Page MenuHomeFreeBSD
Files F111349820

D29954.id94437.diff
No OneTemporary
Actions

D29954.id94437.diff
View Options

Index: auth-pam.c
===================================================================
--- auth-pam.c
+++ auth-pam.c
@@ -105,6 +105,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "blacklist_client.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -922,6 +923,8 @@
sshbuf_free(buffer);
return (0);
}
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+ sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
Index: auth.c
===================================================================
--- auth.c
+++ auth.c
@@ -76,6 +76,7 @@
#include "ssherr.h"
#include "compat.h"
#include "channels.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -331,8 +332,11 @@
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
+ }
if ((extra = format_method_key(authctxt)) == NULL) {
if (authctxt->auth_method_info != NULL)
@@ -592,6 +596,7 @@
aix_restoreauthdb();
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
Index: auth2.c
===================================================================
--- auth2.c
+++ auth2.c
@@ -53,6 +53,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "ssherr.h"
+#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -421,8 +422,10 @@
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+ }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
Index: blacklist.c
===================================================================
--- /dev/null
+++ blacklist.c
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
+/* import */
+extern ServerOptions options;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+ LogLevel imlevel;
+
+ switch (priority) {
+ case LOG_ERR:
+ imlevel = SYSLOG_LEVEL_ERROR;
+ break;
+ case LOG_DEBUG:
+ imlevel = SYSLOG_LEVEL_DEBUG1;
+ break;
+ case LOG_INFO:
+ imlevel = SYSLOG_LEVEL_INFO;
+ break;
+ default:
+ imlevel = SYSLOG_LEVEL_DEBUG2;
+ }
+ do_log(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+ if (options.use_blacklist)
+ blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action, const char *msg)
+{
+
+ if (blstate != NULL && packet_connection_is_on_socket())
+ (void)blacklist_r(blstate, action,
+ packet_get_connection_in(), msg);
+}
Index: blacklist_client.h
===================================================================
--- /dev/null
+++ blacklist_client.h
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+#ifndef BLACKLIST_API_ENUM
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+#endif
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x,msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
Index: packet.c
===================================================================
--- packet.c
+++ packet.c
@@ -96,6 +96,7 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -1874,6 +1875,7 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
Index: servconf.h
===================================================================
--- servconf.h
+++ servconf.h
@@ -229,6 +229,7 @@
int expose_userauth_info;
u_int64_t timing_secret;
char *sk_provider;
+ int use_blacklist;
} ServerOptions;
/* Information about the incoming connection as used by Match */
Index: servconf.c
===================================================================
--- servconf.c
+++ servconf.c
@@ -196,6 +196,7 @@
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
+ options->use_blacklist = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -442,6 +443,8 @@
options->expose_userauth_info = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
+ if (options->use_blacklist == -1)
+ options->use_blacklist = 0;
assemble_algorithms(options);
@@ -519,6 +522,7 @@
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sUseBlacklist,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -678,6 +682,9 @@
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
+
{ NULL, sBadOption, 0 }
};
@@ -2437,6 +2444,10 @@
*charptr = xstrdup(arg);
break;
+ case sUseBlacklist:
+ intptr = &options->use_blacklist;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2918,6 +2929,7 @@
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
Index: sshd.c
===================================================================
--- sshd.c
+++ sshd.c
@@ -125,6 +125,7 @@
#include "sk-api.h"
#include "srclimit.h"
#include "dh.h"
+#include "blacklist_client.h"
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -366,6 +367,8 @@
kill(0, SIGTERM);
}
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+
/* Log error and exit. */
if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
cleanup_exit(255); /* don't log in privsep child */
@@ -2232,6 +2235,8 @@
fatal_f("sshbuf_new failed");
auth_debug_reset();
+ BLACKLIST_INIT();
+
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
goto authenticated;
Index: sshd_config
===================================================================
--- sshd_config
+++ sshd_config
@@ -100,6 +100,7 @@
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
+#UseBlacklist no
#VersionAddendum FreeBSD-20200214
# no default banner path
Index: sshd_config.5
===================================================================
--- sshd_config.5
+++ sshd_config.5
@@ -1734,6 +1734,20 @@
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
+attempts to send authentication success and failure messages
+to the
+.Xr blacklistd 8
+daemon.
+The default is
+.Dq no .
+For forward compatibility with an upcoming
+.Xr blacklistd
+rename, the
+.Cm UseBlocklist
+alias can be used instead.
.It Cm UseDNS
Specifies whether
.Xr sshd 8

File Metadata

Mime Type
text/plain
Expires
Mon, Mar 3, 5:10 PM (1 h, 27 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16949293
Default Alt Text
D29954.id94437.diff (11 KB)

Event Timeline