Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following. *************************** debug2: set_newkeys: mode 1 cipher_init: EVP_CipherInit: set key failed for aes128-ctr debug1: do_cleanup ?? debug3: PAM: sshpam_thread_cleanup entering debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON) *************************** I don't know why. Are these three ciphers FIPS forbidden?) ?? As you know, FIPS 1.1.2 module has been officially released for some period and FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in the near future. So if openssh can provide built-in FIPS Capable functionality, it will be highly appreciated. Would you please take this suggestion into consideration for future openssh release? Thank you! _________________________________________________________________ ?????????????MSN????TA????? http://im.live.cn/emoticons/?ID=18
Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following. *************************** debug2: set_newkeys: mode 1 cipher_init: EVP_CipherInit: set key failed for aes128-ctr debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON) *************************** I don't know why. Are these three ciphers FIPS forbidden?) As you know, FIPS 1.1.2 module has been officially released for some period and FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in the near future. So if openssh can provide built-in FIPS Capable functionality, it will be highly appreciated. Would you please take this suggestion into consideration for future openssh release? Thank you! _________________________________________________________________ ?????????live mail???????? http://get.live.cn/product/mail.html
Hi, As far as I know, aes*-ctr is different from aes*-cbc and is NOT openssl FIPS supported. However, I guess it would be possible/easy to workaround/fix this, since there is no standard for what is SSH FIPS compliant. If you're interested, try running in FIPS enabled and disabled modes and see where it breaks. This is an educated guess :) See also http://rfc.net/rfc4344.html Oren P.S. EVP_CipherInit is probably defined in libcrypto.a:fipscanister.o -----Original Message----- From: openssh-unix-dev-bounces+oren=forescout.com at mindrot.org [mailto:openssh-unix-dev-bounces+oren=forescout.com at mindrot.org] On Behalf Of ??? Sent: ? 12 ???? 2008 10:28 To: openssh-unix-dev at mindrot.org Subject: FIPS mode OpenSSH suggestion Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following. *************************** debug2: set_newkeys: mode 1 cipher_init: EVP_CipherInit: set key failed for aes128-ctr debug1: do_cleanup ?? debug3: PAM: sshpam_thread_cleanup entering debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON) *************************** I don't know why. Are these three ciphers FIPS forbidden?) ?? As you know, FIPS 1.1.2 module has been officially released for some period and FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in the near future. So if openssh can provide built-in FIPS Capable functionality, it will be highly appreciated. Would you please take this suggestion into consideration for future openssh release? Thank you! _________________________________________________________________ ?????????????MSN????TA????? http://im.live.cn/emoticons/?ID=18 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev