[ssh_x509] Consider logging "run in FIPS mode" as DEBUG level message

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Mar 12 16:01:06 EET 2017

Hi Martin
> Hi Roumen,
> The following INFO-level message is printed to syslog when operating in
> FIPS mode:
> Jan 01 00:00:00 HOST sshd[3333]: sshd run in FIPS mode
> This is printed for all sub-sshd processes that get started (ref. line
> 2198: execv(rexec_argv[0], rexec_argv);) and not just for the main sshd.
> In our application, we setup and close several ssh connections per
> minutes (those are triggered by processes, not humans). So we end up
> with lots of "sshd run in FIPS mode" showing up in the syslog.
Message is added due to some FIPS application requirement.
If I remember well is not required but good to have.
> I was wondering if you would consider changing the level of this message
> from INFO to DEBUG1 (or even lower) so that it would not appear with
> every ssh connection. Another option would be to only print it for the
> main sshd process and not every sub-process.
I prefer to write message to standard output, preferable error output 
I hope that such modification is fine with your environment.

> In the meantime we're going to change LogLevel from INFO to ERROR in
> sshd_config.
> Thanks,
> Martin Belanger
> Dell Networking


Secure shell with X.509 certificate support

More information about the ssh_x509 mailing list