Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: add fipsonly mode #64769

Open
drakkan opened this issue Dec 16, 2023 · 3 comments
Open

x/crypto/ssh: add fipsonly mode #64769

drakkan opened this issue Dec 16, 2023 · 3 comments

Comments

@drakkan
Copy link
Member

drakkan commented Dec 16, 2023

Proposal Details

Similar to crypto/tls/fipsonly add golang.org/x/crypto/ssh/fipsonly

//go:build boringcrypto

// Package fipsonly restricts all SSH configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//	import _ "golang.org/x/crypto/ssh/fipsonly"
//
// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
@gopherbot gopherbot added this to the Proposal milestone Dec 16, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/550515 mentions this issue: ssh: add fipsonly mode

@rsc
Copy link
Contributor

rsc commented Jan 10, 2024

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

reedloden added a commit to gravitational/teleport that referenced this issue Jan 14, 2024
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
reedloden added a commit to gravitational/teleport that referenced this issue Jan 14, 2024
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
reedloden added a commit to gravitational/teleport that referenced this issue Jan 15, 2024
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
reedloden added a commit to gravitational/teleport that referenced this issue Jan 15, 2024
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
…hanges (#36685)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-actions bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
…hanges (#36709)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
@rsc
Copy link
Contributor

rsc commented Jan 19, 2024

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

Proposal is to add a new x/crypto/ssh/fipsonly package that is _ imported for the side effect of changing SSH configuration to FIPS-approved settings. The package only exists with GOEXPERIMENT=boringcrypto.

@rsc rsc changed the title proposal: x/crypto/ssh: add fipsonly mode x/crypto/ssh: add fipsonly mode Jan 19, 2024
@rsc rsc modified the milestones: Proposal, Backlog Jan 19, 2024
drakkan added a commit to drakkan/crypto that referenced this issue Feb 24, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Mar 7, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Apr 9, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 7, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 9, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 23, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Jun 4, 2024
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Accepted
Development

No branches or pull requests

3 participants