Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: add fipsonly mode #64769

Open
drakkan opened this issue Dec 16, 2023 · 4 comments
Open

x/crypto/ssh: add fipsonly mode #64769

drakkan opened this issue Dec 16, 2023 · 4 comments
Labels
Proposal Proposal-Accepted
Milestone
Backlog

Comments

@drakkan
Copy link
Member

drakkan commented Dec 16, 2023

Proposal Details

Similar to crypto/tls/fipsonly add golang.org/x/crypto/ssh/fipsonly

//go:build boringcrypto

// Package fipsonly restricts all SSH configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//	import _ "golang.org/x/crypto/ssh/fipsonly"
//
// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
@gopherbot gopherbot added this to the Proposal milestone Dec 16, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/550515 mentions this issue: ssh: add fipsonly mode

@ianlancetaylor ianlancetaylor moved this to Incoming in Proposals Jan 2, 2024
@rsc
Copy link
Contributor

rsc commented Jan 10, 2024

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc rsc moved this from Incoming to Active in Proposals Jan 10, 2024
@reedloden reedloden mentioned this issue Jan 14, 2024
Merged
reedloden added a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
7e85674 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
d145487 
…hanges (#36685)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-actions bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
40497d4 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
9e365c2 
…hanges (#36709)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
@rsc
Copy link
Contributor

rsc commented Jan 19, 2024

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

Proposal is to add a new x/crypto/ssh/fipsonly package that is _ imported for the side effect of changing SSH configuration to FIPS-approved settings. The package only exists with GOEXPERIMENT=boringcrypto.

@rsc rsc moved this from Active to Accepted in Proposals Jan 19, 2024
@rsc rsc changed the title proposal: x/crypto/ssh: add fipsonly mode x/crypto/ssh: add fipsonly mode Jan 19, 2024
@rsc rsc modified the milestones: Proposal, Backlog Jan 19, 2024
@kmoe kmoe mentioned this issue Feb 23, 2024
Closed
drakkan added a commit to drakkan/crypto that referenced this issue Feb 24, 2024
@drakkan
ssh: add fipsonly mode
e21c8ca 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Mar 7, 2024
@drakkan
ssh: add fipsonly mode
e2ff965 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Apr 9, 2024
@drakkan
ssh: add fipsonly mode
0e61cc6 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 7, 2024
@drakkan
ssh: add fipsonly mode
bf961ef 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 9, 2024
@drakkan
ssh: add fipsonly mode
2aa6ef5 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue May 23, 2024
@drakkan
ssh: add fipsonly mode
4966be2 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Jun 4, 2024
@drakkan
ssh: add fipsonly mode
5ec5df5 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Jul 13, 2024
@drakkan
ssh: add fipsonly mode
e833c44 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Jul 26, 2024
@drakkan
ssh: add fipsonly mode
a1d6bab 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Aug 11, 2024
@drakkan
ssh: add fipsonly mode
e7f93b9 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Aug 12, 2024
@drakkan
ssh: add fipsonly mode
63e8347 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
@amey-barve
Copy link

@drakkan - Can you please let us know when would the change request
https://go-review.googlesource.com/c/crypto/+/550515
merged to golang.org/x/crypto master and which release / tag would this change be part of ? TIA!

drakkan added a commit to drakkan/crypto that referenced this issue Oct 5, 2024
@drakkan
ssh: add fipsonly mode
ce4be0b 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Nov 9, 2024
@drakkan
ssh: add fipsonly mode
66f5383 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Nov 9, 2024
@drakkan
ssh: add fipsonly mode
7673081 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Dec 7, 2024
@drakkan
ssh: add fipsonly mode
d7d64f4 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Dec 15, 2024
@drakkan
ssh: add fipsonly mode
c7818ff 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Dec 15, 2024
@drakkan
ssh: add fipsonly mode
41d3b97 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Jan 11, 2025
@drakkan
ssh: add fipsonly mode
44ab3eb 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal Proposal-Accepted
Projects
Proposals
Status: Accepted
Milestone
Backlog
Development

No branches or pull requests
4 participants
@rsc @drakkan @gopherbot @amey-barve