freebsd-nq/contrib/blacklist/diff/ssh.diff
Ed Maste e3a90f49ad blacklist: update to NetBSD snapshot on 20191106
Cursory review:	cem
MFC after:	3 months
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D22259
2019-11-06 16:21:35 +00:00

151 lines
3.9 KiB
Diff

--- /dev/null 2015-01-22 23:10:33.000000000 -0500
+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
@@ -0,0 +1,32 @@
+#include "namespace.h"
+#include "includes.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+pfilter_init(void)
+{
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+ if (a == 0) {
+ blacklist_close(blstate);
+ blstate = NULL;
+ }
+}
--- /dev/null 2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
@@ -0,0 +1,3 @@
+
+void pfilter_notify(int);
+void pfilter_init(void);
Index: bin/sshd/Makefile
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
retrieving revision 1.10
diff -u -u -r1.10 Makefile
--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
@@ -15,7 +15,7 @@
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-rlimit.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
@@ -68,3 +68,6 @@
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400
@@ -103,6 +103,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "pfilter.h"
extern ServerOptions options;
extern Buffer loginmsg;
@@ -526,6 +527,7 @@
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ pfilter_notify(1);
buffer_free(&buffer);
pthread_exit(NULL);
@@ -804,6 +806,7 @@
free(msg);
return (0);
}
+ pfilter_notify(1);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
diff -ru openssh-7.7p1/auth2.c dist/auth2.c
--- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400
@@ -51,6 +51,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "buffer.h"
+#include "pfilter.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -242,6 +243,7 @@
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
+ pfilter_notify(1);
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
Only in dist: pfilter.c
Only in dist: pfilter.h
diff -ru openssh-7.7p1/sshd.c dist/sshd.c
--- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400
@@ -122,6 +122,7 @@
#include "auth-options.h"
#include "version.h"
#include "ssherr.h"
+#include "pfilter.h"
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -346,6 +347,7 @@
static void
grace_alarm_handler(int sig)
{
+ pfilter_notify(1);
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
kill(pmonitor->m_pid, SIGALRM);
@@ -1835,6 +1837,8 @@
if (test_flag)
exit(0);
+ pfilter_init();
+
/*
* Clear out any supplemental groups we may have inherited. This
* prevents inadvertent creation of files with bad modes (in the
@@ -2280,6 +2284,9 @@
{
struct ssh *ssh = active_state; /* XXX */
+ if (i == 255)
+ pfilter_notify(1);
+
if (the_authctxt) {
do_cleanup(ssh, the_authctxt);
if (use_privsep && privsep_is_preauth &&