PGNet wrote:
On Sun, Jan 11, 2009 at 3:42 PM, Steve Marquess <marqu...@oss-institute.org> wrote:
Long story short, OpenSSH really needs some source mods to
gracefully invoke and run in FIPS mode.

Hrm ... I'd have thought that openssh would be among the 1st/best @
compliance.

Me too.  I embarked on this FIPS validation adventure some six years ago
because my DoD client at the time wanted a FIPS validated OpenSSH.  I
wrote a patch several years ago but didn't push it at the time because
the first OpenSSL FIPS Object Module validation was still pending, and
encountering some significant opposition that took all my attention.
Now the OpenSSH patch is not a priority for any of my clients and I
don't have the spare time to pursue it.  I'd love to see someone else
follow it through.

To my knowledge Stunnel is the first application to formally support the
FIPS Object Module.  I've been told ProFTP has baselined support as
well.  I've heard privately from many people who have done local mods of
various applications, but have been disappointed in how slowly this
support is appearing publicly.

Several people, myself included, have created patches to that end.

Are those specific patches sourced in the openssl trees, the openssh trees, or somewhere else? I'll google, but if you have URLs ...

I could point you to my original very dated patch but I know there are
some more recent updates.  Check the OpenSSH mail archives.

Of course, if you don't plan to actually run in FIPS mode and just
need buzzword compliance (often the case) then what you plan should
work.

We've gotten a heads-up that a gov't client will require in the next (soon, though it hasn't occurred just yet ...) contract that SSH/VPN/IPSec/etc. comms will be required. Of course, detailed spec, verification, etc. is not yet available.

$10 says it's for _their_ buzzword compliance ....

Very typical for DoD.  The mandates for *procurement* of validated
software are (increasingly) enforced, but there doesn't seem to be any
effective push to actually *use* a runtime FIPS mode.  That lack of
pressure plus the interoperability issues that FIPS mode can cause means
program managers have zero incentive to actually run anything in FIPS
mode.  It's a paper chase.

My goal is to get an all-ssh-in-fips-mode setup demo'd locally, then hand it off to our tech folks so that we can then respond & document when the demand occurs.

Please consider posting your patches to the OpenSSH lists...

-Steve M.

--
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
