
ssh-util: drop FIPS path from openssh-static, keep non-FIPS build#36858

Merged
jasonhernandez merged 1 commit into main from jason/sec-236-openssh-static-no-fips on Jun 2, 2026

Conversation

@jasonhernandez (Contributor) commented Jun 2, 2026

Summary

Carves the FIPS work out of #35858 and back into a separate draft (#36859), which is gated on AWS-LC-FIPS 3.x completing NIST CMVP validation. The static OpenSSH image stays on main because it is the prerequisite for the distroless migration of environmentd/clusterd, independent of FIPS.

This addresses the post-merge QA review on #35858 (#35858 (comment)), which found the FIPS path could not actually produce a validated module yet.

Changes

  • Dockerfile: remove the AWS_LC_FIPS build arg and -DFIPS=1 cmake path; the image now builds only a non-FIPS static ssh against a regular AWS-LC release. Bump OpenSSH to V_10_3_P1, which natively stubs BN_set_flags() for AWS-LC, so the prior -DBN_FLG_CONSTTIME=0 shim is dropped (it was a footgun: a global value-define of a security-critical OpenSSL macro to 0).
  • Keep the configure-CPPFLAGS hardening fix from the QA review (Finding 3): inject -DBN_FLG_CONSTTIME=0 at configure time so OpenSSH's hardening/optimization flags (-O2, -fstack-protector-strong, -fPIE, -ftrapv, ...) are preserved. A make CFLAGS=... override silently replaced them, producing an unhardened binary.
  • tunnel.rs: remove the dormant MZ_FIPS SSH-config enforcement (fips_mode_enabled / write_fips_ssh_config and the call site).

Opened as a draft at the author's request.

Part of SEC-236.

Test plan

  • cargo check -p mz-ssh-util passes (rustc 1.96.0)
  • cargo fmt -p mz-ssh-util --check clean
  • Docker build of misc/images/openssh-static/ produces a working static binary (verified: statically-linked OpenSSH_10.3p1 against AWS-LC 1.54.0, 3.9M)

🤖 Generated with Claude Code

Carves the FIPS work out of #35858 (moved to a separate SEC-236 draft that
is gated on AWS-LC-FIPS 3.x completing NIST CMVP validation). The static
OpenSSH image stays on main because it is the prerequisite for the
distroless migration of environmentd/clusterd, independent of FIPS.

- Remove the AWS_LC_FIPS build arg and the -DFIPS=1 cmake path; the image
  now builds only a non-FIPS static ssh against a regular AWS-LC release.
- Bump OpenSSH to V_10_3_P1. 10.0+ natively stubs BN_set_flags() for AWS-LC
  (openssl-compat.h, under OPENSSL_IS_AWSLC), so the prior
  -DBN_FLG_CONSTTIME=0 shim is no longer needed and is dropped. That define
  was a footgun: a global value-define of a security-critical OpenSSL macro
  to 0, inert against AWS-LC but a latent timing-side-channel landmine if
  the backend ever changed.
- Inject nothing at build time; run a plain `./configure && make ssh` so
  OpenSSH's hardening/optimization flags are preserved (a `make CFLAGS=...`
  override would replace them, producing an unhardened binary).
- Remove the dormant MZ_FIPS SSH-config enforcement from tunnel.rs
  (fips_mode_enabled / write_fips_ssh_config and the call site).

Verified: `docker build` produces a statically-linked OpenSSH_10.3p1 binary
against AWS-LC 1.54.0 (3.9M, stripped).

Part of SEC-236.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
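The PR description (Finding 3) and the commit message both turn on the same build-system detail: a `make CFLAGS=...` command-line override replaces the Makefile's entire CFLAGS value, silently dropping the hardening flags that `./configure` put there, whereas a plain `./configure && make ssh` (or a configure-time CPPFLAGS) keeps them. The following shell script is an added example, not code from this PR or the repository: it audits verbose build output (a `make V=1` log or a Docker build log) and reports every compile command missing one of the flags the PR names. The two log excerpts are constructed for the example, and the flag list is the one from the PR description.

```sh
#!/bin/sh
# Added example: audit verbose build output for compile commands that lack the
# hardening/optimization flags OpenSSH's configure normally puts in CFLAGS.
# The log lines below are constructed; the flag list is the one named in the PR.

REQUIRED_FLAGS="-O2 -fstack-protector-strong -fPIE -ftrapv"

# Constructed sample: a plain `./configure && make ssh` build.
LOG_PLAIN='make[1]: Entering directory /src/openssh
cc -g -O2 -pipe -Wall -fstack-protector-strong -fPIE -ftrapv -I. -c ssh.c -o ssh.o
cc -g -O2 -pipe -Wall -fstack-protector-strong -fPIE -ftrapv -I. -c sshconnect.c -o sshconnect.o
rm -f ssh'

# Constructed sample: the same build after `make CFLAGS=-DBN_FLG_CONSTTIME=0`,
# which replaces the whole CFLAGS value instead of appending to it.
LOG_OVERRIDE='make[1]: Entering directory /src/openssh
cc -DBN_FLG_CONSTTIME=0 -I. -c ssh.c -o ssh.o
cc -DBN_FLG_CONSTTIME=0 -I. -c sshconnect.c -o sshconnect.o
rm -f ssh'

# Print one "missing <flag>: <compile line>" record for every required flag
# absent from every compile command in the log; print nothing if all are present.
# Only lines that look like a compile step (compiler name ... -c) are examined.
check_hardening() {
    printf '%s\n' "$1" | grep -E '^(cc|gcc|clang) .* -c ' | while IFS= read -r line; do
        for flag in $REQUIRED_FLAGS; do
            # Pad with spaces so a flag only matches as a whole word.
            case " $line " in
                *" $flag "*) ;;
                *) printf 'missing %s: %s\n' "$flag" "$line" ;;
            esac
        done
    done
}

# Exit 0 when every compile command carries all required flags, 1 otherwise.
hardened() {
    [ -z "$(check_hardening "$1")" ]
}

# Human-readable verdict for one log, with the offending lines on failure.
report() {
    if hardened "$2"; then
        echo "$1: all compile commands hardened"
    else
        echo "$1: hardening flags dropped"
        check_hardening "$2"
    fi
}

report LOG_PLAIN "$LOG_PLAIN"
report LOG_OVERRIDE "$LOG_OVERRIDE"
```

Run against a real `make V=1` log by replacing the constructed strings with `"$(cat build.log)"`; a non-empty report from `check_hardening` is the symptom the QA review found, and the fix is to pass extra defines at configure time (CPPFLAGS) rather than on the `make` command line.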
@jasonhernandez jasonhernandez force-pushed the jason/sec-236-openssh-static-no-fips branch from 2ccbafc to ce29a37 June 2, 2026 03:59
@jasonhernandez jasonhernandez marked this pull request as ready for review June 2, 2026 04:09
@jasonhernandez jasonhernandez requested a review from a team as a code owner June 2, 2026 04:09
@jasonhernandez jasonhernandez requested a review from def- June 2, 2026 04:09
@jasonhernandez (Contributor, Author) commented:

@def- per your feedback / review. I'm removing the incomplete scaffolding for FIPS support and just focusing on getting rid of the openssh dependency to unblock more use of distroless for now.

@jasonhernandez jasonhernandez merged commit 202a4d6 into main Jun 2, 2026
118 checks passed
@jasonhernandez jasonhernandez deleted the jason/sec-236-openssh-static-no-fips branch June 2, 2026 13:22