The recently-committed addition of the HPN patches to the base system OpenSSH introduced the ability to make use of the "None" cipher:

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/README.hpn

However, enabling use of it requires a somewhat "hackish" addition to /etc/make.conf like the following:

.if ${.CURDIR:M/usr/src/secure/*}
CFLAGS+=-DNONE_CIPHER_ENABLED
.endif

The below patch adds the ability to enable this cipher by simply adding WITH_OPENSSH_NONE_CIPHER to one's /etc/src.conf.

The below patch was tested on RELENG_8 (with buildworld); it may require minor adjustments for application to the 9.x source.

The patch and the situation itself were initially discussed with bz@ and brooks@ privately. Desire for this is also justified via the user community:

http://lists.freebsd.org/pipermail/freebsd-stable/2011-December/064727.html

Fix: Apply the below patch. The patch will also be available for download at the below URL, once I get a PR number.

http://jdc.parodius.com/freebsd/{prnum}/

Committer should be aware that the src.conf.5 man page will need to be rebuilt prior to commit. I believe src/tools/build/options/makeman is for this purpose.

How-To-Repeat: n/a
Responsible Changed From-To: freebsd-bugs->brooks Grab this one since I committed the work it improves.
Brooks, Any word on this? It's been over 3 months, patch is included. Any political things going on which are blocking this being committed to HEAD, and then MFC'd (I absolutely need it MFC'd to RELENG_8, not to mention that's what I wrote it for -- I don't use RELENG_9). Thanks, and sorry for the bother!
Author: bz Date: Thu Jan 17 01:51:04 2013 New Revision: 245527 URL: http://svnweb.freebsd.org/changeset/base/245527 Log: Add a src.conf(5) option to allow users to compile in the "NONE cipher", which, only after authentication, disables crypto, and only for sessions without a terminal. Submitted by: Jeremy Chadwick (freebsd jdc.parodius.com) PR: bin/163095 MFC after: 10 days Added: head/tools/build/options/WITH_OPENSSH_NONE_CIPHER (contents, props changed) Modified: head/secure/lib/libssh/Makefile head/secure/usr.bin/ssh/Makefile head/secure/usr.sbin/sshd/Makefile head/share/mk/bsd.own.mk Modified: head/secure/lib/libssh/Makefile ============================================================================== --- head/secure/lib/libssh/Makefile Thu Jan 17 01:28:55 2013 (r245526) +++ head/secure/lib/libssh/Makefile Thu Jan 17 01:51:04 2013 (r245527) @@ -38,6 +38,10 @@ DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBHX5 LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken .endif +.if ${MK_OPENSSH_NONE_CIPHER} != "no" +CFLAGS+= -DNONE_CIPHER_ENABLED +.endif + NO_LINT= DPADD+= ${LIBCRYPTO} ${LIBCRYPT} Modified: head/secure/usr.bin/ssh/Makefile ============================================================================== --- head/secure/usr.bin/ssh/Makefile Thu Jan 17 01:28:55 2013 (r245526) +++ head/secure/usr.bin/ssh/Makefile Thu Jan 17 01:51:04 2013 (r245527) @@ -25,6 +25,10 @@ DPADD+= ${LIBGSSAPI} LDADD+= -lgssapi .endif +.if ${MK_OPENSSH_NONE_CIPHER} != "no" +CFLAGS+= -DNONE_CIPHER_ENABLED +.endif + DPADD+= ${LIBCRYPT} ${LIBCRYPTO} LDADD+= -lcrypt -lcrypto Modified: head/secure/usr.sbin/sshd/Makefile ============================================================================== --- head/secure/usr.sbin/sshd/Makefile Thu Jan 17 01:28:55 2013 (r245526) +++ head/secure/usr.sbin/sshd/Makefile Thu Jan 17 01:51:04 2013 (r245527) 
@@ -40,6 +40,10 @@ DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lasn1 .endif +.if ${MK_OPENSSH_NONE_CIPHER} != "no" +CFLAGS+= -DNONE_CIPHER_ENABLED +.endif + DPADD+= ${LIBCRYPTO} ${LIBCRYPT} LDADD+= -lcrypto -lcrypt Modified: head/share/mk/bsd.own.mk ============================================================================== --- head/share/mk/bsd.own.mk Thu Jan 17 01:28:55 2013 (r245526) +++ head/share/mk/bsd.own.mk Thu Jan 17 01:51:04 2013 (r245527) @@ -360,6 +360,7 @@ __DEFAULT_NO_OPTIONS = \ NMTREE \ NAND \ OFED \ + OPENSSH_NONE_CIPHER \ SHARED_TOOLCHAIN # Added: head/tools/build/options/WITH_OPENSSH_NONE_CIPHER ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITH_OPENSSH_NONE_CIPHER Thu Jan 17 01:51:04 2013 (r245527) @@ -0,0 +1,9 @@ +.\" $FreeBSD$ +Set to include the "None" cipher support in OpenSSH and its libraries. +Additional adjustments may need to be done to system configuration +files, such as +.Xr sshd_config 5 , +to enable this cipher. +Please see +.Pa /usr/src/crypto/openssh/README.hpn +for full details. _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
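Review bot: the `.if ${MK_OPENSSH_NONE_CIPHER} != "no"` / `CFLAGS+= -DNONE_CIPHER_ENABLED` / `.endif` block is pasted verbatim into secure/lib/libssh/Makefile, secure/usr.bin/ssh/Makefile and secure/usr.sbin/sshd/Makefile; one shared definition (a secure/Makefile.inc, or a CFLAGS addition next to the option in bsd.own.mk) would keep the three from drifting, since the original make.conf hack on ${.CURDIR:M/usr/src/secure/*} set the define for all of secure/ at once and a libssh built with a different NONE_CIPHER_ENABLED setting than ssh or sshd is the mismatch it was avoiding.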
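Review bot: the new tools/build/options/WITH_OPENSSH_NONE_CIPHER text says that sshd_config changes are needed "to enable this cipher" but never says what enabling it does; the log message's "only after authentication, disables crypto, and only for sessions without a terminal" belongs in this file, because makeman copies it into src.conf(5) and that is what an administrator reads before setting the knob. Suggest adding, before the "Please see" sentence, a line such as: `Sessions negotiated with this cipher are authenticated but not encrypted.`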
State Changed From-To: open->patched Grab from brooks and update status; Committed to HEAD in r245527.
Responsible Changed From-To: brooks->bz Grab from brooks and update status; Committed to HEAD in r245527.
Author: bz Date: Thu Jan 17 09:34:00 2013 New Revision: 245547 URL: http://svnweb.freebsd.org/changeset/base/245547 Log: Regen after adding WITH_OPENSSH_NONE_CIPHER in r245527. PR: bin/163095 MFC after: 10 days Modified: head/share/man/man5/src.conf.5 Modified: head/share/man/man5/src.conf.5 ============================================================================== --- head/share/man/man5/src.conf.5 Thu Jan 17 08:59:11 2013 (r245546) +++ head/share/man/man5/src.conf.5 Thu Jan 17 09:34:00 2013 (r245547) @@ -1,7 +1,7 @@ .\" DO NOT EDIT-- this file is automatically generated. .\" from FreeBSD: head/tools/build/options/makeman 236279 2012-05-30 02:37:20Z gjb .\" $FreeBSD$ -.Dd January 14, 2013 +.Dd January 17, 2013 .Dt SRC.CONF 5 .Os .Sh NAME @@ -805,7 +805,7 @@ Set to not build NLS catalogs. Set to not build NLS catalog support for .Xr csh 1 . .It Va WITH_NMTREE -.\" from FreeBSD: head/tools/build/options/WITH_NMTREE 245241 2013-01-09 21:07:08Z brooks +.\" from FreeBSD: head/tools/build/options/WITH_NMTREE 245435 2013-01-14 20:38:32Z brooks Set to install .Xr nmtree 8 as 
@@ -835,6 +835,16 @@ Infiniband software stack. .It Va WITHOUT_OPENSSH .\" from FreeBSD: head/tools/build/options/WITHOUT_OPENSSH 156932 2006-03-21 07:50:50Z ru Set to not build OpenSSH. +.It Va WITH_OPENSSH_NONE_CIPHER +.\" from FreeBSD: head/tools/build/options/WITH_OPENSSH_NONE_CIPHER 245527 2013-01-17 01:51:04Z bz +Set to include the "None" cipher support in OpenSSH and its libraries. +Additional adjustments may need to be done to system configuration +files, such as +.Xr sshd_config 5 , +to enable this cipher. +Please see +.Pa /usr/src/crypto/openssh/README.hpn +for full details. .It Va WITHOUT_OPENSSL .\" from FreeBSD: head/tools/build/options/WITHOUT_OPENSSL 156932 2006-03-21 07:50:50Z ru Set to not build OpenSSL.
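Review bot: besides the expected .Dd bump, the first hunk of the src.conf.5 regen also rewrites the WITH_NMTREE provenance comment from revision 245241 to 245435, which is unrelated to this PR; that is normal for a regen of a page that had gone stale, but the log message ("Regen after adding WITH_OPENSSH_NONE_CIPHER in r245527") should say that it also picks up the pending WITH_NMTREE update so the extra diff does not puzzle anyone bisecting.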
Responsible Changed From-To: bz->gnn I shall not use bugzilla (at least until we have a CLI).
Could we please consider turning this option on by default? As described by the commit details here, the none cipher is only enabled on a running sshd or ssh client if additional configuration is added to the configuration file. Turning this on by default would allow system administrators to use this by simply changing their sshd configuration file, rather than having to rebuild world or install ssh from ports. Note that since this was committed, the option defaults code has moved to share/mk/src.opts.mk: https://svnweb.freebsd.org/base/head/share/mk/src.opts.mk?view=markup
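Both the original report (the option has to be compiled in via src.conf) and this comment (sshd additionally has to be told to use it) describe two separate switches, so an administrator auditing a host needs to check both. The helper below is an added example, not part of this PR or the FreeBSD tree; it assumes the HPN sshd_config directive name NoneEnabled from README.hpn, evaluates only the global section of sshd_config (before any Match block), and runs on constructed sample files rather than the real /etc/src.conf and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added audit helper (assumption: HPN's sshd_config directive is "NoneEnabled").
# Reports whether the "None" cipher is compiled in AND switched on in sshd.

# 0 if the make-style file defines WITH_OPENSSH_NONE_CIPHER with any value and
# any of the =, ?=, :=, += operators, ignoring comments. .if nesting is not
# evaluated, so a conditional definition counts as present.
src_conf_enables_none() {
    awk '
        { sub(/#.*/, "") }
        $1 == "WITH_OPENSSH_NONE_CIPHER" ||
        $1 ~ /^WITH_OPENSSH_NONE_CIPHER[?:+]?=/ { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# 0 if the global section of sshd_config (before the first Match block) sets
# NoneEnabled to yes. sshd honours the first occurrence of a keyword and
# accepts "Keyword value" or "Keyword=value", case-insensitively.
sshd_config_enables_none() {
    v=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { sub(/=/, " ") }                      # normalise Keyword=value form
        tolower($1) == "match" { exit }        # Match blocks are not global
        tolower($1) == "noneenabled" { print tolower($2); exit }
    ' "$1")
    [ "$v" = "yes" ]
}

# Combine both checks into one status string: $1 = src.conf, $2 = sshd_config.
none_cipher_status() {
    if ! src_conf_enables_none "$1"; then
        echo "not-built"            # sshd cannot offer "none" at all
    elif sshd_config_enables_none "$2"; then
        echo "built-and-enabled"    # post-auth non-tty sessions may run in cleartext
    else
        echo "built-not-enabled"
    fi
}

# Constructed sample inputs (not real host files).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# local options' 'WITH_OPENSSH_NONE_CIPHER=yes' > "$SAMPLE_DIR/src.conf"
printf '%s\n' 'WITHOUT_OPENSSH_NONE_CIPHER=yes' > "$SAMPLE_DIR/src.conf.off"
printf '%s\n' 'Port 22' '# NoneEnabled yes' 'NoneEnabled=Yes' 'Match User bob' 'NoneEnabled no' > "$SAMPLE_DIR/sshd_config.on"
printf '%s\n' 'Port 22' 'Match User bob' 'NoneEnabled yes' > "$SAMPLE_DIR/sshd_config.off"

none_cipher_status "$SAMPLE_DIR/src.conf" "$SAMPLE_DIR/sshd_config.on"   # built-and-enabled
```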
*** Bug 163127 has been marked as a duplicate of this bug. ***
The NONE cipher has been removed.