Index: crypto/openssh/auth-pam.c =================================================================== --- crypto/openssh/auth-pam.c +++ crypto/openssh/auth-pam.c @@ -101,7 +101,7 @@ #endif #include "monitor_wrap.h" #include "srclimit.h" -#include "blacklist_client.h" +#include "blocklist_client.h" extern ServerOptions options; extern struct sshbuf *loginmsg; @@ -937,7 +937,7 @@ sshbuf_free(buffer); return (0); } - BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER, + BLOCKLIST_NOTIFY(NULL, BLOCKLIST_BAD_USER, sshpam_authctxt->user); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", Index: crypto/openssh/auth.c =================================================================== --- crypto/openssh/auth.c +++ crypto/openssh/auth.c @@ -75,7 +75,7 @@ #include "monitor_wrap.h" #include "ssherr.h" #include "channels.h" -#include "blacklist_client.h" +#include "blocklist_client.h" /* import */ extern ServerOptions options; @@ -289,7 +289,7 @@ else { authmsg = authenticated ? "Accepted" : "Failed"; if (authenticated) - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh"); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_OK, "ssh"); } if ((extra = format_method_key(authctxt)) == NULL) { @@ -498,7 +498,7 @@ aix_restoreauthdb(); #endif if (pw == NULL) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_BAD_USER, user); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN Index: crypto/openssh/auth2.c =================================================================== --- crypto/openssh/auth2.c +++ crypto/openssh/auth2.c @@ -52,7 +52,7 @@ #include "dispatch.h" #include "pathnames.h" #include "ssherr.h" -#include "blacklist_client.h" +#include "blocklist_client.h" #ifdef GSSAPI #include "ssh-gss.h" #endif 
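Review bot: In the auth-pam.c hunk at line 937 the notification is still issued with a NULL connection, `BLOCKLIST_NOTIFY(NULL, BLOCKLIST_BAD_USER, sshpam_authctxt->user);`, while blocklist_notify() in blacklist.c gates the send on `ssh_packet_connection_is_on_socket(ssh)`. That helper is not shown here; if it returns 0 for a NULL handle (upstream packet.c appears to), this PAM bad-user event is never delivered to the daemon, and if it does not tolerate NULL the call dereferences it. Pass the session's ssh handle if one is reachable at this point, or at least mark the call with `/* NOTE: ssh is NULL here; confirm blocklist_notify() still reports this event */`. The enclosing function starts and ends outside the hunk.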
@@ -445,7 +445,7 @@ if (!partial && !authctxt->server_caused_failure && (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { authctxt->failures++; - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "ssh"); } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS Index: crypto/openssh/blacklist.c =================================================================== --- crypto/openssh/blacklist.c +++ crypto/openssh/blacklist.c @@ -47,7 +47,7 @@ #include "misc.h" #include "servconf.h" #include -#include "blacklist_client.h" +#include "blocklist_client.h" static struct blacklist *blstate = NULL; @@ -80,15 +80,15 @@ } void -blacklist_init(void) +blocklist_init(void) { - if (options.use_blacklist) + if (options.use_blocklist) blstate = bl_create(false, NULL, im_log); } void -blacklist_notify(struct ssh *ssh, int action, const char *msg) +blocklist_notify(struct ssh *ssh, int action, const char *msg) { if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) Index: crypto/openssh/blocklist_client.h =================================================================== --- crypto/openssh/blocklist_client.h +++ crypto/openssh/blocklist_client.h 
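Review bot: blocklist_init() in the blacklist.c hunk at line 80 stores the result of `bl_create(false, NULL, im_log)` unchecked, and blocklist_notify() treats a NULL `blstate` exactly like the feature being switched off. If bl_create can fail (its definition is not on this page), sshd keeps running with UseBlocklist enabled but sends nothing, and no log entry shows that the protection is inactive. I would brace the `if (options.use_blocklist)` branch and report the failure, e.g. `if (blstate == NULL) error("blocklist: bl_create failed; notifications disabled");`, using whichever logging call this file already has in scope. blocklist_notify's body continues past the end of the hunk.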
@@ -31,31 +31,31 @@ * POSSIBILITY OF SUCH DAMAGE. */ -#ifndef BLACKLIST_CLIENT_H -#define BLACKLIST_CLIENT_H +#ifndef BLOCKLIST_CLIENT_H +#define BLOCKLIST_CLIENT_H -#ifndef BLACKLIST_API_ENUM +#ifndef BLOCKLIST_API_ENUM enum { - BLACKLIST_AUTH_OK = 0, - BLACKLIST_AUTH_FAIL, - BLACKLIST_ABUSIVE_BEHAVIOR, - BLACKLIST_BAD_USER + BLOCKLIST_AUTH_OK = 0, + BLOCKLIST_AUTH_FAIL, + BLOCKLIST_ABUSIVE_BEHAVIOR, + BLOCKLIST_BAD_USER }; #endif #ifdef USE_BLACKLIST -void blacklist_init(void); -void blacklist_notify(struct ssh *, int, const char *); +void blocklist_init(void); +void blocklist_notify(struct ssh *, int, const char *); -#define BLACKLIST_INIT() blacklist_init() -#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg) +#define BLOCKLIST_INIT() blocklist_init() +#define BLOCKLIST_NOTIFY(ssh,x,msg) blocklist_notify(ssh,x,msg) #else -#define BLACKLIST_INIT() -#define BLACKLIST_NOTIFY(ssh,x,msg) +#define BLOCKLIST_INIT() +#define BLOCKLIST_NOTIFY(ssh,x,msg) #endif -#endif /* BLACKLIST_CLIENT_H */ +#endif /* BLOCKLIST_CLIENT_H */ Index: crypto/openssh/packet.c =================================================================== --- crypto/openssh/packet.c +++ crypto/openssh/packet.c @@ -96,7 +96,7 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" -#include "blacklist_client.h" +#include "blocklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -2022,7 +2022,7 @@ case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh->kex && ssh->kex->failed_choice) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "ssh"); ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " Index: crypto/openssh/servconf.h =================================================================== --- crypto/openssh/servconf.h +++ crypto/openssh/servconf.h 
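Review bot: The conditional `#ifdef USE_BLACKLIST` in blocklist_client.h keeps the old spelling while every other identifier in the header moves to BLOCKLIST. When that macro is undefined, both `BLOCKLIST_INIT()` and `BLOCKLIST_NOTIFY(ssh,x,msg)` expand to nothing, so a build that starts defining USE_BLOCKLIST instead (the build glue is not part of this diff) would compile out every notification without a warning. Accepting both spellings avoids that silent loss: `#if defined(USE_BLOCKLIST) || defined(USE_BLACKLIST)`. If the old name is kept on purpose, a comment on that line saying so would prevent a later "cleanup" from breaking it.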
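Review bot: In the packet.c hunk at line 2022 a failed key-exchange or host-key algorithm negotiation is reported as `BLOCKLIST_AUTH_FAIL`, although no authentication has been attempted at that point and the enum also offers `BLOCKLIST_ABUSIVE_BEHAVIOR`. As written, a client with an outdated algorithm list is counted toward the block threshold the same way a password guesser is, which may or may not be intended. A short comment above the call would record the decision, for example `/* count a failed kex/hostkey negotiation as an auth failure for blocklistd */`. The surrounding switch starts and ends outside the hunk.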
@@ -252,7 +252,7 @@ int refuse_connection; - int use_blacklist; + int use_blocklist; } ServerOptions; /* Information about the incoming connection as used by Match */ Index: crypto/openssh/servconf.c =================================================================== --- crypto/openssh/servconf.c +++ crypto/openssh/servconf.c @@ -216,7 +216,7 @@ options->unused_connection_timeout = -1; options->sshd_session_path = NULL; options->refuse_connection = -1; - options->use_blacklist = -1; + options->use_blocklist = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -503,8 +503,8 @@ options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION); if (options->refuse_connection == -1) options->refuse_connection = 0; - if (options->use_blacklist == -1) - options->use_blacklist = 0; + if (options->use_blocklist == -1) + options->use_blocklist = 0; assemble_algorithms(options); @@ -588,7 +588,7 @@ sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout, sSshdSessionPath, sRefuseConnection, - sUseBlacklist, + sUseBlocklist, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; @@ -757,8 +757,8 @@ { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL }, { "refuseconnection", sRefuseConnection, SSHCFG_ALL }, - { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, - { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */ + { "useblacklist", sUseBlocklist, SSHCFG_GLOBAL }, /* alias */ + { "useblocklist", sUseBlocklist, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -2724,8 +2724,8 @@ multistate_ptr = multistate_flag; goto parse_multistate; - case sUseBlacklist: - intptr = &options->use_blacklist; + case sUseBlocklist: + intptr = &options->use_blocklist; goto parse_flag; case sDeprecated: 
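Review bot: In the servconf.c keyword-table hunk at line 757 the alias row `useblacklist` is placed before the canonical `useblocklist`, both mapped to `sUseBlocklist`. If the config dump resolves an opcode to the first matching table name (upstream lookup_opcode_name does a linear search, though it is not shown here), then `dump_cfg_fmtint(sUseBlocklist, o->use_blocklist)` in the hunk at line 3277 makes `sshd -T` print the old `useblacklist` keyword. Configuration audits that look for the new name in the effective config would then not find it. Swapping the two rows fixes this: `{ "useblocklist", sUseBlocklist, SSHCFG_GLOBAL },` followed by `{ "useblacklist", sUseBlocklist, SSHCFG_GLOBAL }, /* alias */`.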
@@ -3277,7 +3277,7 @@ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); dump_cfg_fmtint(sRefuseConnection, o->refuse_connection); - dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); + dump_cfg_fmtint(sUseBlocklist, o->use_blocklist); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); Index: crypto/openssh/sshd-session.c =================================================================== --- crypto/openssh/sshd-session.c +++ crypto/openssh/sshd-session.c @@ -109,7 +109,7 @@ #include "sk-api.h" #include "srclimit.h" #include "dh.h" -#include "blacklist_client.h" +#include "blocklist_client.h" /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@ -1317,7 +1317,7 @@ fatal("sshbuf_new loginmsg failed"); auth_debug_reset(); - BLACKLIST_INIT(); + BLOCKLIST_INIT(); if (privsep_preauth(ssh) == 1) goto authenticated; Index: crypto/openssh/sshd_config.5 =================================================================== --- crypto/openssh/sshd_config.5 +++ crypto/openssh/sshd_config.5 @@ -2008,7 +2008,7 @@ is to never expire connections for having no open channels. This option may be useful in conjunction with .Cm ChannelTimeout . -.It Cm UseBlacklist +.It Cm UseBlocklist Specifies whether .Xr sshd 8 attempts to send authentication success and failure messages @@ -2017,11 +2017,9 @@ daemon. The default is .Cm no . -For forward compatibility with an upcoming -.Xr blacklistd -rename, the -.Cm UseBlocklist -alias can be used instead. +For backwards compatibility +.Cm UseBlacklist +is supported as an alias. .It Cm UseDNS Specifies whether .Xr sshd 8