Date: Wed, 8 Apr 2026 10:26:12 -0700
From: Enji Cooper (yaneurabeya) <yaneurabeya@gmail.com>
To: Dag-Erling Smørgrav <des@FreeBSD.org>
Cc: Christian Weisgerber <naddy@mips.inka.de>, Alexander Leidinger <Alexander@leidinger.net>, freebsd-arch@freebsd.org
Subject: Re: Stronger ssh settings
Message-ID: <041CF094-40A4-4D2A-A87A-CE3CF6F1FBB3@gmail.com>
In-Reply-To: <86zf3htpmn.fsf@ltc.des.dev>
References: <7655dcd5cbd65d9276213dd8d2a25552@Leidinger.net> <adJtJ5j345d-eNNR@lorvorc.mips.inka.de> <86zf3htpmn.fsf@ltc.des.dev>
> On Apr 5, 2026, at 8:04 AM, Dag-Erling Smørgrav <des@FreeBSD.org> wrote:
>
> Christian Weisgerber <naddy@mips.inka.de> writes:
>> Government standards may require disabling some of the algorithms
>> OpenSSH prefers. That is more likely a disimprovement. Anyway,
>> if people would like example configurations compliant with FIPS or
>> such, I don't object.
>
> FIPS compliance requires not only using only approved algorithms, but
> also using only approved implementations of those algorithms. Simply
> editing your ssh(d) configuration will not achieve that.

Yup. OpenSSH needs to be told to use FIPS using sshd_config (I need to figure out where that patch is) and the FIPS module needs to be present/configured for the running system.

FIPS 140* is both “stronger” while also being a bit silly about how it’s accomplished (less about the standard and more about the folks that help enforce/certify for it): a lot of consulting businesses make money validating that FIPS 140* compliance is achieved by OSes for a stamp of approval that entities like the US Government require in order to get on Approved Product Lists (APL compliance). It’s one way of being “secure”, but isn’t the end-all-be-all for security in my book *shrug*. Using passwordless authentication, for instance, isn’t a requirement to get on the APL (last I checked), but it’s a good best practice.

Thanks,
-Enji
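The thread makes two separate points: an sshd configuration can restrict which algorithms are negotiated, but that on its own says nothing about whether the implementation behind those names is a validated one. The script below, an added example that is not part of this thread or of OpenSSH, shows the first half only: it parses the effective configuration in the key/value form that `sshd -T` prints and reports configured algorithms that are not on an administrator-supplied allow-list, plus whether password authentication is still on. The `sshd -T` output embedded here is constructed sample data, and the allow-list is a placeholder assumption, not a FIPS 140 approved-algorithm list; whoever runs this must substitute the policy that applies to their validated module.

```python
"""Audit an sshd effective configuration against an algorithm allow-list.

Added example, not code from the original thread or from OpenSSH.
The allow-list is a constructed placeholder (ASSUMPTION), not an
authoritative FIPS 140 list. Passing this audit only shows that the
configuration names algorithms the policy permits; it does not show that
the crypto module implementing them is a validated one.
"""
from __future__ import annotations

# Constructed sample in the shape `sshd -T` prints: lowercase keyword,
# a space, then the value (comma-separated for algorithm lists).
SAMPLE_SSHD_T = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
passwordauthentication yes
"""

# Placeholder policy (ASSUMPTION): replace with the list your module's
# validation actually covers. Keys match the sshd -T keyword names.
ALLOWED = {
    "ciphers": {"aes128-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "diffie-hellman-group14-sha256"},
    "hostkeyalgorithms": {"rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256"},
}


def parse_sshd_t(text: str) -> dict[str, str]:
    """Turn `sshd -T` style output into a {keyword: value} mapping."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def audit(cfg: dict[str, str], allowed: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {keyword: sorted algorithms configured but absent from the allow-list}.

    Keywords with no offending entries are omitted, so an empty dict means
    every configured algorithm is on the list.
    """
    findings: dict[str, list[str]] = {}
    for option, allow in allowed.items():
        configured = [a for a in cfg.get(option, "").split(",") if a]
        offending = sorted(a for a in configured if a not in allow)
        if offending:
            findings[option] = offending
    return findings


def password_auth_enabled(cfg: dict[str, str]) -> bool:
    """True when sshd still accepts password logins (keys-only is the
    best practice the thread mentions, independent of any approved list)."""
    return cfg.get("passwordauthentication", "yes") == "yes"


if __name__ == "__main__":
    # Real use: replace SAMPLE_SSHD_T with the output of `sshd -T` on the host.
    cfg = parse_sshd_t(SAMPLE_SSHD_T)
    for option, algs in audit(cfg, ALLOWED).items():
        print(f"{option}: not on allow-list: {', '.join(algs)}")
    if password_auth_enabled(cfg):
        print("passwordauthentication is yes; consider key-only logins")
```

Feed it the real `sshd -T` output rather than the embedded sample, and treat a clean result as one input to the compliance picture, since the validated-module question the thread raises is outside what a configuration audit can answer.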
