
D49503.diff

diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -937,8 +937,8 @@
sshbuf_free(buffer);
return (0);
}
- BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER,
- sshpam_authctxt->user);
+ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
+ "PAM illegal user");
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
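Review bot: The new notification labels every PAM failure on this path as `PAM illegal user`, while the error() call directly below only prints "illegal user " when sshpam_authctxt->valid is false, so a valid user whose credentials PAM rejected is reported to blacklistd under a misleading reason. Mirror the log's distinction: `BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL, sshpam_authctxt->valid ? "PAM authentication failed" : "PAM illegal user");`. The enclosing function starts and ends outside this hunk.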
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -289,7 +289,8 @@
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
+ "Authenticated");
}
if ((extra = format_method_key(authctxt)) == NULL) {
@@ -338,6 +339,7 @@
{
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d ssh2",
authctxt->valid ? "" : "invalid user ",
@@ -498,7 +500,7 @@
aix_restoreauthdb();
#endif
if (pw == NULL) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user");
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,7 +52,6 @@
#include "dispatch.h"
#include "pathnames.h"
#include "ssherr.h"
-#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -443,10 +442,8 @@
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
- }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
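Review bot: With this per-attempt notification gone, blacklistd no longer hears about each failed method; the BLACKLIST_AUTH_FAIL calls that remain in this diff fire at most once per connection (maximum attempts exceeded, invalid user, grace timeout, child exit 255), so a client that fails several methods in one connection now counts once where it previously counted each failure. If that accounting is intended — blacklistd's threshold then effectively counts connections rather than attempts — record it here so nobody re-adds the call: `/* blacklistd is notified once per connection from the monitor, not per attempt */`. The enclosing function starts before and ends after this hunk.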
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
--- a/crypto/openssh/blacklist.c
+++ b/crypto/openssh/blacklist.c
@@ -50,6 +50,7 @@
#include "blacklist_client.h"
static struct blacklist *blstate = NULL;
+extern struct ssh *the_active_state;
/* import */
extern ServerOptions options;
@@ -57,7 +58,7 @@
/* internal definition from bl.h */
struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
-/* impedence match vsyslog() to sshd's internal logging levels */
+/* impedance match vsyslog() to sshd's internal logging levels */
void
im_log(int priority, const char *message, va_list args)
{
@@ -82,7 +83,6 @@
void
blacklist_init(void)
{
-
if (options.use_blacklist)
blstate = bl_create(false, NULL, im_log);
}
@@ -90,8 +90,17 @@
void
blacklist_notify(struct ssh *ssh, int action, const char *msg)
{
-
- if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+ if (ssh == NULL)
+ ssh = the_active_state;
+ if (ssh == NULL)
+ return;
+ if (blstate == NULL)
+ return;
+ if (ssh_packet_connection_is_on_socket(ssh))
(void)blacklist_r(blstate, action,
- ssh_packet_get_connection_in(ssh), msg);
+ ssh_packet_get_connection_in(ssh), msg);
+ if (action == 0) {
+ blacklist_close(blstate);
+ blstate = NULL;
+ }
}
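Review bot: `if (action == 0)` relies on BLACKLIST_AUTH_OK being 0; every caller uses the symbolic name, so compare against it, `if (action == BLACKLIST_AUTH_OK) {`, which also makes it obvious that the client state is torn down on a successful login rather than on some sentinel value. The close also runs when ssh_packet_connection_is_on_socket() was false and nothing was sent, which is harmless but worth stating: `/* after a successful auth nothing further is reported; drop the client state */`. The NULL-ssh fallback to the_active_state silently drops the event when neither is set — a debug() on that return would make a lost notification visible.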
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
--- a/crypto/openssh/blacklist_client.h
+++ b/crypto/openssh/blacklist_client.h
@@ -57,5 +57,4 @@
#endif
-
#endif /* BLACKLIST_CLIENT_H */
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -98,6 +98,8 @@
#include "sk-api.h"
#include "srclimit.h"
+#include "blacklist_client.h"
+
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
#endif
@@ -347,16 +349,24 @@
}
}
if (authctxt->failures > options.max_authtries) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Too many authentication attempts");
/* Shouldn't happen */
fatal_f("privsep child made too many authentication "
"attempts");
}
}
- if (!authctxt->valid)
+ if (!authctxt->valid) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authenticated invalid user");
fatal_f("authenticated invalid user");
- if (strcmp(auth_method, "unknown") == 0)
+ }
+ if (strcmp(auth_method, "unknown") == 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authentication method name unknown");
fatal_f("authentication method name unknown");
+ }
debug_f("user %s authenticated by privileged process", authctxt->user);
auth_attempted = 0;
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -96,7 +96,6 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
-#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2022,7 +2021,6 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh->kex && ssh->kex->failed_choice) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
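Review bot: Dropping this notification means a key-exchange algorithm mismatch no longer reaches blacklistd at all: the logdie() below terminates the process before any authentication is attempted, so the parent's new `i == 255 && auth_attempted` path (sshd-session.c in this diff) will not report it either. If the intent is that only the privileged process reports and pre-auth negotiation failures are deliberately not counted, a short comment here would record that; if KEX-probing scanners are still meant to count, the event needs a replacement in the process that can reach blacklistd. The enclosing function runs beyond this hunk.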
diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c
--- a/crypto/openssh/sshd-session.c
+++ b/crypto/openssh/sshd-session.c
@@ -109,6 +109,7 @@
#include "sk-api.h"
#include "srclimit.h"
#include "dh.h"
+
#include "blacklist_client.h"
/* Re-exec fds */
@@ -204,6 +205,8 @@
static void
grace_alarm_handler(int sig)
{
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Grace period expired");
/*
* Try to kill any processes that we have spawned, E.g. authorized
* keys command helpers or privsep children.
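Review bot: This call runs inside the SIGALRM handler, and blacklist_notify() → blacklist_r() does socket I/O and may invoke the im_log() callback, which goes through sshd's logging; none of that is async-signal-safe, and the alarm can interrupt the main code in the middle of a packet or log call. Since the handler is about to terminate the process the practical exposure is small, but that reasoning should be written down: `/* not async-signal-safe, but this handler terminates the process shortly after */`. Also verify which process arms the grace alarm — if it is the unprivileged child, the notification may not be deliverable from there.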
@@ -1220,6 +1223,8 @@
ssh_signal(SIGCHLD, SIG_DFL);
ssh_signal(SIGINT, SIG_DFL);
+ BLACKLIST_INIT();
+
/*
* Register our connection. This turns encryption off because we do
* not have a key.
@@ -1296,8 +1301,10 @@
}
if ((r = kex_exchange_identification(ssh, -1,
- options.version_addendum)) != 0)
+ options.version_addendum)) != 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
sshpkt_fatal(ssh, r, "banner exchange");
+ }
ssh_packet_set_nonblocking(ssh);
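Review bot: Treating every kex_exchange_identification() failure as BLACKLIST_AUTH_FAIL counts peers that connect and close without sending a banner — port scanners, but also load-balancer or monitoring health checks — toward blacklistd's block threshold, and unlike a real login there is never a BLACKLIST_AUTH_OK for them. If that is deliberate, make the policy explicit: `/* a failed banner exchange is reported as an auth failure so probes count toward blacklistd's limit */`; otherwise gate the notification on r, if the ssherr code distinguishes a protocol error from a plain EOF.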
@@ -1317,8 +1324,6 @@
fatal("sshbuf_new loginmsg failed");
auth_debug_reset();
- BLACKLIST_INIT();
-
if (privsep_preauth(ssh) == 1)
goto authenticated;
@@ -1517,7 +1522,10 @@
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
/* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
+ if (i == 255 && auth_attempted) {
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Fatal exit");
_exit(EXIT_AUTH_ATTEMPTED);
+ }
_exit(i);
}
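Review bot: A connection that hits MaxAuthTries appears to be reported twice: auth_maxtries_exceeded() (auth.c in this diff) sends `Maximum attempts exceeded` before disconnecting with exit status 255, after which this branch sends `Fatal exit` for the same peer, advancing blacklistd's counter by two for one connection — assuming the first notification is deliverable from the process that runs auth_maxtries_exceeded(). Either drop the auth.c call and rely on this path, or have the monitor track which events were already reported; at minimum a comment here should state whether the double count is intended, e.g. `/* child exited after a failed auth; report once here rather than per attempt */`. auth_attempted is set elsewhere and the function continues beyond the hunk.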
