Hello All,

I'm using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks like a FIPS-certified OpenSSL is now available at http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I would like to know of any patches applicable to OpenSSH versions to make it FIPS compliant. Is there any idea for the OpenSSH core team to make OpenSSH FIPS compliant? What amount of work does it need at this point? Some of my colleagues and I wish to contribute to it.

Thanks,
Senthil Kumar.

On 4/15/06, Senthil Kumar <senthilkumar_sen at hotpop.com> wrote:
> Hello All,
>
> I'm using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks
> like a FIPS-certified OpenSSL is now available at
> http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I would like to know of
> any patches applicable to OpenSSH versions to make it FIPS compliant. Is
> there any idea for the OpenSSH core team to make OpenSSH FIPS compliant? What
> amount of work does it need at this point? Some of my colleagues and I wish to
> contribute to it.
>

Ok.. I am not a member of the SSH team.. I am just dealing with FIPS items currently where I work.

Which FIPS are you meaning to be compliant with? There are multiple of them that could potentially cover OpenSSH.

Second, who is the sponsoring Federal agency for FIPS compliance? From what I can tell.. it would be a bigger point for OpenSSH to have a solid financial floor versus any sort of 'compliance' work.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

Senthil,

I just came across your thread about OpenSSH and FIPS 140 OpenSSL. I have played around with compiling my OpenSSL applications to become FIPS 140 compliant, and after finding out about fipsld (used to link your app to the library), I got this working.

I'm also now looking for a version of OpenSSH, as well as Apache Web Server, that has been compiled with the OpenSSL FIPS 140 Cryptographic Module. I will post another email if I find these versions.

Thomass