Ron Maltz wrote:
> I assume OpenSSH doesn't know about FIPS because there are no configure
> options to include if I compile it, thus the precompiled binary is
> affected the same way (no FIPS configure options when it was created).

Correct, your OpenSSH will not operate in FIPS mode unless changes are made
so that it can be built to use FIPS mode. You may want to read the email
thread on "OpenSSH use of OpenSSL in FIPS Mode" here
http://marc.info/?l=openssh-unix-dev&r=1&b=200703&w=2

> So if a remote client wants to use SFTP or SCP in FIPS mode to this
> server, then the client software is responsible for enabling the FIPS
> mode, correct?

The crypto at the remote client is independent of the crypto at the server.
It may be operating in FIPS mode, but your server may not be. There is
nothing in the connection establishment protocols that conveys FIPS-ness to
each other.

> If so, then I cannot do anything else on my server and it's up to the
> client to have the proper software.

No. Your server will never operate OpenSSH in FIPS mode unless specific
steps are taken for it to do so. The remote client is responsible for doing
the same if the entire connection is to operate in FIPS mode.

Bill
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
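
Added example, not part of the original message and not OpenSSH or OpenSSL code: a parser for the SSH key-exchange init message (SSH_MSG_KEXINIT, RFC 4253 section 7.1) that enumerates every field a peer receives during connection setup. The sample offer and the helper names are constructed for illustration; the message carries algorithm names only, and no field reports whether the sender's crypto module is running in FIPS mode.

```python
SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def build_kexinit(offer, cookie):
    """Serialize an offer (dict of name-list -> list of names) into a KEXINIT payload."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        names = ",".join(offer.get(field, [])).encode("ascii")
        out += len(names).to_bytes(4, "big") + names
    return out + b"\x00" + (0).to_bytes(4, "big")  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return every field a peer can read from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    seen, pos = {"cookie": payload[1:17]}, 17
    for field in NAME_LISTS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        end = pos + 4 + length
        if end > len(payload):
            raise ValueError("truncated name-list")
        text = payload[pos + 4:end].decode("ascii")
        seen[field] = text.split(",") if text else []
        pos = end
    if len(payload) - pos != 5:
        raise ValueError("bad trailer")
    seen["first_kex_packet_follows"] = payload[pos] != 0
    seen["reserved"] = int.from_bytes(payload[pos + 1:], "big")
    return seen

def visible_difference(a, b):
    """Fields, other than the random cookie, in which two KEXINIT payloads differ."""
    pa, pb = parse_kexinit(a), parse_kexinit(b)
    return [f for f in pa if f != "cookie" and pa[f] != pb[f]]

# Constructed sample offer; the algorithm names are illustrative, not a FIPS policy.
OFFER = {"kex_algorithms": ["diffie-hellman-group14-sha1"],
         "server_host_key_algorithms": ["ssh-rsa"]}
for way in ("client_to_server", "server_to_client"):
    OFFER["encryption_algorithms_" + way] = ["aes128-cbc", "3des-cbc"]
    OFFER["mac_algorithms_" + way] = ["hmac-sha1"]
    OFFER["compression_algorithms_" + way] = ["none"]
```

Two peers that offer the same names produce payloads for which `visible_difference` returns an empty list, whatever mode their crypto libraries run in, so FIPS operation has to be established on each end separately.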