I have built and installed a FIPS-capable version of OpenSSL, based on openssl-fips v1.2 and openssl-0.9.8k, using the following config options: fips --prefix=/some/dir --openssldir=/some/dir shared zlib-dynamic
I then compiled a version of OpenSSH v5.3p1 with the following configure options: --prefix=/some/dir --sysconfdir=/some/dir --with-pam --with-tcp-wrappers --with-ssl-dir=/path/to/openssl-fips-dir --with-4in6 --with-privsep-path=/some/dir --with-pid-dir=/some/dir --without-rand-helper --with-libedit --with-ssl-engine --with-selinux
OpenSSH compiled and installed without errors, and the client can connect to remote boxes seemingly without problems. I am only interested in the client portion of the software, so that is all that I have tested so far.
My questions to anyone who can help are:
1. How can I tell if the ssh client is using the FIPS libcrypto library?
2. Are the above OpenSSH configure options all that I need, or do I have to do some more work, such as library linking?
3. Since I am not calling OpenSSL directly, how does the OpenSSH client use libcrypto in FIPS mode? Does an env variable need to be set?
Any help would be greatly appreciated, thanks.
Michael
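As an added example that is not part of Michael's post, the following POSIX shell script addresses his first question: it reads ldd(1) output for an ssh binary and reports whether the libcrypto it resolves at load time lives under the prefix the FIPS-capable OpenSSL was installed to. The binary path and the prefix are placeholders (the post only gives /some/dir and /path/to/openssl-fips-dir); substitute the real --prefix of the FIPS build.

```shell
#!/bin/sh
# Added example, not code from the original post: find out which libcrypto an
# ssh binary resolves at load time and whether it lives under the prefix the
# FIPS-capable OpenSSL was installed to. All paths are placeholders.

# Read ldd(1)-style output on stdin and print the resolved path of every
# libcrypto entry. A line such as "libcrypto.so.0.9.8 => not found" has no
# leading "/" in field 3 and is deliberately skipped.
libcrypto_paths() {
    awk '$1 ~ /^libcrypto\.so/ && $3 ~ /^\// { print $3 }'
}

# Succeed (exit 0) only if at least one libcrypto is resolved and every one
# of them sits below the given prefix. A statically linked libcrypto never
# appears in ldd output, so that case fails here too and needs a look at the
# link line instead.
libcrypto_under_prefix() {
    prefix=$1
    found=0
    for p in $(libcrypto_paths); do
        found=1
        case "$p" in
            "$prefix"/*) ;;
            *) printf 'libcrypto resolved outside prefix: %s\n' "$p" >&2
               return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Run the check against a real binary, e.g.
#   check_ssh_binary /some/dir/bin/ssh /some/dir
check_ssh_binary() {
    ldd "$1" | libcrypto_under_prefix "$2"
}

# Only act when invoked with arguments, so the functions above can also be
# sourced from another script.
if [ $# -eq 2 ]; then
    if check_ssh_binary "$1" "$2"; then
        echo "ssh links libcrypto from $2"
    else
        echo "ssh does NOT link libcrypto from $2" >&2
        exit 1
    fi
fi
```

Invoke it as `sh check_ssh_libcrypto.sh /some/dir/bin/ssh /some/dir` (script name assumed). A pass only shows which shared library is loaded; it says nothing about whether FIPS mode is switched on inside the process. With the 0.9.8 FIPS-capable build, FIPS mode is enabled per process by a call to FIPS_mode_set(1), and the OPENSSL_FIPS environment variable is honoured only by the openssl command-line utility, not by other programs that merely link libcrypto. Upstream OpenSSH 5.3p1 makes no such call, so a source change or a distribution patch is needed before the client runs in FIPS mode; linking against the FIPS-capable library alone is not enough.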