[sles-beta] SLES 11 SP4 sshd/fips
Marcus Meissner
meissner at suse.de
Tue Jun 16 02:10:20 MDT 2015
Hi,
This is a mistake in packaging/delivery, can you open a bug report please?
Ciao, Marcus
On Mon, Jun 15, 2015 at 09:32:58PM +0000, Joel Barbieri wrote:
>
> Has anyone fips'd their kernel [via boot param] and openssl [OPENSSL_FORCE_FIPS_MODE in /etc/profile.local] and had a happy sshd?
>
> From an strace of /usr/sbin/sshd, it seems like it might be looking for /usr/sbin/sshd.hmac possibly and getting ENOENT (no such file or directory). It's hard to include more information as I only have the console and no remote access any longer. :(
>
> This configuration worked on SLES11SP3 with the exception of utilizing DSA instead of RSA.
>
> I will submit a bug report if no one has any simple answers for me, like, hmac is dead, and you must use [fill in the blank]. Also, I did switch to RSA from DSA as this version of openssh/openssl is stricter. What is and is not FIPS acceptable still tends to remain a bit of a mystery in the openssl 0.9.8 world. Things are more specific in the >1.0 openssl world.
>
> Thanks,
>
> -Joel
>
> Joel Barbieri
> Merge Healthcare
>
> #grub.cfg
> ###Don't change this comment - YaST2 identifier: Original name: linux###
> title SUSE Linux Enterprise Server 11 SP4 - 3.0.101-64
> root (hd0,0)
> kernel /boot/vmlinuz-3.0.101-64-default root=/dev/sda1 ramdisk=65536 io_delay=none resume=/dev/sda2 splash=silent crashkernel= showopts elevator=cfq fips=1
> initrd /boot/initrd-3.0.101-64-default
>
> # last line of profile.local
> export OPENSSL_FORCE_FIPS_MODE=1
>
> #sshd_config
> Port 22
> Protocol 2
> ListenAddress 0.0.0.0
>
> HostKey /etc/ssh/ssh_host_rsa_key
>
> SyslogFacility AUTH
> LogLevel QUIET
>
> LoginGraceTime 1m
> PermitRootLogin without-password
> StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
>
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> IgnoreRhosts yes
>
> PasswordAuthentication no
> PermitEmptyPasswords no
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
> MACs hmac-sha1
> UsePAM yes
>
> AllowTcpForwarding no
> X11Forwarding no
> #PrintMotd yes
> #PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> PermitUserEnvironment no
> Compression no
> UseDNS no
> MaxSessions 1
> GatewayPorts no
> GSSAPIAuthentication no
> KerberosAuthentication no
> PermitTunnel no
> AllowGroups raccess
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
>
> # no default banner path
> Banner /etc/issue.net
> Subsystem sftp /usr/lib64/ssh/sftp-server
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner at suse.de>
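A defender-side diagnostic for the three places Joel's setup touches (the kernel FIPS flag, the per-binary .hmac integrity file that the strace showed sshd probing for, and the Ciphers/MACs lines in sshd_config), added here as an example; it is not from the list post or from SUSE's packaging. The procfs path, the "<binary>.hmac" naming and the allow-lists are assumptions for illustration; the authoritative list is the validated module's security policy.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. All paths and the
# allow-lists passed to check_algos are assumptions made for illustration.

# Kernel-level FIPS flag (1 = enabled). The path is a parameter so the
# check can also be run against a constructed file offline.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# The integrity companion file sshd was looking for: <binary>.hmac beside
# the binary (e.g. /usr/sbin/sshd.hmac). 0 = present, 1 = missing (ENOENT).
hmac_file_present() {
    [ -f "$1.hmac" ]
}

# Report algorithms in an sshd_config "Ciphers" or "MACs" line that are not
# on a comma-separated allow-list. Prints the offenders and returns 1 if any.
# An absent keyword means OpenSSH defaults apply; those are not checked here.
# Usage: check_algos <config-file> <keyword> <allowed,list>
check_algos() {
    cfg="$1"; key="$2"; allowed="$3"; bad=""
    line=$(grep -i "^[[:space:]]*$key[[:space:]]" "$cfg" | head -n 1 | awk '{print $2}')
    old_ifs="$IFS"; IFS=','
    for a in $line; do
        case ",$allowed," in
            *",$a,"*) ;;
            *) bad="$bad $a" ;;
        esac
    done
    IFS="$old_ifs"
    [ -z "$bad" ] && return 0
    echo "$key not in allow-list:$bad"
    return 1
}

# Run the live checks only when invoked with --run, so sourcing is side-effect free.
if [ "${1:-}" = "--run" ]; then
    fips_kernel_enabled || echo "kernel: fips_enabled is not 1"
    hmac_file_present /usr/sbin/sshd || echo "sshd: /usr/sbin/sshd.hmac missing"
    [ "${OPENSSL_FORCE_FIPS_MODE:-}" = "1" ] || echo "env: OPENSSL_FORCE_FIPS_MODE not set"
    check_algos /etc/ssh/sshd_config Ciphers "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc"
    check_algos /etc/ssh/sshd_config MACs "hmac-sha1,hmac-sha2-256,hmac-sha2-512"
fi
```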