On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET <jguittet.opensource@xxxxxxxxxxx> wrote: > We currently work on a project that require SSH server with FIPS and > using OpenSSL v3. Gently: this is meaningless. You probably mean one of the following: 1. The SSH server implementation is required to use only cryptographic algorithms that are FIPS-approved. 2. The SSH server implementation is required to be FIPS-validated. If you mean #1, you don’t have to patch anything: it is trivial to configure the various sshd options to permit only FIPS-approved cryptographic algorithms. If you mean #2, then patches aren’t going to help you: being FIPS-validated means that you have submitted your cryptographic module to the NIST CMVP (Cryptographic Module Validation Program), paid the requisite fee, passed, and received a certificate number that others can verify: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search If your SSH server must be FIPS-validated, then use the CMVP search page (above) to find an OS vendor that submits their OS cryptographic components to the CMVP, run sshd on that OS, and make sure the OS is configured to enforce FIPS validation. (E.g., on a Linux host, pass the “fips=1” parameter to the kernel via grub, and run “update-crypto-policies --set FIPS” within the OS to configure the various cryptography libraries to permit only FIPS-approved algorithms.) > Patching OpenSSH for this looks to be a massive job. Is it something > that is considered on your side? No patching of OpenSSH is required. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
