207679 – r295367 import of OpenSSH drops support for some ciphers

Bug 207679 - r295367 import of OpenSSH drops support for some ciphers

Summary: r295367 import of OpenSSH drops support for some ciphers

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	10.3-BETA2
Hardware:	Any Any

Importance:	Normal Affects Some People
Assignee:	Dag-Erling Smørgrav

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-03-03 14:03 UTC by mike
Modified:	2016-03-21 10:41 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	des: mfc-stable10+

Attachments
Re-add the AES-CBC ciphers to the default server proposal list (1.24 KB, patch) 2016-03-04 08:33 UTC, Dag-Erling Smørgrav	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description mike 2016-03-03 14:03:11 UTC

The import of the latest version of OpenSSH into RELENG_10 drops ciphers such as aes128-cbc from the server.  I had a few lightweight clients using aes128-cbc (e.g alix boxes) to make use of the hardware crypto that broke as a result.

e.g. from a client going to a host that has r295367 applied.

 ssh -c aes128-cbc user@target.sentex.ca
no matching cipher found: client aes128-cbc server
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com


and running sshd -ddd

debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit:
curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[preauth]
debug2: kex_parse_kexinit:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: kex_parse_kexinit:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: kex_parse_kexinit:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: kex_parse_kexinit:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
Unable to negotiate with xx.yy.zz.146: no matching cipher found. Their
offer: aes128-cbc [preauth]
debug1: do_cleanup [preauth]

Comment 1 Dag-Erling Smørgrav freebsd_committer

2016-03-04 08:33:06 UTC

Created attachment 167706 [details]
Re-add the AES-CBC ciphers to the default server proposal list

The ciphers weren't actually dropped, just removed from the default proposal list.  The attached patch re-adds a few of them at the bottom of the proposal list.  Note that there are known weaknesses in the ssh protocol when using AES-CBC, but no known practical exploits (yet).

Comment 2 commit-hook freebsd_committer

2016-03-11 00:23:30 UTC

A commit references this bug:

Author: des
Date: Fri Mar 11 00:23:11 UTC 2016
New revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634

Log:
  Re-add AES-CBC ciphers to the default cipher list on the server.

  PR:		207679

Changes:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/sshd_config.5

Comment 3 commit-hook freebsd_committer

2016-03-12 23:53:35 UTC

A commit references this bug:

Author: des
Date: Sat Mar 12 23:53:20 UTC 2016
New revision: 296781
URL: https://svnweb.freebsd.org/changeset/base/296781

