Re: OpenSSH FIPS support

On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET
<jguittet.opensource@xxxxxxxxxxx> wrote:

> We currently work on a project that requires an SSH server with FIPS and
> using OpenSSL v3.

Gently: this is meaningless.  You probably mean one of the following:

1. The SSH server implementation is required to use only cryptographic
   algorithms that are FIPS-approved.

2. The SSH server implementation is required to be FIPS-validated.

If you mean #1, you don’t have to patch anything: it is trivial to
configure the various sshd options to permit only FIPS-approved
cryptographic algorithms.

If you mean #2, then patches aren’t going to help you: being
FIPS-validated means that you have submitted your cryptographic module
to the NIST CMVP (Cryptographic Module Validation Program), paid the
requisite fee, passed, and received a certificate number that others
can verify:

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search

If your SSH server must be FIPS-validated, then use the CMVP search
page (above) to find an OS vendor that submits their OS cryptographic
components to the CMVP, run sshd on that OS, and make sure the OS is
configured to enforce FIPS validation.  (E.g., on a Linux host, pass
the “fips=1” parameter to the kernel via grub, and run
“update-crypto-policies --set FIPS” within the OS to configure the
various cryptography libraries to permit only FIPS-approved
algorithms.)

> Patching OpenSSH for this looks to be a massive job. Is it something
> that is considered on your side?

No patching of OpenSSH is required.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
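A way to verify the first point above (sshd permitting only FIPS-approved algorithms) on a running host, as an added example that is not part of this thread: it parses the effective configuration printed by `sshd -T` and reports anything outside an allow list. The allow lists below are an assumption for illustration; the authoritative set comes from the security policy of the validated module you actually deploy on, and the sample `sshd -T` output is constructed.

```python
"""Report sshd algorithm settings that fall outside a FIPS allow list."""
import sys

# ASSUMED allow lists for illustration only: replace them with the algorithm
# set listed in the security policy of the validated module you run on.
FIPS_ALLOWED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-sha2-512-etm@openssh.com"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256",
                      "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512"},
}

# Constructed sample of `sshd -T` output (keywords are printed lowercase,
# values comma-separated); the real command prints many more keywords.
SAMPLE = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
"""


def parse_sshd_t(text):
    """Turn `sshd -T` output into {keyword: [values]}; keywords lowercased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = [v for v in value.strip().split(",") if v]
    return cfg


def fips_violations(cfg, allowed=FIPS_ALLOWED):
    """Return {keyword: [disallowed algorithms]} for every keyword checked."""
    report = {}
    for key, ok in allowed.items():
        bad = [alg for alg in cfg.get(key, []) if alg not in ok]
        if bad:
            report[key] = bad
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, bad in fips_violations(parse_sshd_t(text)).items():
        print(f"{key}: not in allow list: {', '.join(bad)}")
```

On a real host run `sshd -T | python3 check_fips_algos.py` (as root, since `sshd -T` reads host keys); no output means every checked keyword is inside the allow list.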