Date: Fri, 2 Dec 2011 15:32:20 -0800
From: Jeremy Chadwick
To: Freddie Cash
Cc: stable@freebsd.org
Subject: Re: r228152: anyone got the None cipher working with base OpenSSH?
Message-ID: <20111202233220.GA43495@icarus.home.lan>

On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote:
> Looking through the commit messages for stable/8 and stable/9 I noticed
> that the HPN patches were applied to OpenSSH in the base install. And
> reading through the commit messages I see that one has to manually enable
> the None cipher. However, I cannot, for the life of me, figure out how to
> do that.
>
> The commit message for r228152 says to put "NONE_CIPHER_ENABLED=yes" into
> /etc/make.conf. But doing so still gives the following error when world is
> rebuilt/reinstalled:
>     command-line: line 0: Bad configuration option: NoneEnabled
>
> Putting NONE_CIPHER_ENABLED=yes into /etc/src.conf and rebuilding world
> gives the same error.
>
> And, running "make -DNONE_CIPHER_ENABLED all install" under
> /usr/src/secure/usr.bin/ssh/ also gives the same error.
>
> What am I missing? What's the magic incantation to add the None cipher to
> base ssh?

I have been discussing this with bz@ and brooks@ privately. I would
rather not go into the details of what was discussed for reasons that I
ALSO would rather not go into. Just know that the ambiguity is
intentional.

Here is what will work for you when added to /etc/make.conf:

.if ${.CURDIR:M/usr/src/secure/*}
CFLAGS+=-DNONE_CIPHER_ENABLED
.endif

There are multiple places where this needs to get defined for it to
work.

I will be working on making this a src.conf variable (of a completely
different name) probably on Saturday, but I do not have time today or on
Sunday to do it.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |