Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#48044 closed defect (fixed)

openssh-6.8p1_1: none cipher disabled

Reported by: bock@…
Owned by: Ionic (Mihai Moldovan)
Priority: Normal
Milestone:
Component: ports
Version: 2.3.3
Keywords:
Cc: neverpanic (Clemens Lang), Ionic (Mihai Moldovan)
Port: openssh

Description

Hello. I tried to have a working openssh with HPN, but it doesn't work.

sudo port install  openssh +hpn+kerberos5+xauth
--->  Computing dependencies for python27
--->  Fetching archive for python27
--->  Attempting to fetch python27-2.7.10_2.darwin_14.x86_64.tbz2 from http://mse.uk.packages.macports.org/sites/packages.macports.org/python27
--->  Attempting to fetch python27-2.7.10_2.darwin_14.x86_64.tbz2.rmd160 from http://mse.uk.packages.macports.org/sites/packages.macports.org/python27
--->  Installing python27 @2.7.10_2
--->  Cleaning python27
--->  Computing dependencies for python27
--->  Deactivating python27 @2.7.9_0
--->  Cleaning python27
--->  Activating python27 @2.7.10_2

To make this the default Python or Python 2 (i.e., the version run by the 'python' or 'python2' commands), run one or both of:

    sudo port select --set python python27
    sudo port select --set python2 python27

--->  Cleaning python27
--->  Computing dependencies for openssh
--->  Fetching archive for openssh
--->  Attempting to fetch openssh-6.8p1_1+hpn+kerberos5+xauth.darwin_14.x86_64.tbz2 from http://mse.uk.packages.macports.org/sites/packages.macports.org/openssh
--->  Attempting to fetch openssh-6.8p1_1+hpn+kerberos5+xauth.darwin_14.x86_64.tbz2 from http://lil.fr.packages.macports.org/openssh
--->  Attempting to fetch openssh-6.8p1_1+hpn+kerberos5+xauth.darwin_14.x86_64.tbz2 from http://nue.de.packages.macports.org/macports/packages/openssh
--->  Fetching distfiles for openssh
--->  Verifying checksums for openssh
--->  Extracting openssh
--->  Applying patches to openssh
--->  Configuring openssh
--->  Building openssh
--->  Staging openssh into destroot
--->  Creating launchd control script
###########################################################
# A startup item has been generated that will aid in
# starting openssh with launchd. It is disabled
# by default. Execute the following command to start it,
# and to cause it to launch at startup:
#
# sudo port load openssh
###########################################################
--->  Installing openssh @6.8p1_1+hpn+kerberos5+xauth
--->  Activating openssh @6.8p1_1+hpn+kerberos5+xauth
--->  Cleaning openssh
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  No broken files found.

bock@wax-air(/Users/bock)> sudo port info openssh
Password:
openssh @6.8p1_1 (net)
Variants:             gsskex, hpn, [+]kerberos5, ldns, universal, [+]xauth

Description:          OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to
                      rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet
                      unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other
                      network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.
Homepage:             http://www.openbsd.org/openssh/

Library Dependencies: openssl, zlib, tcp_wrappers, kerberos5
Runtime Dependencies: xauth
Platforms:            darwin
License:              BSD
Maintainers:          nomaintainer@macports.org


/opt/local/bin/ssh -V
OpenSSH_6.8p1, OpenSSL 1.0.2b 11 Jun 2015

I tried to clean and uninstall, but it still doesn't work. I tried to check with scp:

/opt/local/bin/scp -4 -oNoneSwitch=yes -oNoneEnabled=yes ...
command-line: line 0: Bad configuration option: noneswitch
lost connection

So port install shows that hpn is enabled, but port info openssh shows it as disabled. Thank you.

Change History (8)

comment:1 Changed 5 years ago by neverpanic (Clemens Lang)

Cc: cal@… added
Keywords: openssh hpn removed
Owner: changed from macports-tickets@… to ionic@…

ionic modified that in r134753. Can you comment on that?

comment:2 Changed 5 years ago by Ionic (Mihai Moldovan)

I had to rebase all patches against 6.8p1. Maybe I did something wrong?

Looks like I also need to add -DNONE_CIPHER_ENABLED to configure.cppflags to enable the none cipher. AFAIK this was disabled in the FreeBSD port, because... it doesn't make sense to use no encryption for ssh.

comment:3 Changed 5 years ago by bock@…

Anyway, if you are planning to use NONE_CIPHER, you should enable it on the server side in sshd_config, so this thing is used only for scp/rsync files. It detects automatically: if this is an interactive session, none-cipher will be disabled. I see no sense in disabling it here :)

comment:4 Changed 5 years ago by bock@…

So the ticket can be renamed to: openssh-6.8p1_1+hpn+kerberos5+xauth HPN feature NoneCipher isn't enabled

comment:5 Changed 5 years ago by Ionic (Mihai Moldovan)

Cc: ionic@… added
Summary: changed from openssh-6.8p1_1+hpn+kerberos5+xauth HPN doesn't work to openssh-6.8p1_1: none cipher disabled

comment:6 Changed 5 years ago by Ionic (Mihai Moldovan)

I've added a new variant none_cipher in r138082.

I don't like to enable it by default because it disables encryption, which could be a potential security problem, especially for companies that have a policy of encrypting everything.

comment:7 Changed 5 years ago by Ionic (Mihai Moldovan)

Resolution: fixed
Status: changed from new to closed

comment:8 Changed 5 years ago by bock@…

/opt/local/bin/scp -4 -o NoneSwitch=yes -o NoneEnabled=yes /

WARNING: ENABLED NONE CIPHER

Nice, thank you!
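
Added example, not part of the ticket or of the openssh port: a shell check that flags the HPN none-cipher options discussed above, for sites that require every SSH transfer to be encrypted. It reads ssh_config/sshd_config syntax and the `-o` command-line form used in the ticket; the sample inputs are constructed, and the server-side keyword is assumed to be the same `NoneEnabled` keyword as the client option shown above.

```shell
#!/bin/sh
# Added example (assumptions: keyword names taken from the -o options in the ticket).

# Read OpenSSH config syntax on stdin; print "line:keyword=value" for each
# NoneEnabled/NoneSwitch that is switched on. Keywords are case-insensitive and
# may be separated from the value by whitespace or "=".
none_cipher_hits() {
    awk '{
        line = $0
        sub("#.*", "", line)                    # drop comments
        sub(/^[ \t]+/, "", line)
        if (line == "") next
        key = line
        sub(/[ \t=].*/, "", key)                # keyword ends at blank or "="
        val = substr(line, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)         # drop the separator
        sub(/[ \t\r]+$/, "", val)
        gsub(/"/, "", val)                      # values may be quoted
        key = tolower(key); val = tolower(val)
        if ((key == "noneenabled" || key == "noneswitch") && val == "yes")
            printf "%d:%s=%s\n", NR, key, val
    }'
}

# Turn the "-oKey=Val" and "-o Key=Val" arguments of an ssh/scp command line
# (stdin) into config lines, so the same check covers scripts and shell history.
cmdline_options() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-o" && i < NF) { i++; print $i }
            else if ($i ~ /^-o./) print substr($i, 3)
        }
    }'
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
NoneEnabled yes
#NoneSwitch yes
noneswitch = "no"'
SAMPLE_CMDLINE='/opt/local/bin/scp -4 -o NoneSwitch=yes -oNoneEnabled=yes src dst'

printf '%s\n' "$SAMPLE_CONFIG" | none_cipher_hits
printf '%s\n' "$SAMPLE_CMDLINE" | cmdline_options | none_cipher_hits
```

For the command-line form, the number before the colon is the position of the `-o` option rather than a file line.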
