Revert r301551, which added blacklistd(8) to sshd(8).

This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
gjb 2016-06-24 23:22:42 +00:00
parent 889a34531d
commit 7095173950
10 changed files with 0 additions and 153 deletions

View File

@ -98,9 +98,6 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
extern ServerOptions options;
extern Buffer loginmsg;
@ -797,9 +794,6 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
return (0);
}
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,

View File

@ -75,9 +75,6 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
/* import */
extern ServerOptions options;
@ -309,10 +306,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
#ifdef USE_BLACKLIST
if (!authctxt->postponed)
blacklist_notify(!authenticated);
#endif
free(authctxt->info);
authctxt->info = NULL;
@ -647,9 +640,6 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN

View File

@ -43,9 +43,6 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
/* import */
extern ServerOptions options;
@ -340,9 +337,6 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@ -410,9 +404,6 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
}
/* Configuration may have changed as a result of Match */

View File

@ -52,9 +52,6 @@ __RCSID("$FreeBSD$");
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef GSSAPI
#include "ssh-gss.h"
@ -251,9 +248,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif

View File

@ -1,64 +0,0 @@
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "ssh.h"
#include "packet.h"
#include "log.h"
#include "blacklist_client.h"
#include <blacklist.h>
static struct blacklist *blstate;
void
blacklist_init(void)
{
blstate = blacklist_open();
}
void
blacklist_notify(int action)
{
int fd;
if (blstate == NULL)
blacklist_init();
if (blstate == NULL)
return;
fd = packet_get_connection_in();
if (!packet_connection_is_on_socket()) {
fprintf(stderr, "packet_connection_is_on_socket: false "
"(fd = %d)\n", fd);
}
(void)blacklist_r(blstate, action, fd, "ssh");
}

View File

@ -1,31 +0,0 @@
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
void blacklist_notify(int);
void blacklist_init(void);

View File

@ -86,9 +86,6 @@ __RCSID("$FreeBSD$");
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef PACKET_DEBUG
#define DBG(x) x
@ -2074,9 +2071,6 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),

View File

@ -135,9 +135,6 @@ __RCSID("$FreeBSD$");
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef LIBWRAP
#include <tcpd.h>
@ -391,9 +388,6 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@ -655,10 +649,6 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
#ifdef USE_BLACKLIST
blacklist_init();
#endif
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
@ -1282,9 +1272,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
#ifdef USE_BLACKLIST
blacklist_init();
#endif
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.

View File

@ -40,13 +40,6 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
LIBADD+= bsm
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
SRCS+= blacklist.c
LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
SRCS+= krb5_config.h

View File

@ -17,7 +17,6 @@ DIRDEPS = \
kerberos5/lib/libroken \
kerberos5/lib/libwind \
lib/${CSU_DIR} \
lib/libblacklist \
lib/libbsm \
lib/libc \
lib/libcom_err \