[sles-beta] SLES 11 SP4 sshd/fips
Joel Barbieri
Joel.Barbieri at merge.com
Mon Jun 15 15:32:58 MDT 2015
Has anyone fips'd their kernel [via boot param] and openssl [OPENSSL_FORCE_FIPS_MODE in /etc/profile.local] and had a happy sshd?
From an strace of /usr/sbin/sshd, it seems like it might be looking for /usr/sbin/sshd.hmac possibly and getting ENOENT (no such file or directory). It's hard to include more information as I only have the console and no remote access any longer. :(
This configuration worked on SLES11SP3 with the exception of utilizing DSA instead of RSA.
I will submit a bug report if no one has any simple answers for me, like, hmac is dead, and you must use [fill in the blank]. Also, I did switch to RSA from DSA as this version of openssh/openssl is stricter. What is and is not FIPS acceptable still tends to remain a bit of a mystery in the openssl 0.9.8 world. Things are more specific in the >1.0 openssl world.
Thanks,
-Joel
Joel Barbieri
Merge Healthcare
#grub.cfg
###Don't change this comment - YaST2 identifier: Original name: linux###
title SUSE Linux Enterprise Server 11 SP4 - 3.0.101-64
root (hd0,0)
kernel /boot/vmlinuz-3.0.101-64-default root=/dev/sda1 ramdisk=65536 io_delay=none resume=/dev/sda2 splash=silent crashkernel= showopts elevator=cfq fips=1
initrd /boot/initrd-3.0.101-64-default
# last line of profile.local
export OPENSSL_FORCE_FIPS_MODE=1
#sshd_config
Port 22
Protocol 2
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel QUIET
LoginGraceTime 1m
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression no
UseDNS no
MaxSessions 1
GatewayPorts no
GSSAPIAuthentication no
KerberosAuthentication no
PermitTunnel no
AllowGroups raccess
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
Banner /etc/issue.net
Subsystem sftp /usr/lib64/ssh/sftp-server
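A preflight script for the setup described in this thread, added here as an example and not part of the original post or of SUSE's tooling. It checks the three pieces the post changes (the kernel fips flag, OPENSSL_FORCE_FIPS_MODE, and the sshd integrity file the strace points at) and flags Ciphers/MACs entries outside an assumed FIPS-approved list; the sshd.hmac location and the approved-algorithm lists are assumptions, not taken from the post.

```shell
#!/bin/sh
# FIPS-mode sshd preflight (added example). Assumption: the FIPS build of
# sshd expects an integrity file next to the binary, e.g. /usr/sbin/sshd.hmac,
# which is what the ENOENT in the strace would indicate.

# Assumed FIPS-approved algorithm names as spelled in sshd_config.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512"

# in_list WORD LIST: succeed when WORD is in the space-separated LIST
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_algos KEYWORD ALLOWED CONFIG: read "KEYWORD a,b,c" from CONFIG and
# report each algorithm not in ALLOWED; returns 1 if any are unapproved/unset.
check_algos() {
    kw=$1; allowed=$2; cfg=$3; ck_rc=0
    line=$(grep -i "^[[:space:]]*$kw[[:space:]]" "$cfg" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "$kw: not set, sshd's default list may contain non-FIPS algorithms"
        return 1
    fi
    for a in $(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' '); do
        in_list "$a" "$allowed" || { echo "$kw: $a is not FIPS-approved"; ck_rc=1; }
    done
    return $ck_rc
}

# fips_preflight CONFIG SSHD_BINARY FIPS_FLAG_FILE: returns the number of
# failed checks (0 means every check passed).
fips_preflight() {
    cfg=$1; bin=$2; flag=$3; fails=0
    [ "$(cat "$flag" 2>/dev/null)" = "1" ] \
        || { echo "kernel: fips_enabled is not 1 (boot with fips=1)"; fails=$((fails+1)); }
    [ "${OPENSSL_FORCE_FIPS_MODE:-0}" = "1" ] \
        || { echo "openssl: OPENSSL_FORCE_FIPS_MODE is not exported as 1"; fails=$((fails+1)); }
    [ -f "$bin.hmac" ] \
        || { echo "sshd: $bin.hmac missing, integrity self-check would get ENOENT"; fails=$((fails+1)); }
    check_algos Ciphers "$FIPS_CIPHERS" "$cfg" || fails=$((fails+1))
    check_algos MACs "$FIPS_MACS" "$cfg" || fails=$((fails+1))
    return $fails
}

# Run against the live system; the "||" keeps a failing status from aborting the script.
fips_preflight /etc/ssh/sshd_config /usr/sbin/sshd /proc/sys/crypto/fips_enabled \
    || echo "$? check(s) failed"
```

Run it from the console before restarting sshd; any line printed is a check that would keep a FIPS-mode sshd from starting cleanly.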