Add a src.conf(5) option to allow users to compile in the "NONE cipher",

which, only after authentication, disables crypto, and only for sessions
without a terminal.

Submitted by:	Jeremy Chadwick (freebsd jdc.parodius.com)
PR:		bin/163095
MFC after:	10 days

secure/lib/libssh/Makefile

@@ -38,6 +38,10 @@ DPADD+=	${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${
 LDADD+=	-lgssapi -lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken
 .endif
 
+.if ${MK_OPENSSH_NONE_CIPHER} != "no"
+CFLAGS+= -DNONE_CIPHER_ENABLED
+.endif
+
 NO_LINT=
 
 DPADD+=	${LIBCRYPTO} ${LIBCRYPT}

secure/usr.bin/ssh/Makefile

@@ -25,6 +25,10 @@ DPADD+=	 ${LIBGSSAPI}
 LDADD+=	 -lgssapi
 .endif
 
+.if ${MK_OPENSSH_NONE_CIPHER} != "no"
+CFLAGS+= -DNONE_CIPHER_ENABLED
+.endif
+
 DPADD+=	${LIBCRYPT} ${LIBCRYPTO}
 LDADD+=	-lcrypt -lcrypto
 

secure/usr.sbin/sshd/Makefile

@@ -40,6 +40,10 @@ DPADD+=	 ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1}
 LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -lasn1
 .endif
 
+.if ${MK_OPENSSH_NONE_CIPHER} != "no"
+CFLAGS+= -DNONE_CIPHER_ENABLED
+.endif
+
 DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
 LDADD+=	-lcrypto -lcrypt
 

share/mk/bsd.own.mk

@@ -360,6 +360,7 @@ __DEFAULT_NO_OPTIONS = \
     NMTREE \
     NAND \
     OFED \
+    OPENSSH_NONE_CIPHER \
     SHARED_TOOLCHAIN
 
 #

tools/build/options/WITH_OPENSSH_NONE_CIPHER

@@ -0,0 +1,9 @@
+.\" $FreeBSD$
+Set to include the "None" cipher support in OpenSSH and its libraries.
+Additional adjustments may need to be done to system configuration
+files, such as
+.Xr sshd_config 5 ,
+to enable this cipher.
+Please see
+.Pa /usr/src/crypto/openssh/README.hpn
+for full details.