Log:
  MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh

  PR:		207679
  Security:       CVE-2016-3115

Changes:
_U  stable/10/
  stable/10/crypto/openssh/ChangeLog
  stable/10/crypto/openssh/FREEBSD-upgrade
  stable/10/crypto/openssh/Makefile.in
  stable/10/crypto/openssh/README
  stable/10/crypto/openssh/README.platform
  stable/10/crypto/openssh/auth-bsdauth.c
  stable/10/crypto/openssh/auth-krb5.c
  stable/10/crypto/openssh/auth-options.c
  stable/10/crypto/openssh/auth-pam.c
  stable/10/crypto/openssh/auth.h
  stable/10/crypto/openssh/auth2-pubkey.c
  stable/10/crypto/openssh/authfd.c
  stable/10/crypto/openssh/authfd.h
  stable/10/crypto/openssh/authfile.c
  stable/10/crypto/openssh/channels.c
  stable/10/crypto/openssh/cipher.c
  stable/10/crypto/openssh/clientloop.c
  stable/10/crypto/openssh/clientloop.h
  stable/10/crypto/openssh/config.h
  stable/10/crypto/openssh/configure.ac
  stable/10/crypto/openssh/contrib/redhat/openssh.spec
  stable/10/crypto/openssh/contrib/ssh-copy-id
  stable/10/crypto/openssh/contrib/ssh-copy-id.1
  stable/10/crypto/openssh/contrib/suse/openssh.spec
  stable/10/crypto/openssh/defines.h
  stable/10/crypto/openssh/dh.h
  stable/10/crypto/openssh/includes.h
  stable/10/crypto/openssh/kex.c
  stable/10/crypto/openssh/kex.h
  stable/10/crypto/openssh/kexc25519s.c
  stable/10/crypto/openssh/kexdhs.c
  stable/10/crypto/openssh/kexecdhs.c
  stable/10/crypto/openssh/kexgexs.c
  stable/10/crypto/openssh/key.c
  stable/10/crypto/openssh/key.h
  stable/10/crypto/openssh/krl.c
  stable/10/crypto/openssh/krl.h
  stable/10/crypto/openssh/loginrec.c
  stable/10/crypto/openssh/misc.c
  stable/10/crypto/openssh/monitor.c
  stable/10/crypto/openssh/monitor_wrap.c
  stable/10/crypto/openssh/monitor_wrap.h
  stable/10/crypto/openssh/mux.c
  stable/10/crypto/openssh/myproposal.h
  stable/10/crypto/openssh/opacket.c
  stable/10/crypto/openssh/opacket.h
  stable/10/crypto/openssh/openbsd-compat/bsd-misc.c
  stable/10/crypto/openssh/openbsd-compat/bsd-misc.h
  stable/10/crypto/openssh/openbsd-compat/bsd-poll.h
  stable/10/crypto/openssh/openbsd-compat/glob.c
  stable/10/crypto/openssh/openbsd-compat/glob.h
  stable/10/crypto/openssh/openbsd-compat/openbsd-compat.h
  stable/10/crypto/openssh/openbsd-compat/port-solaris.c
  stable/10/crypto/openssh/openbsd-compat/port-solaris.h
  stable/10/crypto/openssh/openbsd-compat/realpath.c
  stable/10/crypto/openssh/packet.c
  stable/10/crypto/openssh/packet.h
  stable/10/crypto/openssh/platform-pledge.c
  stable/10/crypto/openssh/platform.h
  stable/10/crypto/openssh/readconf.c
  stable/10/crypto/openssh/readconf.h
  stable/10/crypto/openssh/readpass.c
  stable/10/crypto/openssh/regress/Makefile
  stable/10/crypto/openssh/regress/agent-ptrace.sh
  stable/10/crypto/openssh/regress/cert-file.sh
  stable/10/crypto/openssh/regress/check-perm.c
  stable/10/crypto/openssh/regress/dhgex.sh
  stable/10/crypto/openssh/regress/hostkey-rotate.sh
  stable/10/crypto/openssh/regress/keys-command.sh
  stable/10/crypto/openssh/regress/keyscan.sh
  stable/10/crypto/openssh/regress/limit-keytype.sh
  stable/10/crypto/openssh/regress/principals-command.sh
  stable/10/crypto/openssh/regress/proxy-connect.sh
  stable/10/crypto/openssh/regress/rekey.sh
  stable/10/crypto/openssh/regress/setuid-allowed.c
