Index: crypto/openssh/auth-pam.c
===================================================================
--- crypto/openssh/auth-pam.c
+++ crypto/openssh/auth-pam.c
@@ -98,6 +98,9 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
extern ServerOptions options;
extern Buffer loginmsg;
@@ -794,6 +797,9 @@
free(msg);
return (0);
}
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
Index: crypto/openssh/auth.c
===================================================================
--- crypto/openssh/auth.c
+++ crypto/openssh/auth.c
@@ -75,6 +75,9 @@
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
/* import */
extern ServerOptions options;
@@ -306,6 +309,10 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+#ifdef USE_BLACKLIST
+ if (!authctxt->postponed)
+ blacklist_notify(!authenticated);
+#endif
free(authctxt->info);
authctxt->info = NULL;
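Review bot: `blacklist_notify(!authenticated)` fires for every non-postponed outcome that auth_log records, so if this path is also reached for the initial "none" request that SSH2 clients send to discover the available methods, every session begins with one failure charged to the peer before a credential has been tried. auth_log starts and ends outside the hunk and its `method` argument is not visible here, so this is inferred from the call sites; if it holds, exclude that method, e.g. `if (!authctxt->postponed && strcmp(method, "none") != 0)`. The 1/0 passed as the action would also read better as the `BLACKLIST_AUTH_FAIL` / `BLACKLIST_AUTH_OK` values `<blacklist.h>` provides, here and at the other `blacklist_notify(1)` sites in this diff.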
@@ -640,6 +647,9 @@
}
#endif
if (pw == NULL) {
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
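Review bot: An unknown user name is reported to blacklistd here, again in the auth2.c (input_userauth_request) and auth1.c (do_authentication) hunks where fakepw() is substituted, and once more when the method subsequently fails through auth_log, so a single invalid-user attempt can be counted as several failures against the same address; the auth-pam.c hunk has the same shape, notifying on the PAM failure before the keyboard-interactive method itself is logged as failed. How the daemon weights repeated notifications for one connection is not visible here, but unless it de-duplicates per connection one layer should be authoritative — auth_log is the one that sees every outcome — and the others dropped. The enclosing getpwnamallow() begins and ends outside the hunk.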
Index: crypto/openssh/auth1.c
===================================================================
--- crypto/openssh/auth1.c
+++ crypto/openssh/auth1.c
@@ -43,6 +43,9 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
/* import */
extern ServerOptions options;
@@ -337,6 +340,9 @@
char *msg;
size_t len;
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@@ -404,6 +410,9 @@
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
}
/* Configuration may have changed as a result of Match */
Index: crypto/openssh/auth2.c
===================================================================
--- crypto/openssh/auth2.c
+++ crypto/openssh/auth2.c
@@ -52,6 +52,9 @@
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -248,6 +251,9 @@
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
Index: crypto/openssh/blacklist.c
===================================================================
--- /dev/null
+++ crypto/openssh/blacklist.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "blacklist_client.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+blacklist_init(void)
+{
+ blstate = blacklist_open();
+}
+
+void
+blacklist_notify(int action)
+{
+ int fd;
+ if (blstate == NULL)
+ blacklist_init();
+ if (blstate == NULL)
+ return;
+ fd = packet_get_connection_in();
+ if (!packet_connection_is_on_socket()) {
+ fprintf(stderr, "packet_connection_is_on_socket: false "
+ "(fd = %d)\n", fd);
+ }
+ (void)blacklist_r(blstate, action, fd, "ssh");
+}
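Review bot: blacklist_notify still hands the descriptor to blacklist_r() after packet_connection_is_on_socket() has reported false, so the daemon receives an fd it presumably cannot resolve to a peer address; that branch should return instead of only printing. The diagnostic there goes to stderr via fprintf() although log.h is included, so in a daemonised sshd it is lost or lands in the wrong stream — use debug() like the rest of the server. `<ctype.h>`, `<stdarg.h>`, `<stdlib.h>` and `<unistd.h>` are not used by this file, and `blacklist_init()` unconditionally replaces `blstate` without blacklist_close(), which matters because sshd.c calls it both in the listener loop and again in the forked child.
```c
void
blacklist_notify(int action)
{
	int fd;

	if (blstate == NULL)
		blacklist_init();
	if (blstate == NULL)
		return;
	/* The daemon derives the peer address from the descriptor we pass. */
	if (!packet_connection_is_on_socket()) {
		debug("%s: connection is not on a socket; not notifying",
		    __func__);
		return;
	}
	fd = packet_get_connection_in();
	(void)blacklist_r(blstate, action, fd, "ssh");
}
```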
Index: crypto/openssh/blacklist_client.h
===================================================================
--- /dev/null
+++ crypto/openssh/blacklist_client.h
@@ -0,0 +1,31 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+void blacklist_notify(int);
+void blacklist_init(void);
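Review bot: blacklist_client.h has no include guard, and the prototypes name neither the parameter nor the values `action` accepts, which is why every caller in this diff passes a bare 1. Wrap the declarations in `#ifndef BLACKLIST_CLIENT_H` / `#define BLACKLIST_CLIENT_H` … `#endif`, and declare `void blacklist_notify(int action); /* BLACKLIST_AUTH_FAIL or BLACKLIST_AUTH_OK from <blacklist.h> */` so the contract is visible without opening blacklist.c.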
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c
+++ crypto/openssh/packet.c
@@ -86,6 +86,9 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2071,6 +2074,9 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),
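Review bot: The blacklistd notification at the KEX-mismatch branch sits in code shared by the ssh client and sshd, and the Makefile hunk only defines USE_BLACKLIST and compiles blacklist.c for secure/usr.sbin/sshd; if packet.c is built into libssh rather than from that directory, this block is never compiled, and if libssh later inherits the define the client would report its own failed negotiations against the server's address and fail to link without blacklist.c. Either way the call should be restricted to the server role, e.g. `if (ssh->kex->server) blacklist_notify(1);`, since this function runs for both. The enclosing function starts and ends outside the hunk.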
Index: crypto/openssh/sshd.c
===================================================================
--- crypto/openssh/sshd.c
+++ crypto/openssh/sshd.c
@@ -135,6 +135,9 @@
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
#ifdef LIBWRAP
#include <tcpd.h>
@@ -388,6 +391,9 @@
kill(0, SIGTERM);
}
+#ifdef USE_BLACKLIST
+ blacklist_notify(1);
+#endif
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
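Review bot: `blacklist_notify(1)` is now invoked from the SIGALRM grace-period handler, and blacklist_notify lazily calls blacklist_init()/blacklist_open() when blstate is NULL, so if the explicit init earlier in this file failed, the signal handler ends up allocating and opening a socket, which is not async-signal-safe. The existing sigdie() call carries a similar caveat in upstream OpenSSH, but the new call extends it; consider dropping the lazy initialisation from blacklist_notify() and relying on the explicit blacklist_init() calls this diff adds to sshd.c, so the handler only ever does the sendmsg. The handler begins outside the hunk.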
@@ -649,6 +655,10 @@
/* Demote the private keys to public keys. */
demote_sensitive_data();
+#ifdef USE_BLACKLIST
+ blacklist_init();
+#endif
+
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
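Review bot: blacklist_init() here runs in the forked per-connection child after the listener loop has already called it (the hunk at @@ -1272), and since blacklist_init() overwrites blstate with a fresh blacklist_open() every time, the state the child inherited is dropped without blacklist_close(); make it a no-op when blstate is already set, or close the old handle first. Calling it before the chroot/setuid below is the right ordering, as the daemon's socket path will not be reachable afterwards, but confirm that the retained descriptor remains usable under the privsep sandbox that follows, which is not visible in this hunk.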
@@ -1272,6 +1282,9 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+#ifdef USE_BLACKLIST
+ blacklist_init();
+#endif
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
Index: secure/usr.sbin/sshd/Makefile
===================================================================
--- secure/usr.sbin/sshd/Makefile
+++ secure/usr.sbin/sshd/Makefile
@@ -40,6 +40,13 @@
LIBADD+= bsm
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+SRCS+= blacklist.c
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
SRCS+= krb5_config.h
D5915: Add blacklist support to sshd