On Fri, 2018-03-16 at 23:13 +0530, Sudarshan Soma wrote:
> Hi,
> We would like to use openssh in fips mode. It looks it is not provided as a
> configurable option through sshd_config. Are there plans to incorporate
> such a change?
>
> Do we have to change openssh code for now until the option is provided?
> If sshd is operating in fipsmode, does it provide additional errors/audits
> to indicate failures such as pair wise consistency failed during one of the
> sshd internal key generations, etc.?
>
> Please suggest any recommendations and suggestions or references on how
> to use openssh (sshd) in fips mode.

Using FIPS mode is more complicated than changing a configuration option or
using the OpenSSL library in some way. There are several patches adding this
functionality, but none of them is incorporated upstream.

Additionally, if you would like to claim you are running OpenSSH in FIPS
mode, you need to undergo an audit of the code (and OpenSSL as a crypto
provider) and obtain a certificate from NIST, which is quite expensive, so I
would rather recommend you to use a version that is already certified from
other vendors that went this way.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
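The reply above makes the point that FIPS mode is not an sshd_config knob and that a validated build needs certified code plus certification. What an administrator can still do on a stock upstream sshd is restrict it to FIPS-approved algorithms and verify the effective configuration with `sshd -T`. The following is an added example, not code from the thread, from OpenSSH or from Red Hat: a POSIX sh checker that reads `sshd -T` output and flags every cipher, MAC, KEX or host-key algorithm not on an allow-list. The allow-lists and the sample `sshd -T` lines are assumptions constructed for the example; passing this check does not make a build FIPS-validated, it only shows that no non-approved algorithm is negotiable.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the OpenSSH project).
# Checks `sshd -T` output against an allow-list of FIPS-approved algorithms.
# The allow-lists below are an ASSUMPTION (a commonly used approved subset);
# adjust them to whatever your validated crypto module actually permits.

APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"
APPROVED_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
APPROVED_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha256"
APPROVED_HOSTKEY="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com"

# is_approved ALG "LIST": exact-match membership test, no pattern matching.
is_approved() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# check_sshd_config: reads `sshd -T` lines on stdin (lowercase keyword,
# space, comma-separated value). Prints "<keyword> <algorithm>" for every
# algorithm not on the matching allow-list. Returns 1 if any was printed,
# 0 otherwise. Keywords that are not algorithm lists are ignored.
check_sshd_config() {
    bad=0
    while IFS= read -r line; do
        key=${line%% *}
        val=${line#* }
        case "$key" in
            ciphers)           list=$APPROVED_CIPHERS ;;
            macs)              list=$APPROVED_MACS ;;
            kexalgorithms)     list=$APPROVED_KEX ;;
            hostkeyalgorithms) list=$APPROVED_HOSTKEY ;;
            *) continue ;;
        esac
        # sshd -T separates algorithms with commas; turn them into words.
        val=$(printf '%s' "$val" | tr ',' ' ')
        for alg in $val; do
            if ! is_approved "$alg" "$list"; then
                echo "$key $alg"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed sample of `sshd -T` output (NOT captured from a real host):
# a default-ish server that still offers chacha20 and curve25519.
SAMPLE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,umac-64@openssh.com
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256
hostkeyalgorithms rsa-sha2-512,ssh-ed25519'

if printf '%s\n' "$SAMPLE" | check_sshd_config; then
    echo "OK: every offered algorithm is on the allow-list"
else
    echo "FAIL: the algorithms listed above must be removed from sshd_config"
fi
```

On a real host run `sudo sshd -T | ./check.sh`-style, i.e. pipe `sshd -T` into `check_sshd_config`; `sshd -T` prints the effective configuration after all Match blocks and defaults are applied, which is what a peer can actually negotiate, so it is the right thing to audit rather than the text of sshd_config.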