  stable/10/crypto/openssh/regress/sftp-chroot.sh
  stable/10/crypto/openssh/regress/unittests/sshkey/test_file.c
  stable/10/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
  stable/10/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
  stable/10/crypto/openssh/roaming.h
  stable/10/crypto/openssh/roaming_client.c
  stable/10/crypto/openssh/roaming_common.c
  stable/10/crypto/openssh/roaming_dummy.c
  stable/10/crypto/openssh/roaming_serv.c
  stable/10/crypto/openssh/sandbox-pledge.c
  stable/10/crypto/openssh/sandbox-seccomp-filter.c
  stable/10/crypto/openssh/sandbox-solaris.c
  stable/10/crypto/openssh/sandbox-systrace.c
  stable/10/crypto/openssh/scp.1
  stable/10/crypto/openssh/scp.c
  stable/10/crypto/openssh/servconf.c
  stable/10/crypto/openssh/serverloop.c
  stable/10/crypto/openssh/session.c
  stable/10/crypto/openssh/sftp-client.c
  stable/10/crypto/openssh/sftp-client.h
  stable/10/crypto/openssh/sftp-server-main.c
  stable/10/crypto/openssh/sftp-server.c
  stable/10/crypto/openssh/sftp.1
  stable/10/crypto/openssh/sftp.c
  stable/10/crypto/openssh/ssh-add.c
  stable/10/crypto/openssh/ssh-agent.1
  stable/10/crypto/openssh/ssh-agent.c
  stable/10/crypto/openssh/ssh-dss.c
  stable/10/crypto/openssh/ssh-ecdsa.c
  stable/10/crypto/openssh/ssh-keygen.1
  stable/10/crypto/openssh/ssh-keygen.c
  stable/10/crypto/openssh/ssh-keyscan.1
  stable/10/crypto/openssh/ssh-keyscan.c
  stable/10/crypto/openssh/ssh-keysign.8
  stable/10/crypto/openssh/ssh-keysign.c
  stable/10/crypto/openssh/ssh-pkcs11-client.c
  stable/10/crypto/openssh/ssh-pkcs11-helper.c
  stable/10/crypto/openssh/ssh-pkcs11.c
  stable/10/crypto/openssh/ssh-rsa.c
  stable/10/crypto/openssh/ssh.1
  stable/10/crypto/openssh/ssh.c
  stable/10/crypto/openssh/ssh.h
  stable/10/crypto/openssh/ssh2.h
  stable/10/crypto/openssh/ssh_api.c
  stable/10/crypto/openssh/ssh_config
  stable/10/crypto/openssh/ssh_config.5
  stable/10/crypto/openssh/ssh_namespace.h
  stable/10/crypto/openssh/sshbuf-getput-basic.c
  stable/10/crypto/openssh/sshbuf.c
  stable/10/crypto/openssh/sshbuf.h
  stable/10/crypto/openssh/sshconnect.c
  stable/10/crypto/openssh/sshconnect.h
  stable/10/crypto/openssh/sshconnect1.c
  stable/10/crypto/openssh/sshconnect2.c
  stable/10/crypto/openssh/sshd.8
  stable/10/crypto/openssh/sshd.c
  stable/10/crypto/openssh/sshd_config
  stable/10/crypto/openssh/sshd_config.5
  stable/10/crypto/openssh/ssherr.c
  stable/10/crypto/openssh/sshkey.c
  stable/10/crypto/openssh/sshkey.h
  stable/10/crypto/openssh/sshlogin.c
  stable/10/crypto/openssh/uidswap.c
  stable/10/crypto/openssh/version.h
  stable/10/crypto/openssh/xmalloc.c
  stable/10/crypto/openssh/xmalloc.h
  stable/10/lib/libpam/modules/pam_ssh/Makefile
  stable/10/lib/libpam/modules/pam_ssh/pam_ssh.c
  stable/10/secure/lib/libssh/Makefile
  stable/10/secure/libexec/sftp-server/Makefile
  stable/10/secure/libexec/ssh-keysign/Makefile
  stable/10/secure/libexec/ssh-pkcs11-helper/Makefile
  stable/10/secure/usr.bin/scp/Makefile
  stable/10/secure/usr.bin/sftp/Makefile
  stable/10/secure/usr.bin/ssh/Makefile
  stable/10/secure/usr.bin/ssh-add/Makefile
  stable/10/secure/usr.bin/ssh-agent/Makefile
  stable/10/secure/usr.bin/ssh-keygen/Makefile
  stable/10/secure/usr.bin/ssh-keyscan/Makefile
  stable/10/secure/usr.sbin/sshd/Makefile

