[sles-beta] SLES 11 SP4 sshd/fips

Joel Barbieri Joel.Barbieri at merge.com
Mon Jun 15 15:32:58 MDT 2015


Has anyone fips'd their kernel [via boot param] and openssl [OPENSSL_FORCE_FIPS_MODE in /etc/profile.local] and had a happy sshd?

From an strace of /usr/sbin/sshd, it seems like it might be looking for /usr/sbin/sshd.hmac possibly and getting ENOENT (no such file or directory).  It's hard to include more information as I only have the console and no remote access any longer.  :(

This configuration worked on SLES11SP3 with the exception of utilizing DSA instead of RSA.

I will submit a bug report if no one has any simple answers for me, like, hmac is dead, and you must use [fill in the blank].  Also, I did switch to RSA from DSA as this version of openssh/openssl is stricter.  What is and is not FIPS acceptable still tends to remain a bit of a mystery in the openssl 0.9.8 world.  Things are more specific in the >1.0 openssl world.

Thanks,

-Joel

Joel Barbieri
Merge Healthcare

#grub.cfg
###Don't change this comment - YaST2 identifier: Original name: linux###
title SUSE Linux Enterprise Server 11 SP4 - 3.0.101-64
    root (hd0,0)
    kernel /boot/vmlinuz-3.0.101-64-default root=/dev/sda1 ramdisk=65536 io_delay=none resume=/dev/sda2 splash=silent crashkernel= showopts elevator=cfq fips=1
    initrd /boot/initrd-3.0.101-64-default

# last line of profile.local
export OPENSSL_FORCE_FIPS_MODE=1

#sshd_config
Port 22
Protocol 2
ListenAddress 0.0.0.0

HostKey /etc/ssh/ssh_host_rsa_key

SyslogFacility AUTH
LogLevel QUIET

LoginGraceTime 1m
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes

PasswordAuthentication no
PermitEmptyPasswords no

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
UsePAM yes

AllowTcpForwarding no
X11Forwarding no
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression no
UseDNS no
MaxSessions 1
GatewayPorts no
GSSAPIAuthentication no
KerberosAuthentication no
PermitTunnel no
AllowGroups raccess
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
Banner /etc/issue.net
Subsystem       sftp    /usr/lib64/ssh/sftp-server
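As an added example (not from the post and not SUSE's tooling), a read-only script that checks the three pieces the post wires together: the kernel's fips=1 flag via /proc/sys/crypto/fips_enabled, OPENSSL_FORCE_FIPS_MODE in the environment, the /usr/sbin/sshd.hmac companion file the strace showed sshd opening, and the Ciphers/MACs lines of an sshd_config. The approved-algorithm lists and the optional ROOT prefix are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the post: a read-only check of the three pieces the
# post wires together (kernel fips=1, OPENSSL_FORCE_FIPS_MODE, sshd's HMAC
# companion file) plus the Ciphers/MACs lines of an sshd_config.
# ROOT is an optional prefix so the check can be pointed at a constructed tree.

# Assumed approved sets (the post notes this is murky on openssl 0.9.8):
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512"

# check_alg_list LIST ALLOWED: print names not in ALLOWED; exit 0 only if none.
check_alg_list() {
  bad=""
  for a in $(printf '%s' "$1" | tr ',' ' '); do
    case " $2 " in *" $a "*) ;; *) bad="$bad $a" ;; esac
  done
  printf '%s' "${bad# }"
  [ -z "$bad" ]
}

# config_value FILE KEYWORD: value of the last uncommented KEYWORD line.
config_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# fips_sshd_check SSHD_CONFIG [ROOT]: report each problem, return their count.
fips_sshd_check() {
  cfg=$1; root=${2:-}; fails=0
  if [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" != "1" ]; then
    echo "kernel: fips_enabled is not 1 (boot with fips=1)"; fails=$((fails + 1))
  fi
  if [ "${OPENSSL_FORCE_FIPS_MODE:-}" != "1" ]; then
    echo "openssl: OPENSSL_FORCE_FIPS_MODE=1 is not set in this environment"; fails=$((fails + 1))
  fi
  # The path sshd was seen opening in the poster's strace before the ENOENT.
  if [ ! -f "$root/usr/sbin/sshd.hmac" ]; then
    echo "sshd: $root/usr/sbin/sshd.hmac is missing"; fails=$((fails + 1))
  fi
  bad=$(check_alg_list "$(config_value "$cfg" Ciphers)" "$FIPS_CIPHERS") ||
    { echo "sshd_config: non-FIPS Ciphers: $bad"; fails=$((fails + 1)); }
  bad=$(check_alg_list "$(config_value "$cfg" MACs)" "$FIPS_MACS") ||
    { echo "sshd_config: non-FIPS MACs: $bad"; fails=$((fails + 1)); }
  return $fails
}

if [ $# -gt 0 ]; then fips_sshd_check "$@"; fi
```

Run as `sh fipscheck.sh /etc/ssh/sshd_config` on the box itself; the exit status is the number of findings, so 0 means every check passed.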


More information about the sles-beta mailing list