security veteran
2015-Dec-04 20:58 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Jakub.

How does this patch match the OpenSSH source version? Is the patch only applicable to OpenSSH version 6.6.1, or are other versions available as well?

Thanks.

On Fri, Dec 4, 2015 at 4:26 AM, Jakub Jelen <jjelen at redhat.com> wrote:
> On 12/04/2015 03:26 AM, security veteran wrote:
>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to make it FIPS compliant?
>>
>> 4. Are the RedHat OpenSSH FIPS modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf) also open sourced to the OpenSSH community?
>
> Yes, what we ship in RHEL is open-source. You can pick up the sources that are actually used in the RHEL version in the CentOS repository:
> https://git.centos.org/summary/?r=rpms/openssh
>
> So as said before, upstream openssh is not FIPS-140 ready and we carry the patches downstream. I am not sure if there was an initiative to provide patches upstream or if there would be some interest in them here, since it is quite a special use case.
>
> --
> Jakub Jelen
> Security Technologies
> Red Hat
security veteran
2015-Dec-04 21:02 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Hi Jakub,

Another question I have is, are any changes in this patch RedHat Linux distribution specific? The reason I ask is, if I port the changes to other Linux distributions like Debian or Ubuntu, do you see any issues?

Thanks.

On Fri, Dec 4, 2015 at 12:58 PM, security veteran <security.veteran at gmail.com> wrote:
> Thanks Jakub.
>
> How does this patch match the OpenSSH source version? Is the patch only applicable to OpenSSH version 6.6.1, or are other versions available as well?
>
> Thanks.
>
> On Fri, Dec 4, 2015 at 4:26 AM, Jakub Jelen <jjelen at redhat.com> wrote:
>> On 12/04/2015 03:26 AM, security veteran wrote:
>>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to make it FIPS compliant?
>>>
>>> 4. Are the RedHat OpenSSH FIPS modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf) also open sourced to the OpenSSH community?
>>
>> Yes, what we ship in RHEL is open-source. You can pick up the sources that are actually used in the RHEL version in the CentOS repository:
>> https://git.centos.org/summary/?r=rpms/openssh
>>
>> So as said before, upstream openssh is not FIPS-140 ready and we carry the patches downstream. I am not sure if there was an initiative to provide patches upstream or if there would be some interest in them here, since it is quite a special use case.
>>
>> --
>> Jakub Jelen
>> Security Technologies
>> Red Hat
On 12/04/2015 10:02 PM, security veteran wrote:
> Hi Jakub,
>
> Another question I have is, are any changes in this patch RedHat Linux distribution specific? The reason I ask is, if I port the changes to other Linux distributions like Debian or Ubuntu, do you see any issues?

I don't think there is anything distro-specific. Distro-specific parts are handled in other patches.

> Thanks.
>
> On Fri, Dec 4, 2015 at 12:58 PM, security veteran <security.veteran at gmail.com> wrote:
>> Thanks Jakub.
>>
>> How does this patch match the OpenSSH source version? Is the patch only applicable to OpenSSH version 6.6.1, or are other versions available as well?
>>
>> Thanks.

We were doing certification for openssh-6.6.1 last time, since it is the thing we ship in our recent system. But we are maintaining a similar patch for the current openssh version (though the name is outdated, it is for 7.1p1) for Fedora [1]; even though it is not "verified" by certification, it should fulfill similar requirements.

[1] http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch

--
Jakub Jelen
Security Technologies
Red Hat