpnssh (That's my fork of OpenSSH so I am
biased but I think it's pretty good). https://psc.edu/hpn-ssh-home/ and
https://github.com/rapier1/openssh-portable. The latest version uses
OSSL3 and there is a fedora package which is based on the fedora OpenSSH
package. So it includes all of their patches as well.
You can find that at
https://copr.fedorainfracloud.org/coprs/rapier1/hpnssh/ or you can add
it to your package repo with 'sudo dnf copr enable rapier1/hpnssh' and
then download the source or binary via DNF. You can review the FIPS
compliance there and see what you think.
If you are on debian I don't have a debian package that includes FIPS
support but it may be possible to use the fedora package and compile it
under debian. I've never tried though.
Chris
On 3/10/23 10:22 AM, Joel GUITTET wrote:
> Hi,
> We currently work on a project that requires an SSH server with FIPS and using OpenSSL v3.
> Patching OpenSSH for this looks to be a massive job. Is it something that is considered on your side?
> Is it currently a work in progress by somebody else as far as you know? Or something that has been partially done and aborted in the past, that could be relevant?
> We just started considering making this and sending the patch, but we are speaking of thousands of lines probably, what will be the perception of this on your side?
> Thanks,
> Joel
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
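The steps Chris describes (enable the COPR repo, pull the hpnssh package, then review its FIPS behaviour) as an added shell example; this is not code from the mailing-list thread or from the hpnssh project. It assumes a Fedora host with dnf and its copr/download plugins, OpenSSL 3 with the `fips` provider, and a package name of `hpnssh` in that COPR; the sshd binary path is an assumption as well. Beyond fetching the package, it adds the two host-side checks a reviewer of "FIPS compliance" usually wants first: whether the kernel is in FIPS mode and whether the OpenSSL FIPS provider is actually loaded and active.

```shell
#!/bin/sh
# Added example, not from the thread or from hpnssh. Assumptions: Fedora with
# dnf-plugins-core, OpenSSL 3 with the fips provider, package name "hpnssh".

# Return 0 if the kernel reports FIPS mode on. The file argument defaults to
# the real sysctl path; a different path may be passed for testing.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# Return 0 if the output of `openssl list -providers` (read from stdin) shows
# a "fips" provider block whose status line says "active". The output lists
# each provider name on its own line, followed by indented name/version/status.
fips_provider_active() {
    awk 'tolower($1) == "fips" { infips = 1; next }
         infips && /status:/ { if ($2 == "active") ok = 1; infips = 0 }
         END { if (ok) exit 0; exit 1 }'
}

# Print the libcrypto the given sshd binary links against, so you can confirm
# it uses the system OpenSSL 3 (where the FIPS provider lives) and not a
# bundled copy. Path is an assumption; hpnssh installs its own daemon name.
sshd_ssl_library() {
    ldd "$1" 2>/dev/null | awk '/libcrypto/ { print $1; exit }'
}

main() {
    # From the post: add the COPR repo, then fetch the source rpm. The FIPS
    # related patches can be reviewed in the unpacked source tree.
    sudo dnf copr enable -y rapier1/hpnssh
    dnf download --source hpnssh

    if fips_kernel_enabled; then
        echo "kernel FIPS mode: on"
    else
        echo "kernel FIPS mode: OFF (crypto.fips_enabled != 1)"
    fi

    if openssl list -providers | fips_provider_active; then
        echo "OpenSSL fips provider: active"
    else
        echo "OpenSSL fips provider: NOT active"
    fi

    echo "sshd libcrypto: $(sshd_ssl_library /usr/sbin/sshd)"
}

# Only run the privileged steps when explicitly asked; sourcing the file just
# defines the check functions.
case "${1:-}" in
    --run) main ;;
esac
```

Run with `sh fips-check.sh --run` on the Fedora host; the kernel and provider checks are the ones worth scripting into a build or deployment gate, since an OpenSSH built against OpenSSL 3 only inherits FIPS behaviour when the provider is loaded and the host is in FIPS mode.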