Comment 4 commit-hook freebsd_committer

2016-03-14 13:06:15 UTC

A commit references this bug:

Author: des
Date: Mon Mar 14 13:05:13 UTC 2016
New revision: 296853
URL: https://svnweb.freebsd.org/changeset/base/296853

Log:
  MFS (r296781):
    MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
    MFH (r296634): re-add aes-cbc to server-side default cipher list
    MFH (r296651, r296657): fix gcc build of pam_ssh

  PR:		207679
  Security:	CVE-2016-3115
  Approved by:	re (marius)

Changes:
_U  releng/10.3/
  releng/10.3/crypto/openssh/ChangeLog
  releng/10.3/crypto/openssh/FREEBSD-upgrade
  releng/10.3/crypto/openssh/Makefile.in
  releng/10.3/crypto/openssh/README
  releng/10.3/crypto/openssh/README.platform
  releng/10.3/crypto/openssh/auth-bsdauth.c
  releng/10.3/crypto/openssh/auth-krb5.c
  releng/10.3/crypto/openssh/auth-options.c
  releng/10.3/crypto/openssh/auth-pam.c
  releng/10.3/crypto/openssh/auth.h
  releng/10.3/crypto/openssh/auth2-pubkey.c
  releng/10.3/crypto/openssh/authfd.c
  releng/10.3/crypto/openssh/authfd.h
  releng/10.3/crypto/openssh/authfile.c
  releng/10.3/crypto/openssh/channels.c
  releng/10.3/crypto/openssh/cipher.c
  releng/10.3/crypto/openssh/clientloop.c
  releng/10.3/crypto/openssh/clientloop.h
  releng/10.3/crypto/openssh/config.h
  releng/10.3/crypto/openssh/configure.ac
  releng/10.3/crypto/openssh/contrib/redhat/openssh.spec
  releng/10.3/crypto/openssh/contrib/ssh-copy-id
  releng/10.3/crypto/openssh/contrib/ssh-copy-id.1
  releng/10.3/crypto/openssh/contrib/suse/openssh.spec
  releng/10.3/crypto/openssh/defines.h
  releng/10.3/crypto/openssh/dh.h
  releng/10.3/crypto/openssh/includes.h
  releng/10.3/crypto/openssh/kex.c
  releng/10.3/crypto/openssh/kex.h
  releng/10.3/crypto/openssh/kexc25519s.c
  releng/10.3/crypto/openssh/kexdhs.c
  releng/10.3/crypto/openssh/kexecdhs.c
  releng/10.3/crypto/openssh/kexgexs.c
  releng/10.3/crypto/openssh/key.c
  releng/10.3/crypto/openssh/key.h
  releng/10.3/crypto/openssh/krl.c
  releng/10.3/crypto/openssh/krl.h
  releng/10.3/crypto/openssh/loginrec.c
  releng/10.3/crypto/openssh/misc.c
  releng/10.3/crypto/openssh/monitor.c
  releng/10.3/crypto/openssh/monitor_wrap.c
  releng/10.3/crypto/openssh/monitor_wrap.h
  releng/10.3/crypto/openssh/mux.c
  releng/10.3/crypto/openssh/myproposal.h
  releng/10.3/crypto/openssh/opacket.c
  releng/10.3/crypto/openssh/opacket.h
  releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.c
  releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.h
  releng/10.3/crypto/openssh/openbsd-compat/bsd-poll.h
  releng/10.3/crypto/openssh/openbsd-compat/glob.c
  releng/10.3/crypto/openssh/openbsd-compat/glob.h
  releng/10.3/crypto/openssh/openbsd-compat/openbsd-compat.h
  releng/10.3/crypto/openssh/openbsd-compat/port-solaris.c
  releng/10.3/crypto/openssh/openbsd-compat/port-solaris.h
  releng/10.3/crypto/openssh/openbsd-compat/realpath.c
  releng/10.3/crypto/openssh/packet.c
  releng/10.3/crypto/openssh/packet.h
  releng/10.3/crypto/openssh/platform-pledge.c
  releng/10.3/crypto/openssh/platform.h
  releng/10.3/crypto/openssh/readconf.c
  releng/10.3/crypto/openssh/readconf.h
  releng/10.3/crypto/openssh/readpass.c
  releng/10.3/crypto/openssh/regress/Makefile
  releng/10.3/crypto/openssh/regress/agent-ptrace.sh
  releng/10.3/crypto/openssh/regress/cert-file.sh
  releng/10.3/crypto/openssh/regress/check-perm.c
  releng/10.3/crypto/openssh/regress/dhgex.sh
  releng/10.3/crypto/openssh/regress/hostkey-rotate.sh
  releng/10.3/crypto/openssh/regress/keys-command.sh
  releng/10.3/crypto/openssh/regress/keyscan.sh
  releng/10.3/crypto/openssh/regress/limit-keytype.sh
