Freddie Cash
2011-Dec-02 23:26 UTC
r228152: anyone got the None cipher working with base OpenSSH?
Looking through the commit messages for stable/8 and stable/9 I noticed that the HPN patches were applied to OpenSSH in the base install. And reading through the commit messages I see that one has to manually enable the None cipher. However, I cannot, for the life of me, figure out how to do that.

The commit message for r228152 says to put "NONE_CIPHER_ENABLED=yes" into /etc/make.conf. But doing so still gives the following error when world is rebuilt/reinstalled:

command-line: line 0: Bad configuration option: NoneEnabled

Putting NONE_CIPHER_ENABLED=yes into /etc/src.conf and rebuilding world gives the same error.

And, running "make -DNONE_CIPHER_ENABLED all install" under /usr/src/secure/usr.bin/ssh/ also gives the same error.

What am I missing? What's the magic incantation to add the None cipher to base ssh?

--
Freddie Cash
fjwcash@gmail.com

Jeremy Chadwick
2011-Dec-02 23:32 UTC
r228152: anyone got the None cipher working with base OpenSSH?
On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote:
> Looking through the commit messages for stable/8 and stable/9 I noticed
> that the HPN patches were applied to OpenSSH in the base install. And
> reading through the commit messages I see that one has to manually enable
> the None cipher. However, I cannot, for the life of me, figure out how to
> do that.
>
> The commit message for r228152 says to put "NONE_CIPHER_ENABLED=yes" into
> /etc/make.conf. But doing so still gives the following error when world is
> rebuilt/reinstalled:
> command-line: line 0: Bad configuration option: NoneEnabled
>
> Putting NONE_CIPHER_ENABLED=yes into /etc/src.conf and rebuilding world
> gives the same error.
>
> And, running "make -DNONE_CIPHER_ENABLED all install" under
> /usr/src/secure/usr.bin/ssh/ also gives the same error.
>
> What am I missing? What's the magic incantation to add the None cipher to
> base ssh?

I have been discussing this with bz@ and brooks@ privately. I would rather not go into the details of what was discussed for reasons that I ALSO would rather not go into. Just know that the ambiguity is intentional.

Here is what will work for you when added to /etc/make.conf:

.if ${.CURDIR:M/usr/src/secure/*}
CFLAGS+=-DNONE_CIPHER_ENABLED
.endif

There are multiple places where this needs to get defined for it to work.

I will be working on making this a src.conf variable (of a completely different name) probably on Saturday, but I do not have time today or on Sunday to do it.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |

Bjoern A. Zeeb
2011-Dec-02 23:37 UTC
r228152: anyone got the None cipher working with base OpenSSH?
On 2. Dec 2011, at 22:57 , Freddie Cash wrote:
> Looking through the commit messages for stable/8 and stable/9 I noticed
> that the HPN patches were applied to OpenSSH in the base install. And
> reading through the commit messages I see that one has to manually enable
> the None cipher. However, I cannot, for the life of me, figure out how to
> do that.
>
> The commit message for r228152 says to put "NONE_CIPHER_ENABLED=yes" into
> /etc/make.conf.

No, that's not what the commit message says. Read more carefully;-)

However Jeremy's suggestion might be working better for the moment.

/bz

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.

Jeremy Chadwick
2011-Dec-06 18:19 UTC
r228152: anyone got the None cipher working with base OpenSSH?
On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote:
> What am I missing? What's the magic incantation to add the None cipher to
> base ssh?

Follow-up to this situation:

I've submitted a PR to have this addressed, which includes a patch (only tested on RELENG_8 at this point) that adds the WITH_OPENSSH_NONE_CIPHER src.conf knob.

http://www.freebsd.org/cgi/query-pr.cgi?pr=163095

Read PR for patch download URL. :-) HTH!

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |