Hi OpenSSH Developers,

Currently, I can make openssh-5.0p1 work in FIPS mode. The detailed steps I did are as follows.

1) Build FIPS OpenSSL according to the FIPS User Guide (http://www.openssl.org/docs/fips/) on an HP-UX PA 11.23 box. The FIPS object module is generated by compiling openssl-fips-1.1.2. FIPS OpenSSL is built from openssl-0.9.7m, which is passed the fips option at the Configure step.

2) Modify openssh-5.0p1 according to http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808 . Although the patch is for openssh 4.7, I made some necessary minor changes to fit 5.0.

3) On the HP-UX PA 11.23 box, compile openssh (using fipsld instead of cc), which links against the FIPS object module and the FIPS libcrypto.a generated in step 1.

4) Set the OpenSSH_FIPS environment variable to "1" and launch sshd with "sshd -ddd". From the debug information, I can see sshd enters FIPS mode successfully.

5) On the same machine, connect to sshd with ssh:

    ssh -c 3des-cbc localhost
    ssh -c aes128-cbc localhost
    ssh -c aes192-cbc localhost
    ssh -c aes256-cbc localhost

The above ciphers are FIPS allowed, and ssh can successfully connect to sshd, which is running in FIPS mode.

On the other hand, when using FIPS unallowed ciphers,

    ssh -c arcfour localhost
    ssh -c blowfish-cbc localhost
    ssh -c cast128-cbc localhost

sshd will disconnect the connection. Some debug messages like the ones below appear.

***************************
debug2: set_newkeys: mode 1
cipher_init: EVP_CipherInit: set key failed for aes128-ctr
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON)
***************************

The above experiments show that the modified sshd actually works in FIPS mode, conforming to the FIPS standard.

As we know, FIPS is very important for security software. It would be greatly appreciated if FIPS were officially supported by openssh in the near future. (To provide flexibility to end users, one extra configuration directive/environment variable may be set to switch between FIPS and normal mode.)

So, is there any plan for FIPS to be supported by OpenSSH?

Looking forward to your reply!

Best Regards,
Bo