“FIPS mode initialized” when you ssh out of an ESXi box
Posted by jpluimers on 2021/05/28
The once-per-console/shell-logon output of “FIPS mode initialized” to stderr when you ssh out of an ESXi box seems to be something new since ESXi 6.7. Since I hardly do this, it took a while to reproduce it, track back the version where it was introduced, and realise why it is on stderr.
stderr in retrospect is logical: if you need to parse stdout of a job running across an ssh channel, you do not want it to get interfered with by “side channel” output, hence stderr.
For a longer explanation see, for instance [WayBack] ssh “FIPS mode initialized” message to stderr – Why? – Unix and Linux | DSLReports Forums:
Keep in mind that “ssh” is used to transport a stream, as with “rsync”. What you put on “stdout” becomes part of the stream. That’s why this sort of informational message needs to go to “stderr”.
Parsing is hard, so bugs like [WayBack] Git fetcher fails on machine with FIPS enabled machines · Issue #3664 · inspec/inspec · GitHub got [WayBack] fixed in a [WayBack] pull request by [WayBack] not parsing stderr, but checking the exit status.
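As an added illustration (not code from this post, nor from inspec or any other project linked here), a POSIX shell stand-in for the ssh call that shows why a "non-empty stderr means failure" check breaks on ESXi 6.7 while an exit-status check does not. The fake_ssh function, the ESXI_FIPS_BANNER switch and the sample output lines are constructed for the demo.

```shell
# Constructed stand-in for "ssh host command" against an ESXi 6.7+ host: the
# informational banner goes to stderr, real output to stdout, and the function
# returns the remote command's exit status. ESXI_FIPS_BANNER=no simulates a
# pre-6.7 host that prints no banner. (Demo only, not a real ssh invocation.)
fake_ssh() {
    if [ "${ESXI_FIPS_BANNER:-yes}" = yes ]; then
        echo "FIPS mode initialized" >&2
    fi
    case "$1" in
        ok) echo "ref: refs/heads/main"; return 0 ;;
        *)  echo "fatal: repository not found" >&2; return 128 ;;
    esac
}

# Fragile check (the pattern behind inspec issue #3664): any stderr output is
# treated as failure. On ESXi 6.7+ this rejects a successful command because
# the banner lands on stderr.
check_by_stderr() {
    err=$(fake_ssh "$1" 2>&1 1>/dev/null) || true
    [ -z "$err" ]
}

# Robust check: capture stdout for parsing, leave stderr alone, and decide on
# the exit status of the remote command.
check_by_exit_status() {
    out=$(fake_ssh "$1" 2>/dev/null) && status=0 || status=$?
    [ "$status" -eq 0 ] && [ -n "$out" ]
}

# Prints both verdicts for one scenario so the two checks can be compared.
verdict() {
    if check_by_stderr "$1"; then a=pass; else a=fail; fi
    if check_by_exit_status "$1"; then b=pass; else b=fail; fi
    echo "stderr-check=$a exit-status-check=$b"
}

# Example run (plain POSIX sh, as in the ESXi busybox shell):
ESXI_FIPS_BANNER=no  verdict ok      # stderr-check=pass exit-status-check=pass
ESXI_FIPS_BANNER=yes verdict ok      # stderr-check=fail exit-status-check=pass
ESXI_FIPS_BANNER=yes verdict broken  # stderr-check=fail exit-status-check=fail
```

The first line is why the fragile check went unnoticed before ESXi 6.7: with no banner, both checks agree.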
Stock OpenSSH portable does not contain FIPS support
Finding out when and how FIPS support for OpenSSH was introduced proved a bit harder than I hoped for.
It appears that stock [WayBack] OpenSSH: Portable Release does not support FIPS. But there are patches on top of these files:
- [WayBack] openssh-portable/ssh.c at master · openssh/openssh-portable · GitHub
- [WayBack] openssh-portable/sshd.c at master · openssh/openssh-portable · GitHub
Many (most?) Linux distributions include a patched version like [WayBack] ssh.c in openssh located at /openssh-5.9p1 (git://pkgs.fedoraproject.org/openssh).
They integrate the patches through their package build files, for instance [WayBack] File openssh.spec of Package openssh – openSUSE Build Service.
Patches for instance look like [WayBack] openssh/openssh-5.3p1-fips.patch at master · gooselinux/openssh · GitHub which is more than a decade old (see the 2009 message [WayBack] rpms/openssh/devel openssh-5.3p1-fips.patch, NONE, 1.1 openssh-5.3p1-mls.patch, NONE, 1.1 openssh-5.3p1-nss-keys.patch, NONE, 1.1 openssh-5.3p1-selabel.patch, NONE, 1.1 openssh-5.3p1-skip-initial.patch, NONE, 1.1 .cvsignore, 1.24, 1.25 openssh.spec, 1.170, 1.171 sources, 1.24, 1.25 openssh-3.8.1p1-krb5-config.patch, 1.1, NONE openssh-4.7p1-audit.patch, 1.2, NONE openssh-5.1p1-mls.patch, 1.1, NONE openssh-5.1p1-skip-initial.patch, 1.1, NONE openssh-5.2p1-fips.patch, 1.6, NONE openssh-5.2p1-nss-keys.patch, 1.3, NONE openssh-5.2p1-selabel.patch, 1.2, NONE).
The patches seem to originate at the (now defunct) WayBack Index of /export/openssh of http://openssl.com/export/openssh/.
In the end I found [WayBack] Mailing List Archive: OpenSSH FIPS 140-2 support using OpenSSL FIPS modules? having these quotes:
vanilla OpenSSH doesn’t support running OpenSSL in FIPS-140 mode. Some
downstream providers patch OpenSSH they deliver with their distributions
with changes to enable FIPS-140 mode.
[WayBack] Secure Shell and FIPS 140-2 – Managing Secure Shell Access in Oracle® Solaris 11.4 explains a bit of the background.
ESXi 6.7
Binary searching for the version where this was introduced could have been a lot shorter if I had done a “FIPS mode initialized” “ESXi” – Google Search, which results in, for instance:
- [WayBack] Solved: SSH and SCP commands stucked in “FIPS initializing” when launched from ESXi 6.7 CLI |VMware Communities
- [WayBack] New ESXCLI Commands in vSphere 6.7 | Virten.net
- [WayBack] XSIBackup: Restoring from remote XSITools repo in ESXi 6.7 fails
- [WayBack] XSIBackup: change log since version 4.2.4
Removal of annoying "FIPS mode initialized" message from --link-srv output in ESXi 6.7
The final two links made me discover XSIBackup.
They seem to be one of the few (the only one?!) free backup solutions for bare ESXi:
- [WayBack] Free VMWare ESXi backup solution: full featured: XSIBackup Free is a VMWare ESXi data protection solution. Differential backup and block deduplication. Works in the unlicensed version of ESXi 5.1 to 6.7
- [WayBack] VMWare Differential Backup | XSIBackup, XSIDiff: differential backup copy software for ESXi
In addition, they have a binary for rsync version 3.1.0: [WayBack] 33HOPS | Rsync for VMWare Backup, so there is less need to go to Source: ESXi 5.1 and rsync – damiendebin.net