| 1 | +--- |
| 2 | +title: "Set up FIPS-compliant secure remote Linux development" |
| 3 | +description: "How to set up a FIPS-compliant cryptographic connection between Visual Studio and a Linux machine for remote development." |
| 4 | +ms.date: "01/17/2020" |
| 5 | +--- |
| 6 | +# Set up FIPS-compliant secure remote Linux development |
| 7 | + |
| 8 | +::: moniker range="<=vs-2017" |
| 9 | + |
| 10 | +Linux support is available in Visual Studio 2017 and later. FIPS-compliant secure remote Linux development is available in Visual Studio 2019 version 16.5 and later. |
| 11 | + |
| 12 | +::: moniker-end |
| 13 | + |
| 14 | +::: moniker range="vs-2019" |
| 15 | + |
| 16 | +Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard for cryptographic modules. Implementations of the standard are validated by NIST. Windows has [validated support for FIPS-compliant cryptographic modules](/windows/security/threat-protection/fips-140-validation). In Visual Studio 2019 version 16.5 and later, you can use a secure, FIPS-compliant cryptographic connection to your Linux system for remote development. |
| 17 | + |
| 18 | +To set up a secure, FIPS-compliant connection between Visual Studio and your remote Linux system, follow this guide. It's applicable when you build CMake or MSBuild Linux projects in Visual Studio. This article is the FIPS-compliant version of the connection instructions in [Connect to your remote Linux computer](connect-to-your-remote-linux-computer.md). |
| 19 | + |
| 20 | +## Prepare a FIPS-compliant connection |
| 21 | + |
| 22 | +Some preparation is required to use a FIPS-compliant, cryptographically secure ssh connection between Visual Studio and your remote Linux system. For FIPS-140-2 compliance, Visual Studio only supports RSA keys. |
| 23 | + |
| 24 | +The examples in this article use Ubuntu 18.04 LTS with OpenSSH server version 7.6. However, the instructions should be the same for any distro using a moderately recent version of OpenSSH. |
| 25 | + |
| 26 | +### To set up the SSH server on the remote system |
| 27 | + |
| 28 | +1. On the Linux system, install and start the OpenSSH server: |
| 29 | + |
| 30 | + ```bash |
| 31 | + sudo apt install openssh-server |
| 32 | + sudo service ssh start |
| 33 | + ``` |
| 34 | + |
| 35 | +1. If you’d like the ssh server to start automatically when the system boots, enable it using systemctl: |
| 36 | + |
| 37 | + ```bash |
| 38 | + sudo systemctl enable ssh |
| 39 | + ``` |
| 40 | + |
| 41 | +1. Open */etc/ssh/sshd_config* as root. Edit (or add, if they don’t exist) the following lines: |
| 42 | + |
| 43 | + ```config |
| 44 | + Ciphers aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc |
| 45 | + HostKeyAlgorithms ssh-rsa |
| 46 | + KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 |
| 47 | + MACs hmac-sha2-256,hmac-sha1 |
| 48 | + ``` |
| 49 | + |
| 50 | + > [!NOTE] |
| 51 | + > ssh-rsa is the only FIPS compliant host key algorithm VS supports. aes*-ctr is also FIPS compliant, but the implementation in Visual Studio isn't approved. ecdh-* key exchange algorithms are FIPS compliant but Visual Studio doesn't support them. |
| 52 | +
|
| 53 | + Some other relevant security options you may want to consider are `PermitRootLogin`, `PasswordAuthentication`, and `PermitEmptyPasswords`. For more information, see the man page for sshd_config or the article [SSH Server Configuration](https://www.ssh.com/ssh/sshd_config). |
| 54 | + |
| 55 | +1. After saving and closing sshd_config, restart the ssh server to apply the new configuration: |
| 56 | + |
| 57 | + ```bash |
| 58 | + sudo service ssh restart |
| 59 | + ``` |
| 60 | + |
| 61 | +Next, you'll create an RSA key pair on your Windows computer. Then you'll copy the public key to the remote Linux system for use by ssh. |
| 62 | + |
| 63 | +### To create and use an RSA key file |
| 64 | + |
| 65 | +1. On the Windows machine, generate a public/private RSA key pair by using this command: |
| 66 | + |
| 67 | + ```cmd |
| 68 | + ssh-keygen -t rsa -b 4096 |
| 69 | + ``` |
| 70 | + |
| 71 | + The command creates a public key and a private key. By default, the keys are saved to *%USERPROFILE%\\.ssh\\id_rsa* and *%USERPROFILE%\\.ssh\\id_rsa.pub*. (In Powershell, use `$env:USERPROFILE` instead of the cmd macro `%USERPROFILE%`) If you change the key name, use the changed name in the steps that follow. We recommend you use a passphrase for increased security. |
| 72 | + |
| 73 | +1. From Windows, copy the public key to the Linux machine: |
| 74 | + |
| 75 | + ```cmd |
| 76 | + scp -p %USERPROFILE%\.ssh\id_rsa.pub user@hostname |
| 77 | + ``` |
| 78 | + |
| 79 | +1. On the Linux system, add the key to the list of authorized keys, and ensure the file has the correct permissions: |
| 80 | + |
| 81 | + ```bash |
| 82 | + cat ~/id_rsa.pub >> ~/.ssh/authorized_keys |
| 83 | + chmod 600 ~/.ssh/authorized_keys |
| 84 | + ``` |
| 85 | + |
| 86 | +1. Now, you can test to see if the new key works in ssh. Use it to sign in from Windows: |
| 87 | + |
| 88 | + ```cmd |
| 89 | + ssh -i %USERPROFILE%\.ssh\id_rsa user@hostname |
| 90 | + ``` |
| 91 | +
|
| 92 | +You've successfully set up ssh, created and deployed encryption keys, and tested your connection. Now you're ready to set up the Visual Studio connection. |
| 93 | +
|
| 94 | +## Connect to the remote system in Visual Studio |
| 95 | +
|
| 96 | +1. In Visual Studio, choose **Tools > Options** on the menu bar to open the **Options** dialog. Then select **Cross Platform > Connection Manager** to open the Connection Manager dialog. |
| 97 | +
|
| 98 | + If you haven't set up a connection in Visual Studio before, when you build your project for the first time, Visual Studio opens the Connection Manager dialog for you. |
| 99 | +
|
| 100 | +1. In the Connection Manager dialog, choose the **Add** button to add a new connection. |
| 101 | +
|
| 102 | +  |
| 103 | +
|
| 104 | + The **Connect to Remote System** window is displayed. |
| 105 | +
|
| 106 | +  |
| 107 | +
|
| 108 | +1. In the **Connect to Remote System** dialog, enter the connection details of your remote machine. |
| 109 | +
|
| 110 | + | Entry | Description |
| 111 | + | ----- | --- |
| 112 | + | **Host Name** | Name or IP address of your target device |
| 113 | + | **Port** | Port that the SSH service is running on, typically 22 |
| 114 | + | **User name** | User to authenticate as |
| 115 | + | **Authentication type** | Choose Private Key for a FIPS-compliant connection |
| 116 | + | **Private key file** | Private key file created for ssh connection |
| 117 | + | **Passphrase** | Passphrase used with private key selected above |
| 118 | +
|
| 119 | + Change the authentication type to **Private Key**. Enter the path to your private key in the **Private key file** field. You can use the **Browse** button to navigate to your private key file instead. Then, enter the passphrase used to encrypt your private key file in the **Passphrase** field. |
| 120 | +
|
| 121 | +1. Choose the **Connect** button to attempt a connection to the remote computer. |
| 122 | +
|
| 123 | + If the connection succeeds, Visual Studio configures IntelliSense to use the remote headers. For more information, see [IntelliSense for headers on remote systems](configure-a-linux-project.md#remote_intellisense). |
| 124 | +
|
| 125 | + If the connection fails, the entry boxes that need to be changed are outlined in red. |
| 126 | +
|
| 127 | +  |
| 128 | +
|
| 129 | + For more information on troubleshooting your connection, see [Connect to your remote Linux computer](connect-to-your-remote-linux-computer.md). |
| 130 | +
|
| 131 | +## Optional: Enable or disable FIPS mode |
| 132 | +
|
| 133 | +It's possible to enable FIPS mode globally in Windows. |
| 134 | +
|
| 135 | +1. To enable FIPS mode, press **Windows+R** to open the Run dialog, and then run gpedit.msc. |
| 136 | +
|
| 137 | +1. Expand **Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies** and select **Security Options**. |
| 138 | +
|
| 139 | +1. Under **Policy**, select **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing**, and then press **Enter** to open its dialog box. |
| 140 | +
|
| 141 | +1. In the **Local Security Setting** tab, select **Enabled** or **Disabled**, and then choose **OK** to save your changes. |
| 142 | +
|
| 143 | +> [!WARNING] |
| 144 | +> The System cryptography security option may cause some applications to break or behave unexpectedly. For more information, see the blog post [Why We’re Not Recommending "FIPS mode" Anymore](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-8217-re-not-recommending-8220-fips-mode-8221-anymore/ba-p/701037). |
| 145 | +
|
| 146 | +## Additional resources |
| 147 | +
|
| 148 | +[Microsoft documentation on FIPS 140 validation](/windows/security/threat-protection/fips-140-validation) |
| 149 | +
|
| 150 | +[FIPS 140-2: Security Requirements for Cryptographic Modules](https://csrc.nist.gov/publications/detail/fips/140/2/final) (from NIST) |
| 151 | +
|
| 152 | +[Cryptographic Algorithm Validation Program: Validation Notes](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/Validation-Notes) (from NIST) |
| 153 | +
|
| 154 | +Microsoft blog post on [Why We’re Not Recommending "FIPS mode" Anymore](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-8217-re-not-recommending-8220-fips-mode-8221-anymore/ba-p/701037) |
| 155 | +
|
| 156 | +[SSH Server Configuration](https://www.ssh.com/ssh/sshd_config) |
| 157 | +
|
| 158 | +## See Also |
| 159 | +
|
| 160 | +[Configure a Linux project](configure-a-linux-project.md)\ |
| 161 | +[Configure a Linux CMake project](cmake-linux-project.md)\ |
| 162 | +[Connect to your remote Linux computer](connect-to-your-remote-linux-computer.md)\ |
| 163 | +[Deploy, run, and debug your Linux project](deploy-run-and-debug-your-linux-project.md)\ |
| 164 | +[Configure CMake debugging sessions](../build/configure-cmake-debugging-sessions.md) |
| 165 | +
|
| 166 | +::: moniker-end |
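Review bot: the Windows copy step `scp -p %USERPROFILE%\.ssh\id_rsa.pub user@hostname` is missing the remote path separator, so scp writes the public key to a local file literally named `user@hostname` instead of the remote home directory; it needs a trailing colon, `scp -p %USERPROFILE%\.ssh\id_rsa.pub user@hostname:`, for the next step's `cat ~/id_rsa.pub >> ~/.ssh/authorized_keys` to find the file. That append step also assumes `~/.ssh` already exists on the Linux account, which is not the case for a fresh user; add `mkdir -p ~/.ssh && chmod 700 ~/.ssh` before it, since sshd ignores `authorized_keys` when the directory permissions are too open. In the `sshd_config` block, the `KexAlgorithms` and `MACs` lines keep SHA-1 based entries (`diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`, `hmac-sha1`) and `Ciphers` keeps `3des-cbc`; the surrounding note only explains which algorithms Visual Studio supports, so a sentence saying why the SHA-1 and 3DES entries are retained (or advising readers to drop them once the SHA-256/AES entries negotiate successfully) would make the trade-off clear. Minor: "Powershell" should be "PowerShell", and `%USERPROFILE%` is an environment variable rather than a cmd macro.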