|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library|
Oracle Solaris provides a FIPS-140 option for the server side and the client side. FIPS mode, where Secure Shell uses the FIPS-140 mode of OpenSSL, is not the default. You can invoke FIPS mode on the command line, as in ssh -o "UseFIPS140 yes" remote-host. As an alternative, you can set a keyword in the configuration files.
Briefly, the implementation consists of the following:
The following FIPS-approved ciphers are available on the server and client side: aes128-cbc, aes192-cbc, and aes256-cbc.
3des-cbc is available by default on the client side, but it is not in the server side cipher list because of potential security risks.
The following FIPS-approved Message Authentication Codes (MAC) are available:
Four server-client configurations are supported:
No FIPS mode on either client or server side
FIPS mode on both the client and server side
FIPS mode on the server side, but no FIPS on client side
No FIPS mode on the server side, but FIPS mode on the client side
The ssh-keygen command has an option to generate the user's private key in the PKCS #8 format that Secure Shell clients in FIPS mode require. For more information, see the ssh-keygen(1) man page.
When you use a Sun Crypto Accelerator 6000 card for Secure Shell operations, Secure Shell runs with FIPS-140 support at Level 3. Level 3 hardware is certified to resist physical tampering, use identity-based authentication, and isolate the interfaces that handle critical security parameters from the hardware's other interfaces.