Has anyone gotten their machine to run with FIPS? I have tried using the fips-mode-setup script as part of the crypto-policies-scripts. fips-mode-setup(8) — crypto-policies-scripts
This script completes and seems to enable FIPS. I then restart the system and FIPS is enabled.
The problem is that after doing this “ssh” no longer works. Calling ssh returns “PRNG is not seeded”.
Looking at the sshd.service logs it is also failing with the “PRNG is not seeded”.
I worked through all the solutions online for the “PRNG is not seeded” error to no avail.
Something to note: this machine is a VM so it may be affecting the capability to capture entropy.
If anyone has any options to try please let me know!
Hello, thanks for reaching out! I am using QEMU virtualization. VirtIO RNG was not enabled.
I just tried all three different sources for this setting (“/dev/hwrng”, “/dev/random”, “/dev/urandom”), rebooting each time, and am still seeing the “PRNG is not seeded” error when calling ssh.
Open each certificate (press left mouse button over certificate number) and scroll down to the box “Related Files”. Open the “security policy”. Each security policy includes instructions on how to enable, configure and check the FIPS mode for this software module.
Check your system backup before you enable fips mode…
FIPS has more strict requirements for the available entropy. Having /dev/hwrng is not enough - to actually use it you need rngd that feeds information from /dev/hwrng into the kernel entropy pool. It is provided by rng-tools.
I tried installing libopenssl-3-fips-provider and rng-tools. After installing them ssh began to function normally. Then I uninstalled both and tried each separately to isolate the fix.
The package that fixed the issue was libopenssl-3-fips-provider.
For future reference, to get FIPS mode working on openSUSE 15.6:
Install crypto-policies-scripts and libopenssl-3-fips-provider.
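
A quick check for the state this thread ended up in, where the kernel is in FIPS mode but OpenSSL has no FIPS provider to load. This is an added example, not part of the original posts; it assumes OpenSSL 3.x, that the provider appears under the name `fips` in `openssl list -providers`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host's FIPS state from two observations.

# classify_fips KERNEL_FLAG PROVIDER_LISTING
#   KERNEL_FLAG      contents of /proc/sys/crypto/fips_enabled ("1", "0", or "" if absent)
#   PROVIDER_LISTING output of `openssl list -providers` (may be empty if openssl fails)
# Prints one of: ok | provider-missing | kernel-fips-off
classify_fips() {
    flag=$1
    providers=$2
    has_fips=no
    # OpenSSL 3 prints each loaded provider as an indented line holding only
    # its name (assumed here to be "fips"); detail lines such as
    # "name: OpenSSL FIPS Provider" must not match.
    if printf '%s\n' "$providers" | grep -Eq '^[[:space:]]+fips[[:space:]]*$'; then
        has_fips=yes
    fi
    case "$flag:$has_fips" in
        1:yes) echo "ok" ;;
        1:no)  echo "provider-missing" ;;
        *)     echo "kernel-fips-off" ;;
    esac
}

# Gather the two observations from the running system and print a verdict.
fips_report() {
    flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || true)
    providers=$(openssl list -providers 2>/dev/null || true)
    verdict=$(classify_fips "$flag" "$providers")
    echo "kernel fips_enabled: ${flag:-absent}"
    echo "verdict: $verdict"
    if [ "$verdict" = "provider-missing" ]; then
        # Package name taken from the thread (openSUSE 15.6).
        echo "hint: install libopenssl-3-fips-provider, then retry ssh"
        if command -v rpm >/dev/null 2>&1; then
            rpm -q libopenssl-3-fips-provider || true
        fi
    fi
}

# Constructed sample: a listing with only the default provider loaded.
SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    status: active'
echo "constructed sample (flag=1): $(classify_fips 1 "$SAMPLE_NO_FIPS")"

fips_report
```
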