PGNet wrote:
...
Ok.
So, e.g. (reading the UserGuide now ...), to ensure that all ssh <->
ssh comms between boxes were limited correctly to fips-only algo
usages, in "openssl.cnf", I'd specifically add:

    # Openssh section
    openssh_conf = openssh_options
    ...
    [ openssh_options ]
    alg_section = algs
    ...
    [ algs ]
    fips_mode = yes

yes?

Yes, though with a caveat: the application (OpenSSH in this instance)
still begs for some source modifications to handle exceptions. For one
thing the ssh_config and sshd_config files might contain illegal
ciphersuite specifications at runtime. Stock OpenSSH doesn't even
default to a FIPS compatible ciphersuite. The FIPS capable OpenSSL with
FIPS mode enabled will reject attempts to use non-allowed algorithms,
but that rejection will not necessarily occur at the appropriate place
from the perspective of the end user. Worse, we (or at least I) do not
know that OpenSSH correctly checks the return codes from all OpenSSL API
calls; if not, some very undesirable behavior could result.

Long story short, OpenSSH really needs some source mods to gracefully
invoke and run in FIPS mode. Several people, myself included, have
created patches to that end. Note I also specifically discuss OpenSSH
in the User Guide.

Of course, if you don't plan to actually run in FIPS mode and just need
buzzword compliance (often the case) then what you plan should work.

-Steve M.
--
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
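
Added example, not part of the original message and not code from the OpenSSL or OpenSSH projects: a pre-flight audit that flags the ssh_config/sshd_config problem the reply describes (algorithm names a FIPS-mode OpenSSL would reject only at runtime, or no explicit list at all) before the daemon is started. The allowlists, the `audit` function and the sample file are assumptions made for illustration; the authoritative list is the security policy of the validated module in use.

```python
import re

# Assumption: illustrative allowlists, not an official list. Replace them with
# the algorithms permitted by the security policy of the module you deploy.
APPROVED = {
    "ciphers": {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}

def audit(config_text):
    """Return (line_no, keyword, problem) findings for one config file."""
    findings, seen = [], set()
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Both "Keyword value" and "Keyword=value" are accepted by OpenSSH.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key not in APPROVED or len(parts) < 2:
            continue
        seen.add(key)
        # Anything not matched exactly is reported, so list modifiers such as
        # a leading "+" are flagged for manual review rather than trusted.
        for alg in filter(None, (a.strip() for a in parts[1].strip('"').split(","))):
            if alg.lower() not in APPROVED[key]:
                findings.append((no, key, "not on allowlist: " + alg))
    # A missing keyword means the built-in defaults apply, which the reply
    # above notes are not FIPS compatible in stock OpenSSH. Line 0 = absent.
    for key in sorted(set(APPROVED) - seen):
        findings.append((0, key, "not set: built-in defaults apply"))
    return findings

# Constructed sample input, not taken from any real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
Ciphers aes256-ctr,arcfour,blowfish-cbc
"""

if __name__ == "__main__":
    for no, key, problem in audit(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

The audit covers only the configuration side; it does not tell you whether OpenSSH checks the OpenSSL return codes, which still needs source review or the patches mentioned in the reply.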