openssh: fix linkOpenSSL=false by linking libxcrypt

[tomfitzhenry]

Description of changes

Fixes openssh to build when linkOpenssl=false. This needed libxcrypt. Possibly this broke after #181764 but wasn't caught by Hydra, since Hydra wasn't building openssh with linkOpenssl=false. I've added a test to cover this functionality.

For more context on glibc/libxcrypt, see https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html .

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[tomfitzhenry]

Seeking review from @mweinelt re the introduction of libxcrypt, for when linkOpenssl = false. Does this sound reasonable? Prior to this PR, setting linkOpenssl = false would fail at link time looking for the crypt symbol.

[mweinelt]

I won't speak to the idea of creating opensshMinimal, but apparently what you found checks out. Either OpenSSL provides the crypto primitives or it falls back to lib(x)crypt.

[tomfitzhenry]

In hindsight I'm skeptical of introducing opensshMinimal, since:

• it would have few users, and those users are free/able to define their own openssh package
• offering a package introduce maintenance/compatibility burden. We can always add opensshMinimal if there's more demand. When in doubt, leave it out.

I'll remove this package from the PR, but keep the test, covering linkOpenssl=false behavior.

[tomfitzhenry]

And I'm skeptical of the value of withZlib too. I had added that parameter so it could be set to false for opensshMinimal (so it was minimal), but since I'm not going to add opensshMinimal, there's less of a need for withZlib. zlib functionality likely occurs post-auth so doesn't have as large an attack surface as, say, OpenSSL/PAM.

I'll remove the zlib parameter too.

[tomfitzhenry]

PR updated to just fix linkOpenssl=false, and add a test covering that. Much simpler now.

[LeSuisse]

Changes look good. Built and tested on Linux x86_64 and aarch64, all tests are passing and nixpkgs-review does not show new failures.