Index: crypto/openssh/auth-pam.c
===================================================================
--- crypto/openssh/auth-pam.c
+++ crypto/openssh/auth-pam.c
@@ -98,6 +98,9 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
extern ServerOptions options;
extern Buffer loginmsg;
@@ -794,6 +797,9 @@
free(msg);
return (0);
}
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
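Review bot: The `blacklist_notify(1)` added before the `error("PAM: ...")` call sits in the PAM failure path of a function whose start is outside the hunk, and the same failed attempt will, as far as I can tell, be reported a second time when the caller records the outcome through auth_log, which this series also instruments with `blacklist_notify(!authenticated)` in auth.c. Invalid-user attempts look triple-reported: getpwnamallow in auth.c notifies when `pw == NULL`, auth1.c and auth2.c notify again right after `fakepw()` on what appears to be the same condition, and auth_log then reports the failed method. If blacklistd counts every notification towards its threshold, one bad password would consume several attempts, which makes the configured limit hard to reason about. A single reporting point in auth_log, or a one-line comment at each extra site saying why that event deserves its own count, would make the policy explicit.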
Index: crypto/openssh/auth.c
===================================================================
--- crypto/openssh/auth.c
+++ crypto/openssh/auth.c
@@ -75,6 +75,9 @@
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
/* import */
extern ServerOptions options;
@@ -306,6 +309,10 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+#ifdef USE_BLACKLIST
+ if (!authctxt->postponed)
+ blacklist_notify(!authenticated);
+#endif
free(authctxt->info);
authctxt->info = NULL;
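Review bot: `blacklist_notify(!authenticated)` reports every non-postponed attempt with `authenticated == 0` as a failure, but auth_log is, I believe, also reached with `authenticated == 0` when a method succeeded as a partial step and further methods are still required, so a correct first factor would be counted against the client. If that path exists in this version, gate the call on the partial flag as well, e.g. `if (!authctxt->postponed && !partial) blacklist_notify(!authenticated);`. auth_log's signature, and whether it carries a `partial` parameter here, are outside the hunk and need confirming against the full function.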
@@ -640,6 +647,9 @@
}
#endif
if (pw == NULL) {
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
Index: crypto/openssh/auth1.c
===================================================================
--- crypto/openssh/auth1.c
+++ crypto/openssh/auth1.c
@@ -43,6 +43,9 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
/* import */
extern ServerOptions options;
@@ -337,6 +340,9 @@
char *msg;
size_t len;
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@@ -404,6 +410,9 @@
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
}
/* Configuration may have changed as a result of Match */
Index: crypto/openssh/auth2.c
===================================================================
--- crypto/openssh/auth2.c
+++ crypto/openssh/auth2.c
@@ -52,6 +52,9 @@
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -248,6 +251,9 @@
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
Index: crypto/openssh/blacklist.c
===================================================================
--- /dev/null
+++ crypto/openssh/blacklist.c
@@ -0,0 +1,31 @@
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "blacklist_client.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+blacklist_init(void)
+{
+ blstate = blacklist_open();
+}
+
+void
+blacklist_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ blacklist_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+}
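Review bot: The fallback `: 3` on the `fd =` line hands libblacklist an arbitrary descriptor whenever the connection is not on a socket; libblacklist derives the peer address from that descriptor, so a wrong fd would either attribute the failure to whatever fd 3 happens to be or fail silently, since the return of `blacklist_r` is discarded. Prefer to bail out rather than guess: `if (!packet_connection_is_on_socket()) return;` followed by `fd = packet_get_connection_in();`, and drop the `// XXX: 3?`. The parameter name `a` says nothing about its meaning; `int failed` with a comment that nonzero reports a failed attempt would help, or the BLACKLIST_AUTH_OK/BLACKLIST_AUTH_FAIL constants from <blacklist.h> if the installed header provides them. `<ctype.h>`, `<stdarg.h>`, `<stdlib.h>` and `<unistd.h>` do not appear to be used anywhere in this file.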
Index: crypto/openssh/blacklist_client.h
===================================================================
--- /dev/null
+++ crypto/openssh/blacklist_client.h
@@ -0,0 +1,3 @@
+
+void blacklist_notify(int);
+void blacklist_init(void);
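Review bot: The new header has no include guard and begins with a stray blank line; wrap the two prototypes in `#ifndef BLACKLIST_CLIENT_H` / `#define BLACKLIST_CLIENT_H` ... `#endif` and add a one-line header comment such as `/* sshd glue for libblacklist: report authentication outcomes to blacklistd. */`. Naming the parameter in the prototype, `void blacklist_notify(int failed);`, would document what the bare `1` at every call site means.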
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c
+++ crypto/openssh/packet.c
@@ -86,6 +86,9 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2071,6 +2074,9 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),
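Review bot: Reporting a KEX algorithm mismatch as a failed attempt means a client that merely offers no compatible algorithm is counted like a failed login and, after enough tries, may be blocked by blacklistd; that is a policy choice the code should state, e.g. `/* Count a failed negotiation as an attempt: repeated mismatches look like probing. */` above the `#ifdef`. This is also the only notification outside the authentication code and lives in a file shared with the client build, relying on USE_BLACKLIST being set only in the sshd Makefile, which is worth a word in that comment. The enclosing function's start is outside the hunk.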
Index: crypto/openssh/sshd.c
===================================================================
--- crypto/openssh/sshd.c
+++ crypto/openssh/sshd.c
@@ -135,6 +135,9 @@
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef LIBWRAP
#include <tcpd.h>
@@ -388,6 +391,9 @@
kill(0, SIGTERM);
}
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
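Review bot: The `blacklist_notify(1)` before `sigdie(...)` runs in what looks like the grace-period alarm handler (the surrounding `kill(0, SIGTERM)` and `sigdie` are signal-handler code), and blacklist_notify may call blacklist_open() on first use and performs socket I/O through blacklist_r, none of which is async-signal-safe; if the alarm interrupts an allocation or a packet write this can deadlock or corrupt state. Safer to record the timeout in a flag and notify from the normal exit path, or to call here only when `blstate` is already open and say so in a comment. The handler's start is outside the hunk, so this inference needs confirming.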
@@ -649,6 +655,10 @@
/* Demote the private keys to public keys. */
demote_sensitive_data();
+#ifdef USE_BLACKLIST
+ blacklist_init();
+#endif
+
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
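Review bot: `blacklist_init()` after `demote_sensitive_data()` reopens the blacklist state in the per-connection child even though the listener already initialises it before the accept loop (the `@@ -1272` hunk below) and the child inherits `blstate` across fork; the second open overwrites the pointer without a blacklist_close(), so the inherited state leaks, and given blacklist_notify's lazy init one of the two calls is redundant anyway. Pick one place: keep the listener init if the handle is meant to be shared by all children, or reset `blstate = NULL` after fork and open it here before the chroot, with a comment saying which was chosen and why. Both hunks start inside functions whose heads are outside the diff.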
@@ -1272,6 +1282,9 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+#ifdef USE_BLACKLIST
+ blacklist_init();
+#endif
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
Index: secure/usr.sbin/sshd/Makefile
===================================================================
--- secure/usr.sbin/sshd/Makefile
+++ secure/usr.sbin/sshd/Makefile
@@ -39,6 +39,13 @@
LIBADD+= bsm
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${.CURDIR}/../../../contrib/blacklist/include
+SRCS+= blacklist.c
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
SRCS+= krb5_config.h
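Review bot: `LDFLAGS+=-L${LIBBLACKLISTDIR}` breaks the column alignment used by the neighbouring `CFLAGS+=`, `SRCS+=` and `LIBADD+=` lines; write it as `LDFLAGS+=	-L${LIBBLACKLISTDIR}` to match. `LIBBLACKLISTDIR` is not defined in this hunk, so whether the shared bsd.*.mk files supply it needs checking, and if `LIBADD+= blacklist` already resolves the library through the standard search path the explicit `-L` may be unnecessary.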
D5915: Add blacklist support to sshd