Created attachment 2135: Suggested patch

When building openssh with openssl library with FIPS (specifically versions newer than openssl 0.9.8q), there is an issue if FIPS mode is active for openssl. In ssh-rsa.c on line 243 RSA_public_decrypt is called, which is disallowed now in openssl (if in FIPS mode). The library requires applications to use the EVP API if running in FIPS mode so it can disallow certain cipher suites and hash algorithms that are not considered FIPS compliant. The user experience is that the scp/ssh client fails because RSA_public_decrypt just returns null if FIPS mode is active in openssl > 0.9.8q. The reference below states that there is a patch, but I cannot find it so I am submitting my own for review.

References: http://www.mail-archive.com/openssl-users@openssl.org/msg63512.html
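To make the two verification styles discussed in this thread concrete, the following is an added, self-contained Python model (not OpenSSH's code and not OpenSSL's) of PKCS#1 v1.5 signature verification for an ssh-rsa style signature (SHA-1 DigestInfo). `rsa_public_decrypt` models what the raw OpenSSL primitive returns: the padding-stripped DigestInfo, or `None` when the padding is malformed. `verify_via_public_decrypt` builds a verify on top of that raw call, and `verify_strict` instead reconstructs the full expected encoded message and compares it byte for byte, so no bytes under the signer's control are parsed. The key generation is a toy (fixed-seed, probabilistic primes) constructed only so the block runs offline; all key material, messages and function names here are assumptions for the demo.

```python
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases; adequate for a demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_key(bits=512, rng=None):
    """Toy RSA keypair (constructed for the demo): returns ((n, e), (n, d))."""
    rng = rng or random.Random(1)  # fixed seed so runs are reproducible
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(msg) into a k-byte block."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(msg, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rsa_public_decrypt(pub, sig):
    """Model of the raw primitive: s^e mod n, then strip 00 01 FF..FF 00.
    Returns the DigestInfo bytes, or None if the padding is malformed."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return None
    return em[sep + 1:]


def verify_via_public_decrypt(pub, msg, sig):
    """Verify built on the raw call: parse the signer-controlled block, then compare."""
    t = rsa_public_decrypt(pub, sig)
    expected = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    return t is not None and hmac.compare_digest(t, expected)


def verify_strict(pub, msg, sig):
    """Verify by rebuilding the whole expected encoded message and comparing it.
    Nothing in the recovered block is parsed, which is the attack-surface argument."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


if __name__ == "__main__":
    pub, priv = gen_key()
    sig = sign(priv, b"constructed sample message")
    print(verify_via_public_decrypt(pub, b"constructed sample message", sig))
    print(verify_strict(pub, b"constructed sample message", sig))
```

Both verifiers accept a good signature and reject a tampered message or signature; the difference is where the parsing happens. In the raw-primitive path the verifier has to walk the recovered block looking for the padding separator before it can compare anything, whereas the strict path does one constant-time comparison of two fixed-length buffers. That is the shape of the trade-off the maintainers' reply describes: an EVP-only build removes the raw call, but also removes the ability to do the strict comparison yourself.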
OpenSSH doesn't (yet) have support for FIPS OpenSSL. We might one day, but in the meantime you should address this to the developers of one of the FIPS patchsets. Unfortunately, this approach disables our custom RSA signature-verification code that is designed to save a substantial amount of pre-authentication attack surface from sshd. For this reason it is not going to be accepted for regular OpenSSH.
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1