Index: crypto/openssh/auth-pam.c =================================================================== --- crypto/openssh/auth-pam.c +++ crypto/openssh/auth-pam.c @@ -98,6 +98,7 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "blacklist_client.h" extern ServerOptions options; extern Buffer loginmsg; @@ -794,6 +795,7 @@ free(msg); return (0); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Index: crypto/openssh/auth.c =================================================================== --- crypto/openssh/auth.c +++ crypto/openssh/auth.c @@ -75,6 +75,7 @@ #include "authfile.h" #include "ssherr.h" #include "compat.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -288,9 +289,11 @@ strcmp(method, "password") == 0) authlog = logit; - if (authctxt->postponed) + if (authctxt->postponed) { authmsg = "Postponed"; - else if (partial) + BLACKLIST_NOTIFY((authenticated ? + BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL)); + } else if (partial) authmsg = "Partial"; else authmsg = authenticated ? "Accepted" : "Failed"; @@ -640,6 +643,7 @@ } #endif if (pw == NULL) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN Index: crypto/openssh/auth1.c =================================================================== --- crypto/openssh/auth1.c +++ crypto/openssh/auth1.c @@ -43,6 +43,7 @@ #endif #include "monitor_wrap.h" #include "buffer.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -337,6 +338,7 @@ char *msg; size_t len; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); @@ -404,6 +406,7 @@ else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); } /* Configuration may have changed as a result of Match */ Index: crypto/openssh/auth2.c =================================================================== --- crypto/openssh/auth2.c +++ crypto/openssh/auth2.c @@ -52,6 +52,7 @@ #include "pathnames.h" #include "buffer.h" #include "canohost.h" +#include "blacklist_client.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -248,6 +249,7 @@ } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Index: crypto/openssh/blacklist.c =================================================================== --- /dev/null +++ crypto/openssh/blacklist.c @@ -0,0 +1,82 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "misc.h" +#include "servconf.h" +#include "blacklist_client.h" +#include + +static struct blacklist *blstate = NULL; + +/* import */ +extern ServerOptions options; + +/* internal definition from bl.h */ +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); + +void +blacklist_init(void) +{ + + if (options.use_blacklist) + blstate = bl_create(false, NULL, do_log /*vsyslog*/); +} + +void +blacklist_notify(int action) +{ + int fd; + + if (blstate == NULL) + return; + + fd = packet_get_connection_in(); + if (!packet_connection_is_on_socket()) { + logit("packet_connection_is_on_socket: false " + "(fd = %d)\n", fd); + } + (void)blacklist_r(blstate, action, fd, "ssh"); +} Index: crypto/openssh/blacklist_client.h =================================================================== --- /dev/null +++ crypto/openssh/blacklist_client.h @@ -0,0 +1,57 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef BLACKLIST_CLIENT_H +#define BLACKLIST_CLIENT_H + +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL +}; + +#ifdef USE_BLACKLIST +void blacklist_init(void); +void blacklist_notify(int); + +#define BLACKLIST_INIT() blacklist_init() +#define BLACKLIST_NOTIFY(x) blacklist_notify(x) + +#else + +#define BLACKLIST_INIT() +#define BLACKLIST_NOTIFY(x) + +#endif + + +#endif /* BLACKLIST_CLIENT_H */ Index: crypto/openssh/packet.c =================================================================== --- crypto/openssh/packet.c +++ crypto/openssh/packet.c @@ -86,6 +86,7 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" +#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -2071,6 +2072,7 @@ case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r), Index: crypto/openssh/servconf.h =================================================================== --- crypto/openssh/servconf.h +++ crypto/openssh/servconf.h @@ -155,6 +155,7 @@ int max_authtries; int max_sessions; char *banner; /* SSH-2 banner message */ + int use_blacklist; int use_dns; int client_alive_interval; /* * poke the client this often to Index: crypto/openssh/servconf.c =================================================================== --- crypto/openssh/servconf.c +++ crypto/openssh/servconf.c @@ -151,6 +151,7 @@ options->max_authtries = -1; options->max_sessions = -1; options->banner = NULL; + options->use_blacklist = -1; options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; @@ -331,6 +332,8 @@ options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->max_sessions == -1) options->max_sessions = DEFAULT_SESSIONS_MAX; + if (options->use_blacklist == -1) + options->use_blacklist = 0; if (options->use_dns == -1) options->use_dns = 1; if (options->client_alive_interval == -1) @@ -418,7 +421,7 @@ sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, - sBanner, sUseDNS, sHostbasedAuthentication, + sBanner, sUseBlacklist, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -544,6 +547,7 @@ { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, + { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, @@ -1359,6 +1363,10 @@ multistate_ptr = multistate_gatewayports; goto parse_multistate; + case sUseBlacklist: + intptr = &options->use_blacklist; + goto parse_flag; + case sUseDNS: intptr = &options->use_dns; goto parse_flag; @@ -2295,6 +2303,7 @@ dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); + dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); Index: crypto/openssh/sshd.c =================================================================== --- crypto/openssh/sshd.c +++ crypto/openssh/sshd.c @@ -135,6 +135,7 @@ #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" +#include "blacklist_client.h" #ifdef LIBWRAP #include @@ -388,6 +389,8 @@ kill(0, SIGTERM); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@ -651,6 +654,7 @@ /* Demote the child */ if (getuid() == 0 || geteuid() == 0) { + BLACKLIST_INIT(); /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, @@ -1272,6 +1276,8 @@ for (i = 0; i < options.max_startups; i++) startup_pipes[i] = -1; + BLACKLIST_INIT(); + /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. Index: crypto/openssh/sshd_config =================================================================== --- crypto/openssh/sshd_config +++ crypto/openssh/sshd_config @@ -115,6 +115,7 @@ #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 +#UseBlacklist no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 Index: crypto/openssh/sshd_config.5 =================================================================== --- crypto/openssh/sshd_config.5 +++ crypto/openssh/sshd_config.5 @@ -1543,6 +1543,15 @@ .Cm TrustedUserCAKeys . For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . +.It Cm UseBlacklist +Specifies whether +.Xr sshd 8 +should attempt to send authentication success and failure messages +to the +.Xr blacklistd 8 +daemon. +The default is +.Dq no . .It Cm UseDNS Specifies whether .Xr sshd 8 Index: secure/usr.sbin/sshd/Makefile =================================================================== --- secure/usr.sbin/sshd/Makefile +++ secure/usr.sbin/sshd/Makefile @@ -40,6 +40,13 @@ LIBADD+= bsm .endif +.if ${MK_BLACKLIST_SUPPORT} != "no" +CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include +SRCS+= blacklist.c +LIBADD+= blacklist +LDFLAGS+=-L${LIBBLACKLISTDIR} +.endif + .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h SRCS+= krb5_config.h Index: secure/usr.sbin/sshd/Makefile.depend =================================================================== --- secure/usr.sbin/sshd/Makefile.depend +++ secure/usr.sbin/sshd/Makefile.depend @@ -17,6 +17,7 @@ kerberos5/lib/libroken \ kerberos5/lib/libwind \ lib/${CSU_DIR} \ + lib/libblacklist \ lib/libbsm \ lib/libc \ lib/libcom_err \