git: 7344e6008b8b - 2026Q2 - security/openssh-portable: Fix NONE_CIPHER.
Date: Sat, 25 Apr 2026 22:06:34 UTC
The branch 2026Q2 has been updated by bdrewery:
URL: https://cgit.FreeBSD.org/ports/commit/?id=7344e6008b8bd016fe131854b9bdb8cf51c2e2fb
commit 7344e6008b8bd016fe131854b9bdb8cf51c2e2fb
Author: Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2026-04-25 20:53:48 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2026-04-25 22:06:26 +0000
security/openssh-portable: Fix NONE_CIPHER.
Tested with:
sshd_config:
NoneEnabled yes
# ssh -o NoneSwitch=yes -o NoneEnabled=yes -vv cmd...
Note that the `none` cipher is _never enabled for interactive TTY_.
PR: 292710
Submitted by: Andre Albsmeier
(cherry picked from commit 069c72440f3ba0bb85461b621f0f9d861b842192)
---
security/openssh-portable/Makefile | 2 +-
security/openssh-portable/files/extra-patch-hpn | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 29b56c1a488a..85c317597ae4 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openssh
DISTVERSION= 10.2p1
-PORTREVISION= 2
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index a4df93cc2186..037930f981b4 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -1287,13 +1287,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
--- work/openssh/sshd-auth.c.orig 2025-04-10 22:36:29.699636000 -0700
+++ work/openssh/sshd-auth.c 2025-04-10 22:36:33.770235000 -0700
-@@ -827,6 +827,10 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -827,6 +827,14 @@ do_ssh2_kex(struct ssh *ssh)
struct kex *kex;
int r;
+#ifdef NONE_CIPHER_ENABLED
-+ if (options.none_enabled == 1)
++ if (options.none_enabled == 1) {
+ debug ("WARNING: None cipher enabled");
++ char *old_ciphers = options.ciphers;
++ xasprintf(&options.ciphers, "%s,none", old_ciphers);
++ free(old_ciphers);
++ }
+#endif
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
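Review bot: In the new `options.none_enabled == 1` block of do_ssh2_kex(), `xasprintf(&options.ciphers, "%s,none", old_ciphers)` formats `old_ciphers` with `%s` without checking that `options.ciphers` is non-NULL at this point. Please add a guard, or a comment stating why the list is always populated before do_ssh2_kex() runs. The "WARNING: None cipher enabled" message is also emitted through debug(), so at the default log level an administrator gets no record that the server is offering an unencrypted cipher. Consider logit() so the downgrade is visible in normal logs. Minor style point: `char *old_ciphers` is declared after the debug() statement; moving the declaration to the top of the block would match the declarations-first layout of the surrounding function.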