Re: using sshd in fips mode

On Fri, 2018-03-16 at 23:13 +0530, Sudarshan Soma wrote:
> Hi,
> We would like to use openssh in fips mode. It looks like it is not
> provided as a configurable option through sshd_config. Are there plans
> to incorporate such a change?
> 
> Do we have to change openssh code for now until the option is provided?
> If sshd is operating in fips mode, does it provide additional
> errors/audits to indicate failures such as pair-wise consistency failed
> during one of the sshd internal key generation, etc.?
> 
> Please suggest any recommendations and suggestions or references on how
> to use openssh (sshd) in fips mode.

Using FIPS mode is more complicated than changing a configuration
option or using the OpenSSL library in some way. There are several
patches adding this functionality, but none of them is incorporated
upstream.

Additionally, if you would like to claim you are running OpenSSH in
FIPS mode, you need to undergo an audit of the code (and OpenSSL as a
crypto provider) and obtain a certificate from NIST, which is quite
expensive, so I would rather recommend that you use a version that is
already certified from other vendors that went this way.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


