On 12/04/2015 10:02 PM, security veteran wrote:> Hi Jakub, > > Another question I have is, are there any changes in this patch RedHat > Linux distribution specific? The reason I ask is, if I port the changes to > other Linux distribution like Debian or Ubuntu, do you see any issues?I don't think there is something distro-specific. Distro specific parts are handled in other patches.> Thanks. > > On Fri, Dec 4, 2015 at 12:58 PM, security veteran < > security.veteran at gmail.com> wrote: > >> Thanks Jakub. >> >> How does this patch match the OpenSSH source version? Does the patch only >> applicable to OpenSSH version 6.6.1, or does other version available as >> well? >> >> Thanks.We were doing certification for openssh-6.6.1 last time, since it is the thing we ship in our recent system. But we are maintaining similar patch for current openssh version (though the name is outdated, it is for 7.1p1) for Fedora [1], even though it is not "verified" by certification, it should fulfill similar requirements. [1] http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch -- Jakub Jelen Security Technologies Red Hat
security veteran
2015-Dec-07 20:21 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Jakub. If I want to build the FIPS supported OpenSSH, do I just need to apply this one single patch http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch to the vanilla OpenSSH source code? I saw there are few other patches for OpenSSH version 6.7p1 under the same folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/. Do I need these other patches? Thanks. On Mon, Dec 7, 2015 at 7:53 AM, Jakub Jelen <jjelen at redhat.com> wrote:> On 12/04/2015 10:02 PM, security veteran wrote: > >> Hi Jakub, >> >> Another question I have is, are there any changes in this patch RedHat >> Linux distribution specific? The reason I ask is, if I port the changes to >> other Linux distribution like Debian or Ubuntu, do you see any issues? >> > I don't think there is something distro-specific. Distro specific parts > are handled in other patches. > > Thanks. >> >> On Fri, Dec 4, 2015 at 12:58 PM, security veteran < >> security.veteran at gmail.com> wrote: >> >> Thanks Jakub. >>> >>> How does this patch match the OpenSSH source version? Does the patch only >>> applicable to OpenSSH version 6.6.1, or does other version available as >>> well? >>> >>> Thanks. >>> >> > We were doing certification for openssh-6.6.1 last time, since it is the > thing we ship in our recent system. But we are maintaining similar patch > for current openssh version (though the name is outdated, it is for 7.1p1) > for Fedora [1], even though it is not "verified" by certification, it > should fulfill similar requirements. > > [1] > http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch > > > -- > Jakub Jelen > Security Technologies > Red Hat > >
On 12/07/2015 09:21 PM, security veteran wrote:> Thanks Jakub. > > If I want to build the FIPS supported OpenSSH, do I just need to apply this > one single patch > http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch > > to the vanilla OpenSSH source code? > > I saw there are few other patches for OpenSSH version 6.7p1 under the same > folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/. > Do I need these other patches?It should be enough to add that one, directly related to FIPS. There were other unused patches, which I cleaned up now. -- Jakub Jelen Associate Software Engineer Security Technologies Red Hat