[openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

Steve Marquess marquess at openssl.com
Fri Sep 18 11:49:31 UTC 2015


On 09/16/2015 09:57 PM, Salz, Rich wrote:
>> Is there any reliable patch for OpenSSH to support FIPS mode?
> 
> Try the openssh mailing lists?
> 
> From what I've seen the OpenBSD folks actively dislike FIPS, so good luck.

You can find one out-of-date patch here:

  http://openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch

Note that this is a non-trivial patch, as all the inlined cryptographic
operations must be replaced with references to the validated module.

Also note that you'll only want FIPS mode if you're deploying in a
USG/DoD environment, in which case you'll also need x.509 support.

Roumen Petrov has for years maintained a very nice (and also
non-trivial) set of patches (http://roumenpetrov.info/openssh/) that add
x.509 functionality. So apply his patches first, then do the FIPS mode
adaptation.

It's my understanding that stock OpenSSH will not support either FIPS or
x.509, ever, a deliberate choice that frankly makes perfect sense given
their project objectives. They have chosen to implement a simpler,
leaner, and tighter certificate scheme specific to OpenSSH, to avoid the
huge attack surface of x.509. Likewise FIPS validated software is
necessarily less secure than the unvalidated equivalent. You use it only
because you must per policy mandates, not because it has any technical
advantages.

Ssh is the de facto 21st century telnet and is widely used in U.S. DoD
either in violation of the policy requirements for FIPS 140-2 and x.509,
or with various homegrown vendor hacks that probably introduce still
more vulnerabilities. I've long felt there would be a market for a "U.S.
government compliant" version of OpenSSH, but if that's ever done it
won't be by the OpenSSH maintainers.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc