Does the SSH Agents plugin support FIPS 140-2?


Dunnigan (US), Terrence J

Feb 11, 2019, 12:13:31 PM
to jenkins...@googlegroups.com

Hi all,

Does the SSH Slaves plugin support FIPS 140-2 (https://en.wikipedia.org/wiki/FIPS_140-2)? In my case I have a Windows VM running Jenkins trying to connect to a RHEL7 VM with FIPS enabled. I’m getting SSH authentication errors, and the RHEL logs suggest that the Jenkins SSH Slaves plugin is not using a FIPS-approved protocol.

Thanks,

Terry
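One way to turn the "RHEL logs suggest the plugin is not using a FIPS-approved protocol" symptom into something concrete is to parse sshd's "Unable to negotiate" lines and split the client's offer into algorithms the FIPS-mode host accepts and ones it rejects. This is an added example, not code from the thread or from the Jenkins plugin; the log lines are constructed, and the accepted-algorithm sets are an assumption standing in for what `ssh -Q key` / `ssh -Q kex` / `ssh -Q cipher` report on the actual FIPS-mode host.

```python
"""Classify sshd negotiation failures against the algorithms a FIPS-mode host accepts.
Added example; log lines and accepted sets below are constructed, not real data."""
import re
from dataclasses import dataclass

# OpenSSH sshd logs this line when it cannot agree on an algorithm with the client.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>.+?) found\. Their offer: (?P<offer>.+?)"
    r"(?: \[preauth\])?$"
)

# ASSUMPTION: placeholder for the lists `ssh -Q key|kex|cipher` print on the FIPS host.
# Replace these with the output from your own RHEL host before relying on the verdict.
FIPS_HOST_ACCEPTS = {
    "host key type": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256"},
    "key exchange method": {"ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"},
    "cipher": {"aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com"},
}

@dataclass
class Rejection:
    peer: str
    what: str          # "host key type", "key exchange method", "cipher", "MAC"
    offered: list
    accepted: list     # offered algorithms the host would have taken
    rejected: list     # offered algorithms the host refuses (e.g. ed25519 in FIPS mode)

def parse_rejections(lines, host_accepts=FIPS_HOST_ACCEPTS):
    """Return one Rejection per negotiation failure found in the log lines."""
    out = []
    for line in lines:
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue
        offered = [a.strip() for a in m["offer"].split(",")]
        ok = host_accepts.get(m["what"], set())
        out.append(Rejection(peer=m["peer"], what=m["what"], offered=offered,
                             accepted=[a for a in offered if a in ok],
                             rejected=[a for a in offered if a not in ok]))
    return out

# Constructed sample: a Jenkins controller at 10.0.0.5 offering only an ed25519 key,
# then a second attempt whose kex list contains one algorithm the host does accept.
SAMPLE_LOG = [
    "Feb 11 12:10:03 rhel7 sshd[2211]: Unable to negotiate with 10.0.0.5 port 51234: "
    "no matching host key type found. Their offer: ssh-ed25519 [preauth]",
    "Feb 11 12:10:03 rhel7 sshd[2211]: Connection closed by 10.0.0.5 port 51234 [preauth]",
    "Feb 11 12:12:40 rhel7 sshd[2230]: Unable to negotiate with 10.0.0.5 port 51240: "
    "no matching key exchange method found. Their offer: curve25519-sha256,ecdh-sha2-nistp256 [preauth]",
]
```

Running `parse_rejections(SAMPLE_LOG)` on the constructed lines shows the first attempt offered nothing the host accepts, while the second would succeed if the client simply preferred `ecdh-sha2-nistp256`.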

Mark Waite

Feb 11, 2019, 1:55:02 PM
to Jenkins Users
Try with an ed25519 private key. Some online docs suggest that ed25519 is FIPS-140-2 approved.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/d8563d21c76647e3ba72cedb130194b7%40boeing.com.
For more options, visit https://groups.google.com/d/optout.

Dunnigan (US), Terrence J

Feb 13, 2019, 1:43:18 PM
to jenkins...@googlegroups.com

Thanks for the suggestion! We tried it and the ssh command said it wasn’t allowed to use ed25519 in FIPS mode. We’ve connected via JNLP so perhaps the issue has been sidestepped.

Thanks again,

Terry

Mark Waite

Feb 13, 2019, 2:16:33 PM
to Jenkins Users
My recollection from previous times was that FIPS-140-2 compliant implementations must be "certified". I thought that required that a FIPS-140-2 implementation had to be purchased and included in the product that was intended to be FIPS-140-2 compliant. Jenkins has not purchased a FIPS-140-2 compliant library. It uses open source implementations of cryptographic algorithms.

However, my exposure to that requirement was quite brief and may be entirely incorrect.

Mark Waite

--
Thanks!
Mark Waite