Open ajit-pawar-sp opened 3 years ago
It might be that for FIPS you would require a different version of BouncyCastle to handle the encryption. Not sure actually, I know there is a FIPS certified version of it.
I am currently evaluating sshj for use with BouncyCastle's FIPS providers:
fips.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
fips.provider.3=sun.security.provider.Sun
See list of provider facilities.
So far I found the following issues:
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
GSSAPIKeyExchange no
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
I'll see about tackling some of these issues.
EDIT: qualified the origin of the openssh FIPS-restricted settings.
I was able to access a FIPS machine, using the workaround I wrote yesterday. I'm just looking to see if this is being worked on currently. The clean and useful way to address this would be for me to provide a patch.
https://github.com/hierynomus/sshj/issues/526#issuecomment-895576566
Hi,
When Linux system is FIPS enabled, while connecting using sshj client, getting NPE. When FIPS is disabled, we can successfully establish ssh connection. Please suggest.
2021-02-24 14:27:34,672 INFO [net.schmizz.sshj.transport.TransportImpl] (default task-7) Client identity string: SSH-2.0-SSHJ_0.27.0 2021-02-24 14:27:34,773 INFO [net.schmizz.sshj.transport.TransportImpl] (default task-7) Server identity string: SSH-2.0-OpenSSH_7.4 2021-02-24 14:27:34,829 ERROR [net.schmizz.sshj.transport.TransportImpl] (reader) Dying because - null: java.lang.NullPointerException at net.schmizz.sshj.transport.kex.AbstractDHGex.parseGexReply(AbstractDHGex.java:89) at net.schmizz.sshj.transport.kex.AbstractDHGex.next(AbstractDHGex.java:58) at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:364) at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:503) at net.schmizz.sshj.transport.Decoder.decodeMte(Decoder.java:159) at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:79) at net.schmizz.sshj.transport.Decoder.received(Decoder.java:231) at net.schmizz.sshj.transport.Reader.run(Reader.java:59) 2021-02-24 14:27:34,830 INFO [net.schmizz.sshj.transport.TransportImpl] (reader) Disconnected - UNKNOWN 2021-02-24 14:27:34,834 ERROR [net.schmizz.concurrent.Promise] (default task-7) <> woke to: net.schmizz.sshj.transport.TransportException