  releng/10.3/crypto/openssh/regress/principals-command.sh
  releng/10.3/crypto/openssh/regress/proxy-connect.sh
  releng/10.3/crypto/openssh/regress/rekey.sh
  releng/10.3/crypto/openssh/regress/setuid-allowed.c
  releng/10.3/crypto/openssh/regress/sftp-chroot.sh
  releng/10.3/crypto/openssh/regress/unittests/sshkey/test_file.c
  releng/10.3/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
  releng/10.3/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
  releng/10.3/crypto/openssh/roaming.h
  releng/10.3/crypto/openssh/roaming_client.c
  releng/10.3/crypto/openssh/roaming_common.c
  releng/10.3/crypto/openssh/roaming_dummy.c
  releng/10.3/crypto/openssh/roaming_serv.c
  releng/10.3/crypto/openssh/sandbox-pledge.c
  releng/10.3/crypto/openssh/sandbox-seccomp-filter.c
  releng/10.3/crypto/openssh/sandbox-solaris.c
  releng/10.3/crypto/openssh/sandbox-systrace.c
  releng/10.3/crypto/openssh/scp.1
  releng/10.3/crypto/openssh/scp.c
  releng/10.3/crypto/openssh/servconf.c
  releng/10.3/crypto/openssh/serverloop.c
  releng/10.3/crypto/openssh/session.c
  releng/10.3/crypto/openssh/sftp-client.c
  releng/10.3/crypto/openssh/sftp-client.h
  releng/10.3/crypto/openssh/sftp-server-main.c
  releng/10.3/crypto/openssh/sftp-server.c
  releng/10.3/crypto/openssh/sftp.1
  releng/10.3/crypto/openssh/sftp.c
  releng/10.3/crypto/openssh/ssh-add.c
  releng/10.3/crypto/openssh/ssh-agent.1
  releng/10.3/crypto/openssh/ssh-agent.c
  releng/10.3/crypto/openssh/ssh-dss.c
  releng/10.3/crypto/openssh/ssh-ecdsa.c
  releng/10.3/crypto/openssh/ssh-keygen.1
  releng/10.3/crypto/openssh/ssh-keygen.c
  releng/10.3/crypto/openssh/ssh-keyscan.1
  releng/10.3/crypto/openssh/ssh-keyscan.c
  releng/10.3/crypto/openssh/ssh-keysign.8
  releng/10.3/crypto/openssh/ssh-keysign.c
  releng/10.3/crypto/openssh/ssh-pkcs11-client.c
  releng/10.3/crypto/openssh/ssh-pkcs11-helper.c
  releng/10.3/crypto/openssh/ssh-pkcs11.c
  releng/10.3/crypto/openssh/ssh-rsa.c
  releng/10.3/crypto/openssh/ssh.1
  releng/10.3/crypto/openssh/ssh.c
  releng/10.3/crypto/openssh/ssh.h
  releng/10.3/crypto/openssh/ssh2.h
  releng/10.3/crypto/openssh/ssh_api.c
  releng/10.3/crypto/openssh/ssh_config
  releng/10.3/crypto/openssh/ssh_config.5
  releng/10.3/crypto/openssh/ssh_namespace.h
  releng/10.3/crypto/openssh/sshbuf-getput-basic.c
  releng/10.3/crypto/openssh/sshbuf.c
  releng/10.3/crypto/openssh/sshbuf.h
  releng/10.3/crypto/openssh/sshconnect.c
  releng/10.3/crypto/openssh/sshconnect.h
  releng/10.3/crypto/openssh/sshconnect1.c
  releng/10.3/crypto/openssh/sshconnect2.c
  releng/10.3/crypto/openssh/sshd.8
  releng/10.3/crypto/openssh/sshd.c
  releng/10.3/crypto/openssh/sshd_config
  releng/10.3/crypto/openssh/sshd_config.5
  releng/10.3/crypto/openssh/ssherr.c
  releng/10.3/crypto/openssh/sshkey.c
  releng/10.3/crypto/openssh/sshkey.h
  releng/10.3/crypto/openssh/sshlogin.c
  releng/10.3/crypto/openssh/uidswap.c
  releng/10.3/crypto/openssh/version.h
  releng/10.3/crypto/openssh/xmalloc.c
  releng/10.3/crypto/openssh/xmalloc.h
  releng/10.3/lib/libpam/modules/pam_ssh/Makefile
  releng/10.3/lib/libpam/modules/pam_ssh/pam_ssh.c
  releng/10.3/secure/lib/libssh/Makefile
  releng/10.3/secure/libexec/sftp-server/Makefile
  releng/10.3/secure/libexec/ssh-keysign/Makefile
  releng/10.3/secure/libexec/ssh-pkcs11-helper/Makefile
  releng/10.3/secure/usr.bin/scp/Makefile
  releng/10.3/secure/usr.bin/sftp/Makefile
  releng/10.3/secure/usr.bin/ssh/Makefile
  releng/10.3/secure/usr.bin/ssh-add/Makefile
  releng/10.3/secure/usr.bin/ssh-agent/Makefile
  releng/10.3/secure/usr.bin/ssh-keygen/Makefile
  releng/10.3/secure/usr.bin/ssh-keyscan/Makefile
  releng/10.3/secure/usr.sbin/sshd/Makefile