Arshad Khan
2018-Nov-11 02:17 UTC
Getting "key_demote: error in libcrypto" error when using OpenSSH 7.6p1 with OpenSSL in FIPS mode
Hi Roumen Thanks for your reply. We used to have openssh compiled with older fips openssl and it worked fine. Now due to some system updates, we have to update openssl and recompile openssh with the newer version and it now fails when the system is in fips mode. Could you or someone on the forum help me understand this key demotion step. What is it and how does it work? May be I can try my luck and see if I can come up with a fix. Thanks and regards Arshad Arshad On Sat, Nov 10, 2018 at 1:32 AM ????? ?????? <pkixssh at roumenpetrov.info> wrote:> > Hello Arshad, > > Arshad Khan wrote: > > Hello All > > > > I posted this query on comp.security.ssh but haven't got any response > > to it so far. I'd appreciate if I can get any help to resolve this > > issue. > > I guess you choose wrong project . > It is long story about OpenBSD community and world. > > > I have a CentOS 6 system that is running OpenSSH version 7.6p1 built > > with OpenSSL 1.0.2o. The OpenSSL is built with FIPS module 2.0.16. > > OpenBSD refuses to accept modification that allows ssh programs to work > with cryptographic library run in FIPS mode. It is not just about > OpenBSD refusal of community patches. One of issues is that OpenBSD uses > outdated OpenSSL API - some functions are not allowed in FIPS mode. > > So RedHat and respective CentOS distribute heavy patched version build > against custom FIPS validated openssl. > > If you like to use FIPS enabled SSH then PKIX-SSH is exactly for you - > work with FIPS enabled versions of OpenSSL, RedHat , Solaris (see link > in signature below) . > > Let me know if you need some hints for build with FIPS enabled OpenSSL > library. > > > > > I > > have a python based pluggable authenticataion module configured using > > pam_python 1.0.6 and Python 2.7.10. > > > > When I use a ssh client to login to this system, the connection is > > immediately closed by the system. This happens whether I login using > > password or key. > > > > Checking the /var/log/secure I see following error: > > > > sshd[11255]: fatal: key_demote: error in libcrypto > > > > [SNIP] > > Hmm, from above message is not clear what is reason for failure. > If OpenSSL is in FIPS mode is expected OpenBSD version to crash, not to > raise error. > > > > Thanks > > Arshad > > _____ > > Regard, > Roumen Petrov > > -- > Advanced secure shell implementation with X.509 certificate support > http://roumenpetrov.info/secsh/ >