[sles-beta] SLES 11 SP4 sshd/fips

Marcus Meissner meissner at suse.de
Tue Jun 16 02:10:20 MDT 2015


Hi,

This is a mistake in packaging/delivery; can you open a bug report, please?

Ciao, Marcus
On Mon, Jun 15, 2015 at 09:32:58PM +0000, Joel Barbieri wrote:
> 
> Has anyone fips'd their kernel [via boot param] and openssl [OPENSSL_FORCE_FIPS_MODE in /etc/profile.local] and had a happy sshd?
> 
> From an strace of /usr/sbin/sshd, it seems like it might be looking for /usr/sbin/sshd.hmac possibly and getting ENOENT (no such file or directory).  It's hard to include more information as I only have the console and no remote access any longer.  :(
> 
> This configuration worked on SLES11SP3 with the exception of utilizing DSA instead of RSA.
> 
> I will submit a bug report if no one has any simple answers for me, like, hmac is dead, and you must use [fill in the blank].  Also, I did switch to RSA from DSA as this version of openssh/openssl is stricter.  What is and is not FIPS acceptable still tends to remain a bit of a mystery in the openssl 0.9.8 world.  Things are more specific in the >1.0 openssl world.
> 
> Thanks,
> 
> -Joel
> 
> Joel Barbieri
> Merge Healthcare
> 
> #grub.cfg
> ###Don't change this comment - YaST2 identifier: Original name: linux###
> title SUSE Linux Enterprise Server 11 SP4 - 3.0.101-64
>     root (hd0,0)
>     kernel /boot/vmlinuz-3.0.101-64-default root=/dev/sda1 ramdisk=65536 io_delay=none resume=/dev/sda2 splash=silent crashkernel= showopts elevator=cfq fips=1
>     initrd /boot/initrd-3.0.101-64-default
> 
> # last line of profile.local
> export OPENSSL_FORCE_FIPS_MODE=1
> 
> #sshd_config
> Port 22
> Protocol 2
> ListenAddress 0.0.0.0
> 
> HostKey /etc/ssh/ssh_host_rsa_key
> 
> SyslogFacility AUTH
> LogLevel QUIET
> 
> LoginGraceTime 1m
> PermitRootLogin without-password
> StrictModes yes
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile      .ssh/authorized_keys
> 
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> IgnoreRhosts yes
> 
> PasswordAuthentication no
> PermitEmptyPasswords no
> 
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
> MACs hmac-sha1
> UsePAM yes
> 
> AllowTcpForwarding no
> X11Forwarding no
> #PrintMotd yes
> #PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> PermitUserEnvironment no
> Compression no
> UseDNS no
> MaxSessions 1
> GatewayPorts no
> GSSAPIAuthentication no
> KerberosAuthentication no
> PermitTunnel no
> AllowGroups raccess
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> 
> # no default banner path
> Banner /etc/issue.net
> Subsystem       sftp    /usr/lib64/ssh/sftp-server
> _______________________________________________
> sles-beta mailing list
> sles-beta at lists.suse.com
> http://lists.suse.com/mailman/listinfo/sles-beta
> 

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner at suse.de>

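The checks below are an added diagnostic for the failure described in this thread; they are not SUSE's, OpenSSH's or either poster's code. They assume two things that the thread supports only partly: that the FIPS build of sshd looks for a companion integrity file at `<binary>.hmac` next to the binary (the report's strace showed `/usr/sbin/sshd.hmac` failing with ENOENT; whether other binaries or libraries use the same naming is an assumption), and that the kernel's FIPS state is readable from the standard `/proc/sys/crypto/fips_enabled` interface. The `check_fips_sshd` function runs against the live system; the helpers take paths so they can be exercised against constructed files, and `enoent_hmacs_from_strace` pulls the missing `.hmac` paths out of a saved strace log rather than leaving you to read it on the console.

```shell
#!/bin/sh
# Added diagnostic for sshd in FIPS mode on SLES 11 (not SUSE/OpenSSH code).
# Assumptions: the kernel exposes /proc/sys/crypto/fips_enabled, and the FIPS
# build of OpenSSH opens <binary>.hmac next to the binary at startup (the
# report's strace showed /usr/sbin/sshd.hmac returning ENOENT).

# 0 if the running kernel is in FIPS mode; the file argument exists so the
# function can be tested against a constructed file instead of /proc.
kernel_fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 0 if OPENSSL_FORCE_FIPS_MODE=1 is exported in this shell's environment.
# /etc/profile.local is only read by login shells, so sshd started from an
# init script sees the variable only if it is exported where sshd is started.
openssl_fips_forced() {
    [ "${OPENSSL_FORCE_FIPS_MODE:-0}" = "1" ]
}

# 0 if <path> and its companion <path>.hmac both exist.
hmac_present() {
    [ -f "$1" ] && [ -f "$1.hmac" ]
}

# Print each given path whose .hmac companion is missing; the return value is
# the number of missing companions (0 means everything is in place).
missing_hmacs() {
    n=0
    for p in "$@"; do
        if ! hmac_present "$p"; then
            echo "missing: $p.hmac"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# From saved strace output, print (sorted, unique) the .hmac paths that failed
# to open with ENOENT.  Capture with:
#   strace -f -o /tmp/sshd.trace /usr/sbin/sshd -D
# Only open()/openat() lines that name a .hmac file AND ended in ENOENT match,
# so unrelated ENOENTs (a removed DSA host key, for instance) are filtered out.
enoent_hmacs_from_strace() {
    grep -E 'open(at)?\(.*\.hmac".* ENOENT ' "$1" \
        | sed -E 's/.*"([^"]*\.hmac)".*/\1/' \
        | sort -u
}

# Run all checks against the live system; non-zero if anything is off.
check_fips_sshd() {
    rc=0
    kernel_fips_enabled || { echo "kernel: fips_enabled is not 1 (boot with fips=1)"; rc=1; }
    openssl_fips_forced || { echo "env: OPENSSL_FORCE_FIPS_MODE=1 is not exported"; rc=1; }
    missing_hmacs /usr/sbin/sshd || rc=1
    return "$rc"
}

# Usage: sh fips_sshd_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_fips_sshd
fi
```

A missing `.hmac` reported by `missing_hmacs` or `enoent_hmacs_from_strace` is a packaging problem, as Marcus says, not something to fix by hand: the file is the integrity reference the FIPS build checks itself against, so it has to come from the package that shipped the binary.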
