similar to: [Bug 1647] New: Implement FIPS 186-3 for DSA keys

https://bugzilla.mindrot.org/show_bug.cgi?id=1647 mackyle at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mackyle at gmail.com --- Comment #2 from mackyle at gmail.com --- RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data

https://bugzilla.mindrot.org/show_bug.cgi?id=1647 mackyle at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mackyle at gmail.com --- Comment #2 from mackyle at gmail.com --- RFC 6668 [1] (2012-07) updated RFC 4253 adding the SHA-256 data

Hello, I saw from OpenSSH man pages that the DSA key length must be 1024 bytes (according to the standard FIPS 186-2). According to the FIPS186-3 and NIST SP800-57, DSA key length could be greater than 1024 bytes (2048, 3072). Will OpenSSH be compliant with this new standard? If yes, could you share with me the delivery plan of OpenSSh version implementing FIPS186-3/NIST SP800-57

<bugzilla-daemon at mindrot.org> writes: > https://bugzilla.mindrot.org/show_bug.cgi?id=1647 > > mackyle at gmail.com changed: > > What |Removed |Added > ---------------------------------------------------------------------------- > CC| |mackyle at gmail.com > > --- Comment #2 from

https://bugzilla.mindrot.org/show_bug.cgi?id=1647 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX CC|

https://bugzilla.mindrot.org/show_bug.cgi?id=1647 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release

https://bugzilla.mindrot.org/show_bug.cgi?id=2115 Bug ID: 2115 Summary: Support for DSA p=2048 q=256/224 bit keys Product: Portable OpenSSH Version: 6.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=2115 Bug ID: 2115 Summary: Support for DSA p=2048 q=256/224 bit keys Product: Portable OpenSSH Version: 6.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at

Thanks Roumen. >Lets assume that application use OpenSSL FIPS validated module. FIPS mode is activated in openssl command if environment variable OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode. Did you mean the FIPS patched OpenSSH server and client (such as ssh-keygen) always

Hi, Why is there still a limit on the length of a DSA key generated by ssh-keygen? I mean that ssh-keygen only expects 1024 as key length, or fails. Here is the code excerpt that enforces the limitation: if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); Commenting these two lines allows the generation of, say, 2048 bit DSA keys that work just fine

Thanks Roumen. I have few more questions below: 1. What version of OpenSSH can the patch be applied to? What branch should I check out the patch? 2. >Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck". What build process should be changed? What is fipscheck? 3. My understanding any application (such as OpenSSH) which need

Hi All: I tried to rebuild openssl with the FIPS modules, and then install the new openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box. After that I noticed it seemed to break OpenSSH: I couldn't login to the box using ssh, and couldn't run the client command like ssh-keygen either. My questions are: 1. Does OpenSSH support FIPS mode? 2. Or does OpenSSH support with

I'm checking back in to see if samba is FIPS compliant, as in using FIPS compliant algorithms ? Can it be built with openssl, which is FIPS compliant ? We're currently running 4.7.5. Please let me know. Regards, Mike

Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following.

Hello All, Im using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks now that a fips certified OpenSSL is now available at http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I like to know of any patches applicable for OpenSSH versions to make it fips compliant. Is there any idea for OpenSSH core team to make OpenSSH as fips compliant? What amount of work it needs at this

On 12/04/2015 10:02 PM, security veteran wrote: > Hi Jakub, > > Another question I have is, are there any changes in this patch RedHat > Linux distribution specific? The reason I ask is, if I port the changes to > other Linux distribution like Debian or Ubuntu, do you see any issues? I don't think there is something distro-specific. Distro specific parts are handled in other

Hi, We would like to use openssh in fips mode. It looks it is not provided as a configurable option through sshd_config, Are there plans to do incorporate such change. Do we have to change openssh code for now until the option is provided. If sshd is operating in fipsmode, does it provide additional errors/audits to indicate failures such as pair wise consistency failed during on of the sshd

Hi, Is FIPS 140-2 patch for openssh 6.3.p1 available somewhere or do I have to make one using http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch ? Regards, Manish

On Fri, Mar 10, 2023 at 10:27?AM Joel GUITTET <jguittet.opensource at witekio.com> wrote: > We currently work on a project that require SSH server with FIPS and > using OpenSSL v3. Gently: this is meaningless. You probably mean one of the following: 1. The SSH server implementation is required to use only cryptographic algorithms that are FIPS-approved. 2. The SSH server

On Tue, 18 Apr 2023, Norbert Pocs wrote: > Hi OpenSSH mailing list, > > I would like to announce the newly introduced patch in Fedora rawhide [0] > for > > FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 > > version. > > The patch targets OpenSSL support of OpenSSH, specifically the usage of > > old low level API. The new