
D52749.diff

diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -937,8 +937,8 @@
sshbuf_free(buffer);
return (0);
}
- BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER,
- sshpam_authctxt->user);
+ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
+ "PAM illegal user");
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
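Review bot: The new label `"PAM illegal user"` is sent for every failure on this path, but the error() directly below still distinguishes existing from unknown users via `sshpam_authctxt->valid`, so the event text is wrong whenever the account exists and PAM merely rejected the credentials; mirror the ternary, e.g. `sshpam_authctxt->valid ? "PAM authentication failure" : "PAM illegal user"`. Replacing BLACKLIST_BAD_USER with BLACKLIST_AUTH_FAIL here (and in the `if (pw == NULL)` hunk of auth.c) also folds unknown-user probes into ordinary failures, so a blacklistd policy that rated bad-user events separately would no longer see them; if that is intended, a sentence in the description would help. The enclosing function starts and ends outside this hunk.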
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -289,7 +289,8 @@
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
+ "Authenticated");
}
if ((extra = format_method_key(authctxt)) == NULL) {
@@ -338,6 +339,7 @@
{
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d ssh2",
authctxt->valid ? "" : "invalid user ",
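Review bot: The added BLACKLIST_NOTIFY line runs past 80 columns, while every other notification added in this diff wraps the message onto a continuation line; for consistency write it as `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,` / `    "Maximum attempts exceeded");`. The enclosing function continues past the end of the hunk.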
@@ -498,7 +500,7 @@
aix_restoreauthdb();
#endif
if (pw == NULL) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user");
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,7 +52,6 @@
#include "dispatch.h"
#include "pathnames.h"
#include "ssherr.h"
-#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -443,10 +442,8 @@
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
- }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
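Review bot: Removing the per-attempt notification here means an individual failed password or key attempt no longer produces any event; the only remaining failure reports are the max-attempts path in auth.c and the fatal/grace paths in monitor.c and sshd-session.c, so blacklistd appears to see at most one BLACKLIST_AUTH_FAIL per connection instead of one per failure, and a client that fails MaxAuthTries-1 times and reconnects never registers at all. If the intent is to move reporting into the privileged monitor (blacklist_client.h moves from auth2.c and packet.c to monitor.c in this diff), the per-attempt event should be re-added where the monitor counts `authctxt->failures`, or the change in effective threshold semantics should be stated in the description. Dropping the braces is fine for the now single-statement body, but the two-line condition makes it easy to misread, so keeping them costs nothing. The enclosing function starts and ends outside this hunk.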
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -85,6 +85,8 @@
#include "misc.h"
#include "servconf.h"
#include "monitor.h"
+#include "blacklist_client.h"
+
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -353,16 +355,24 @@
}
}
if (authctxt->failures > options.max_authtries) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Too many authentication attempts");
/* Shouldn't happen */
fatal_f("privsep child made too many authentication "
"attempts");
}
}
- if (!authctxt->valid)
+ if (!authctxt->valid) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authenticated invalid user");
fatal_f("authenticated invalid user");
- if (strcmp(auth_method, "unknown") == 0)
+ }
+ if (strcmp(auth_method, "unknown") == 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authentication method name unknown");
fatal_f("authentication method name unknown");
+ }
debug_f("user %s authenticated by privileged process", authctxt->user);
auth_attempted = 0;
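Review bot: All three new notifications sit on paths that the adjacent fatal_f() calls treat as server-side invariant violations ("Shouldn't happen", "authenticated invalid user", "authentication method name unknown"), so a bug in the privsep child would be reported to blacklistd as a remote authentication failure and could get the peer address blocked. Since fatal_f() presumably exits through the same cleanup path that this diff instruments with the "Fatal exit" notification in sshd-session.c, these cases would also be counted twice. Consider dropping the three calls, or at least using a message that makes the internal origin obvious in the daemon log. The enclosing function starts and ends outside this hunk.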
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -96,7 +96,6 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
-#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2022,7 +2021,6 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh->kex && ssh->kex->failed_choice) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
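Review bot: After this removal a peer whose KEX or host-key algorithm proposal cannot be matched no longer produces any blacklist event, while a failed banner exchange one step earlier now does (sshd-session.c hunk in this diff); tools that repeatedly connect only to probe algorithm support therefore stop counting toward a block. If that is deliberate, for instance because this code runs where the daemon socket is unreachable, a sentence in the description would make the detection change visible to operators. The enclosing switch and function continue outside the hunk.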
diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c
--- a/crypto/openssh/sshd-session.c
+++ b/crypto/openssh/sshd-session.c
@@ -217,6 +217,8 @@
static void
grace_alarm_handler(int sig)
{
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Grace period expired");
/*
* Try to kill any processes that we have spawned, E.g. authorized
* keys command helpers or privsep children.
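Review bot: BLACKLIST_NOTIFY is now invoked from inside the SIGALRM handler grace_alarm_handler; the notify path appears to talk to the blacklistd socket and, if not already initialised, may allocate, none of which is async-signal-safe, so the call can deadlock or corrupt heap state if the alarm lands inside malloc() or another non-reentrant libc routine. Prefer setting a `volatile sig_atomic_t` flag here and emitting the event from the normal exit path, or add a comment explaining why the handler's existing non-reentrant calls make this acceptable. The handler body continues past the end of the hunk.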
@@ -1201,6 +1203,8 @@
ssh_signal(SIGCHLD, SIG_DFL);
ssh_signal(SIGINT, SIG_DFL);
+ BLACKLIST_INIT();
+
/*
* Register our connection. This turns encryption off because we do
* not have a key.
@@ -1277,8 +1281,10 @@
}
if ((r = kex_exchange_identification(ssh, -1,
- options.version_addendum)) != 0)
+ options.version_addendum)) != 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
sshpkt_fatal(ssh, r, "banner exchange");
+ }
ssh_packet_set_nonblocking(ssh);
@@ -1298,8 +1304,6 @@
fatal("sshbuf_new loginmsg failed");
auth_debug_reset();
- BLACKLIST_INIT();
-
if (privsep_preauth(ssh) != 1)
fatal("privsep_preauth failed");
@@ -1425,7 +1429,10 @@
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
/* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
+ if (i == 255 && auth_attempted) {
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Fatal exit");
_exit(EXIT_AUTH_ATTEMPTED);
+ }
_exit(i);
}
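Review bot: The "Fatal exit" event fires for every fatal() reached after an authentication attempt regardless of cause, so server-side failures such as allocation errors or the internal-consistency fatal_f() paths that this diff also instruments in monitor.c are attributed to the remote address. The same exit path is presumably reached from grace_alarm_handler via sigdie(), in which case a client that attempts authentication and then idles generates both "Grace period expired" and "Fatal exit" for one connection; if a single event per connection is the intent, one of the two hooks should be dropped, and a comment such as `/* counts any post-auth-attempt fatal as a failure; also reached from grace_alarm_handler */` would document the choice. The enclosing function (presumably cleanup_exit) begins outside the hunk.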
