From 1765946ba9c88737335b0cd1d018c7c60842adf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Mon, 23 Nov 2015 12:48:13 +0000 Subject: [PATCH] Retire the NONE cipher option. --- crypto/openssh/README.hpn | 25 ------------ crypto/openssh/cipher.c | 14 +------ crypto/openssh/kex.c | 26 +------------ crypto/openssh/kex.h | 5 --- crypto/openssh/myproposal.h | 5 --- crypto/openssh/openbsd-compat/bsd-misc.h | 1 - crypto/openssh/packet.c | 26 ------------- crypto/openssh/packet.h | 7 ---- crypto/openssh/pathnames.h | 5 +-- crypto/openssh/readconf.c | 41 -------------------- crypto/openssh/readconf.h | 5 --- crypto/openssh/servconf.c | 15 ------- crypto/openssh/servconf.h | 5 --- crypto/openssh/ssh.c | 9 ----- crypto/openssh/sshconnect2.c | 34 ---------------- crypto/openssh/sshd.c | 6 --- secure/lib/libssh/Makefile | 4 -- secure/usr.bin/ssh/Makefile | 4 -- secure/usr.sbin/sshd/Makefile | 4 -- share/mk/src.opts.mk | 1 - tools/build/options/WITH_OPENSSH_NONE_CIPHER | 9 ----- 21 files changed, 4 insertions(+), 247 deletions(-) delete mode 100644 tools/build/options/WITH_OPENSSH_NONE_CIPHER diff --git a/crypto/openssh/README.hpn b/crypto/openssh/README.hpn index 674827fb6b4d..f8afbc1ab945 100644 --- a/crypto/openssh/README.hpn +++ b/crypto/openssh/README.hpn @@ -1,14 +1,5 @@ Notes: -NONE CIPHER: - To use the NONE option you must have the NoneEnabled switch set on the server - and you MUST have *both* NoneEnabled and NoneSwitch set to yes on the client. - The NONE feature works with ALL ssh subsystems (as far as we can tell) - as long as there is no tty allocated. - If a user uses the -T switch to prevent a tty being created the NONE cipher - will be disabled. - - PERFORMANCE: The performance increase will only be as good as the network and TCP stack tuning on the reciever side of the connection allows. As a rule of thumb a 
@@ -93,22 +84,6 @@ HPN SPECIFIC CONFIGURATION OPTIONS: the throughput will be no more than n/RTT. The minimum buffer size is 1KB. Default is the current system wide TCP receive buffer size. -- NoneEnabled=[yes/no] client/server - Enable or disable the use of the None cipher. Care must always be used when - enabling this as it will allow users to send data in the clear. However, it - is important to note that authentication information remains encrypted even - if this option is enabled. Set to no by default. - -- NoneSwitch=[yes/no] client - Switch the encryption cipher being used to the None cipher after - authentication takes place. NoneEnabled must be enabled on both the client - and server side of the connection. When the connection switches to the NONE - cipher a warning is sent to STDERR. The connection attempt will fail with an - error if a client requests a NoneSwitch from the server that does not - explicitly have NoneEnabled set to yes. - Note: The NONE cipher cannot be used in interactive (shell) sessions and it - will fail silently. Set to no by default. - CREDITS: diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c index 532b31acff50..53d9b4fb7131 100644 --- a/crypto/openssh/cipher.c +++ b/crypto/openssh/cipher.c @@ -36,7 +36,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include @@ -225,12 +224,7 @@ ciphers_valid(const char *names) for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { c = cipher_by_name(p); -#ifdef NONE_CIPHER_ENABLED - if (c == NULL || (c->number != SSH_CIPHER_SSH2 && - c->number != SSH_CIPHER_NONE)) { -#else - if (c == NULL || (c->number != SSH_CIPHER_SSH2)) { -#endif + if (c == NULL || c->number != SSH_CIPHER_SSH2) { debug("bad cipher %s [%s]", p, names); free(cipher_list); return 0; 
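Review bot: Configurations written for the NONE cipher will stop validating after this change, and nothing in the new code tells the operator why. In the cipher.c hunk for ciphers_valid(), a `none` entry now fails `c->number != SSH_CIPHER_SSH2` and is reported only through `debug("bad cipher %s [%s]", p, names)`; how the caller surfaces that failure is outside the hunk, as are the start and end of the function. The same upgrade concern applies to the `noneenabled`/`noneswitch` keyword-table entries deleted in readconf.c and servconf.c, which presumably now resolve to `oBadOption`/`sBadOption`. Keeping them as `{ "noneenabled", sDeprecated, SSHCFG_ALL },` on the server and `{ "noneenabled", oDeprecated }, { "noneswitch", oDeprecated },` on the client (both opcodes are still in the enums) would let an old config file parse, log the retirement, and leave encryption enforced.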
@@ -485,9 +479,6 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) } switch (c->number) { -#ifdef NONE_CIPHER_ENABLED - case SSH_CIPHER_NONE: -#endif case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: @@ -527,9 +518,6 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) return; switch (c->number) { -#ifdef NONE_CIPHER_ENABLED - case SSH_CIPHER_NONE: -#endif case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c index 2536ada964da..74e2b8682e12 100644 --- a/crypto/openssh/kex.c +++ b/crypto/openssh/kex.c @@ -24,7 +24,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include @@ -146,13 +145,8 @@ kex_names_valid(const char *names) return 1; } -/* put algorithm proposal into buffer. */ -#ifndef NONE_CIPHER_ENABLED +/* put algorithm proposal into buffer */ static void -#else -/* Also used in sshconnect2.c. */ -void -#endif kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) { u_int i; @@ -466,9 +460,6 @@ kex_choose_conf(Kex *kex) int nenc, nmac, ncomp; u_int mode, ctos, need, dh_need, authlen; int first_kex_follows, type; -#ifdef NONE_CIPHER_ENABLED - int auth_flag; -#endif my = kex_buf2prop(&kex->my, NULL); peer = kex_buf2prop(&kex->peer, &first_kex_follows); @@ -492,10 +483,6 @@ kex_choose_conf(Kex *kex) } /* Algorithm Negotiation */ -#ifdef NONE_CIPHER_ENABLED - auth_flag = packet_get_authentication_state(); - debug ("AUTH STATE is %d", auth_flag); -#endif for (mode = 0; mode < MODE_MAX; mode++) { newkeys = xcalloc(1, sizeof(*newkeys)); kex->newkeys[mode] = newkeys; 
@@ -510,17 +497,6 @@ kex_choose_conf(Kex *kex) if (authlen == 0) choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); -#ifdef NONE_CIPHER_ENABLED - debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); - if (strcmp(newkeys->enc.name, "none") == 0) { - debug("Requesting NONE. Authflag is %d", auth_flag); - if (auth_flag == 1) - debug("None requested post authentication."); - else - fatal("Pre-authentication none cipher requests " - "are not allowed."); - } -#endif debug("kex: %s %s %s %s", ctos ? "client->server" : "server->client", newkeys->enc.name, diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h index 0d5c3627d611..c85680eea4dd 100644 --- a/crypto/openssh/kex.h +++ b/crypto/openssh/kex.h @@ -1,5 +1,4 @@ /* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */ -/* $FreeBSD$ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -149,10 +148,6 @@ struct Kex { int kex_names_valid(const char *); char *kex_alg_list(char); -#ifdef NONE_CIPHER_ENABLED -void kex_prop2buf(Buffer *, char *[PROPOSAL_MAX]); -#endif - Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index db25064be0b1..3a0f5aeabd6a 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -1,5 +1,4 @@ /* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */ -/* $FreeBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -110,10 +109,6 @@ "chacha20-poly1305@openssh.com," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" -#ifdef NONE_CIPHER_ENABLED -#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \ - ",none" -#endif #define KEX_DEFAULT_MAC \ "hmac-md5-etm@openssh.com," \ diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h index c96cc7b850cc..e4fa8057c58c 100644 
--- a/crypto/openssh/openbsd-compat/bsd-misc.h +++ b/crypto/openssh/openbsd-compat/bsd-misc.h @@ -20,7 +20,6 @@ #define _BSD_MISC_H #include "includes.h" -__RCSID("$FreeBSD$"); char *ssh_get_progname(char *); diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c index a4642371b814..ff70e60e08bc 100644 --- a/crypto/openssh/packet.c +++ b/crypto/openssh/packet.c @@ -202,9 +202,6 @@ struct session_state { }; static struct session_state *active_state, *backup_state; -#ifdef NONE_CIPHER_ENABLED -static int rekey_requested = 0; -#endif static struct session_state * alloc_session_state(void) @@ -1316,7 +1313,6 @@ packet_read_poll2(u_int32_t *seqnr_p) buffer_ptr(&active_state->input), block_size, 0, 0) != 0) fatal("Decryption integrity check failed"); cp = buffer_ptr(&active_state->incoming_packet); - active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || active_state->packlen > PACKET_MAX_SIZE) { @@ -1943,26 +1939,12 @@ packet_send_ignore(int nbytes) } } -#ifdef NONE_CIPHER_ENABLED -void -packet_request_rekeying(void) -{ - rekey_requested = 1; -} -#endif - #define MAX_PACKETS (1U<<31) int packet_need_rekeying(void) { if (datafellows & SSH_BUG_NOREKEY) return 0; -#ifdef NONE_CIPHER_ENABLED - if (rekey_requested == 1) { - rekey_requested = 0; - return 1; - } -#endif return (active_state->p_send.packets > MAX_PACKETS) || (active_state->p_read.packets > MAX_PACKETS) || @@ -2074,11 +2056,3 @@ packet_restore_state(void) add_recv_bytes(len); } } - -#ifdef NONE_CIPHER_ENABLED -int -packet_get_authentication_state(void) -{ - return (active_state->after_authentication); -} -#endif diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h index 524b920d52a9..f8edf851c210 100644 --- a/crypto/openssh/packet.h +++ b/crypto/openssh/packet.h @@ -1,5 +1,4 @@ /* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */ -/* $FreeBSD$ */ /* * Author: Tatu Ylonen 
@@ -39,9 +38,6 @@ void packet_set_interactive(int, int, int); int packet_is_interactive(void); void packet_set_server(void); void packet_set_authenticated(void); -#ifdef NONE_CIPHER_ENABLED -int packet_get_authentication_state(void); -#endif void packet_start(u_char); void packet_put_char(int ch); @@ -119,9 +115,6 @@ do { \ } while (0) int packet_need_rekeying(void); -#ifdef NONE_CIPHER_ENABLED -void packet_request_rekeying(void); -#endif void packet_set_rekey_limits(u_int32_t, time_t); time_t packet_get_rekey_timeout(void); diff --git a/crypto/openssh/pathnames.h b/crypto/openssh/pathnames.h index e53d67a19a78..ec89fc66650b 100644 --- a/crypto/openssh/pathnames.h +++ b/crypto/openssh/pathnames.h @@ -1,5 +1,4 @@ /* $OpenBSD: pathnames.h,v 1.24 2013/12/06 13:39:49 markus Exp $ */ -/* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -122,7 +121,7 @@ * Default location of askpass */ #ifndef _PATH_SSH_ASKPASS_DEFAULT -#define _PATH_SSH_ASKPASS_DEFAULT "/usr/local/bin/ssh-askpass" +#define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" #endif /* Location of ssh-keysign for hostbased authentication */ @@ -137,7 +136,7 @@ /* xauth for X11 forwarding */ #ifndef _PATH_XAUTH -#define _PATH_XAUTH "/usr/local/bin/xauth" +#define _PATH_XAUTH "/usr/X11R6/bin/xauth" #endif /* UNIX domain socket for X11 server; displaynum will replace %u */ diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index d5e9a4503f0b..700a79b50ce9 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -154,9 +154,6 @@ typedef enum { oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oIgnoredUnknownOption, oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, -#ifdef NONE_CIPHER_ENABLED - oNoneEnabled, oNoneSwitch, -#endif oVersionAddendum, oDeprecated, oUnsupported } OpCodes; 
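Review bot: The two pathnames.h hunks change the fallback locations of programs that ssh and sshd execute, which the commit message ("Retire the NONE cipher option") does not mention. `_PATH_SSH_ASKPASS_DEFAULT` and `_PATH_XAUTH` move from `/usr/local/bin/...` to `/usr/X11R6/bin/...`; both sit under `#ifndef`, so the effective value depends on whether the build defines them first, and that is not visible in this patch. If it does not, askpass prompts and X11 forwarding would look in a directory that may not exist on the target system. I would either keep `#define _PATH_XAUTH "/usr/local/bin/xauth"` and the matching askpass line, or move the path change into its own commit whose message names the build-side override.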
@@ -274,10 +271,6 @@ static struct { { "hpnbuffersize", oHPNBufferSize }, { "tcprcvbufpoll", oTcpRcvBufPoll }, { "tcprcvbuf", oTcpRcvBuf }, -#ifdef NONE_CIPHER_ENABLED - { "noneenabled", oNoneEnabled }, - { "noneswitch", oNoneSwitch }, -#endif { "versionaddendum", oVersionAddendum }, { NULL, oBadOption } @@ -1375,31 +1368,6 @@ process_config_line(Options *options, struct passwd *pw, const char *host, intptr = &options->tcp_rcv_buf; goto parse_int; -#ifdef NONE_CIPHER_ENABLED - case oNoneEnabled: - intptr = &options->none_enabled; - goto parse_flag; - - /* - * We check to see if the command comes from the command line or not. - * If it does then enable it otherwise fail. NONE must never be a - * default configuration. - */ - case oNoneSwitch: - if (strcmp(filename,"command-line") == 0) { - intptr = &options->none_switch; - goto parse_flag; - } else { - debug("NoneSwitch directive found in %.200s.", - filename); - error("NoneSwitch is found in %.200s.\n" - "You may only use this configuration option " - "from the command line", filename); - error("Continuing..."); - return 0; - } -#endif - case oVersionAddendum: if (s == NULL) fatal("%.200s line %d: Missing argument.", filename, @@ -1659,10 +1627,6 @@ initialize_options(Options * options) options->hpn_buffer_size = -1; options->tcp_rcv_buf_poll = -1; options->tcp_rcv_buf = -1; -#ifdef NONE_CIPHER_ENABLED - options->none_enabled = -1; - options->none_switch = -1; -#endif } /* @@ -1883,11 +1847,6 @@ fill_default_options(Options * options) options->tcp_rcv_buf *= 1024; if (options->tcp_rcv_buf_poll == -1) options->tcp_rcv_buf_poll = 1; -#ifdef NONE_CIPHER_ENABLED - /* options->none_enabled must not be set by default */ - if (options->none_switch == -1) - options->none_switch = 0; -#endif } /* diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h index 17a600374c9f..a0bac04603c6 100644 --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h 
@@ -1,5 +1,4 @@ /* $OpenBSD: readconf.h,v 1.101 2014/02/23 20:11:36 djm Exp $ */ -/* $FreeBSD$ */ /* * Author: Tatu Ylonen @@ -165,10 +164,6 @@ typedef struct { * transfer. */ int tcp_rcv_buf; /* User switch to set tcp recv buffer. */ -#ifdef NONE_CIPHER_ENABLED - int none_enabled; /* Allow none to be used */ - int none_switch; /* Use none cipher */ -#endif } Options; #define SSH_CANONICALISE_NO 0 diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 3638710e2436..5f7caeaa7d6e 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -158,9 +158,6 @@ initialize_server_options(ServerOptions *options) options->hpn_disabled = -1; options->hpn_buffer_size = -1; options->tcp_rcv_buf_poll = -1; -#ifdef NONE_CIPHER_ENABLED - options->none_enabled = -1; -#endif } void @@ -389,9 +386,6 @@ typedef enum { sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll, -#ifdef NONE_CIPHER_ENABLED - sNoneEnabled, -#endif sDeprecated, sUnsupported } ServerOpCodes; @@ -521,9 +515,6 @@ static struct { { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, -#ifdef NONE_CIPHER_ENABLED - { "noneenabled", sNoneEnabled, SSHCFG_ALL }, -#endif { NULL, sBadOption, 0 } }; @@ -1682,12 +1673,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->tcp_rcv_buf_poll; goto parse_flag; -#ifdef NONE_CIPHER_ENABLED - case sNoneEnabled: - intptr = &options->none_enabled; - goto parse_flag; -#endif - case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index 36d9966fcc44..2c37ceb45908 100644 --- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -1,5 +1,4 @@ /* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */ -/* $FreeBSD$ */ /* * Author: Tatu Ylonen 
@@ -188,10 +187,6 @@ typedef struct { * kernels. */ u_int num_auth_methods; char *auth_methods[MAX_AUTH_METHODS]; - -#ifdef NONE_CIPHER_ENABLED - int none_enabled; /* Enable NONE cipher switch. */ -#endif } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index c9433a8acf62..443dcd640c35 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -782,15 +782,6 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; -#ifdef NONE_CIPHER_ENABLED - /* - * Ensure that the user does not try to backdoor a - * NONE cipher switch on an interactive session by - * explicitly disabling it if the user asks for a - * session without a tty. - */ - options.none_switch = 0; -#endif break; case 'o': line = xstrdup(optarg); diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 37a6858793b5..ec3ad6a5f9fe 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -25,7 +25,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include #include @@ -80,16 +79,6 @@ __RCSID("$FreeBSD$"); extern char *client_version_string; extern char *server_version_string; extern Options options; -#ifdef NONE_CIPHER_ENABLED -extern Kex *xxx_kex; - -/* - * tty_flag is set in ssh.c so we can use it here. If set then prevent - * the switch to the null cipher. - */ - -extern int tty_flag; -#endif /* * SSH2 key exchange 
@@ -422,29 +411,6 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, pubkey_cleanup(&authctxt); dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); -#ifdef NONE_CIPHER_ENABLED - /* - * If the user explicitly requests to use the none cipher enable it - * post authentication and only if the right conditions are met: both - * of the NONE switches must be true and there must be no tty allocated. - */ - if (options.none_switch == 1 && options.none_enabled == 1) { - if (!tty_flag) { - debug("Requesting none cipher re-keying..."); - myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; - myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; - kex_prop2buf(&xxx_kex->my, myproposal); - packet_request_rekeying(); - fprintf(stderr, "WARNING: enabled NONE cipher\n"); - } else { - /* Requested NONE cipher on an interactive session. */ - debug("Cannot switch to NONE cipher with tty " - "allocated"); - fprintf(stderr, "NONE cipher switch disabled given " - "a TTY is allocated\n"); - } - } -#endif debug("Authentication succeeded (%s).", authctxt.method->name); } diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index e59fb3d340c7..ab73dec038ff 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -2501,12 +2501,6 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -#ifdef NONE_CIPHER_ENABLED - } else if (options.none_enabled == 1) { - debug ("WARNING: None cipher enabled"); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; -#endif } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index 725ace8d47f7..91f1587c9ef9 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile 
@@ -43,10 +43,6 @@ CFLAGS+= -I${SSHDIR} -include ssh_namespace.h CFLAGS+= -include krb5_config.h .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - NO_LINT= LIBADD+= crypto crypt z diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index b29ee2ebf136..a16f254e60e8 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -26,10 +26,6 @@ CFLAGS+= -include krb5_config.h LIBADD+= gssapi .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - LIBADD+= crypto .if defined(LOCALBASE) diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index 703771f6e92a..7ccc5ea26780 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -44,10 +44,6 @@ CFLAGS+= -include krb5_config.h LIBADD+= gssapi_krb5 gssapi krb5 .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - LIBADD+= crypto .if defined(LOCALBASE) diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 7aca91435da1..a5862dccd5a6 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -184,7 +184,6 @@ __DEFAULT_NO_OPTIONS = \ NAND \ OFED \ OPENLDAP \ - OPENSSH_NONE_CIPHER \ SHARED_TOOLCHAIN \ SORT_THREADS \ SVN diff --git a/tools/build/options/WITH_OPENSSH_NONE_CIPHER b/tools/build/options/WITH_OPENSSH_NONE_CIPHER deleted file mode 100644 index 8d44cc00c7c4..000000000000 --- a/tools/build/options/WITH_OPENSSH_NONE_CIPHER +++ /dev/null @@ -1,9 +0,0 @@ -.\" $FreeBSD$ -Set to include the "None" cipher support in OpenSSH and its libraries. -Additional adjustments may need to be done to system configuration -files, such as -.Xr sshd_config 5 , -to enable this cipher. -Please see -.Pa /usr/src/crypto/openssh/README.hpn -for full details.