On 02/17/2014 01:09 AM, Manish Jagtap wrote: > Hi, > > > > Here is FIPS 140-2 patch for OpenSSH 6.5p1. Since our expertise in OpenSSH > code is limited, request moderators to validate this patch and update as > required. I didn't see any patch but the following comments apply regardless. For a long time I hoped to see native OpenSSL FIPS module support in OpenSSH. Over the years OSF has prepared a number of patches such as: http://opensslfoundation.com/export/openssh/openssh-6.0p1.fips-revised.patch for interested clients. However, with continuing evolution of OpenSSH and changing FIPS 140-2 requirements such support is becoming increasingly difficult. In order to make any reasonable claim that an application like OpenSSH is "FIPS 140-2 compliant" *all* cryptography used by that application must be implemented in the validated module(s). OpenSSH has always had some inlined cryptography, but the recent introduction of "non-NIST" cryptography exacerbates that issue. Then there is the additional consideration that FIPS 140-2 is only desirable in a context (USG and DoD) where x.509 support is also mandatory. OpenSSH has adopted a different (and more robust) certificate scheme. FIPS 140-2 has always been focused on compliance to a specific ritualized policy and process, and thus is necessarily less secure in an absolute sense, while OpenSSH is focused on real-world security. IMHO that discrepancy will probably continue to grow. So while it remains technically possible to jam the round OpenSSH peg into the square FIPS 140-2 hole, I'm no longer sure it makes sense to attempt it in the baseline OpenSSH. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess@xxxxxxxxxxxxxxxxxxxxx marquess@xxxxxxxxxxx gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
