Re: OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?


security veteran wrote:
Hi All:

I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (libcrypto.so to be specific) on my Ubuntu 12.04 box.

After that I noticed it seemed to break OpenSSH: I couldn't log in to the
box using ssh, and couldn't run client commands like ssh-keygen either.

My questions are:

1. Does OpenSSH support FIPS mode?

2. Or does OpenSSH support with OpenSSL FIPS modules?

3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS compliant?

4. Are the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?

Red Hat uses a different FIPS validation process for OpenSSL. You could extract the FIPS patch from the source package. The impact is not only on the source code. The build process has to be updated as well. Red Hat is based on "fipscheck".

You could try my version of secure shell. It includes OpenSSH but adds support for public key algorithms based on X.509 certificates and works with FIPS-enabled OpenSSL. It should work with OpenSSL built with the FIPS module, or with the Red Hat or Solaris FIPS-enabled OpenSSL library, either in FIPS mode or not.

Regards,
Roumen Petrov

--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


