From 70951739503fef6ff99a71f0515ee1eba2dbf895 Mon Sep 17 00:00:00 2001
From: gjb
Date: Fri, 24 Jun 2016 23:22:42 +0000
Subject: [PATCH] Revert r301551, which added blacklistd(8) to sshd(8).

This change has functional impact, and other concerns raised by the OpenSSH maintainer.

Requested by: des
PR: 210479 (related)
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
---
 crypto/openssh/auth-pam.c | 6 ---
 crypto/openssh/auth.c | 10 -----
 crypto/openssh/auth1.c | 9 ----
 crypto/openssh/auth2.c | 6 ---
 crypto/openssh/blacklist.c | 64 ----------------------------
 crypto/openssh/blacklist_client.h | 31 --------------
 crypto/openssh/packet.c | 6 ---
 crypto/openssh/sshd.c | 13 ------
 secure/usr.sbin/sshd/Makefile | 7 ---
 secure/usr.sbin/sshd/Makefile.depend | 1 -
 10 files changed, 153 deletions(-)
 delete mode 100644 crypto/openssh/blacklist.c
 delete mode 100644 crypto/openssh/blacklist_client.h
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 53b9dbe47e5e..8425af1ea33a 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -98,9 +98,6 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 extern ServerOptions options;
 extern Buffer loginmsg;
@@ -797,9 +794,6 @@ sshpam_query(void *ctx, char **name, char **info,
 free(msg);
 return (0);
 }
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 error("PAM: %s for %s%.100s from %.100s", msg,
 sshpam_authctxt->valid ? "" : "illegal user ",
 sshpam_authctxt->user,
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index c23b55d6a0cb..ba908801a169 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -75,9 +75,6 @@ __RCSID("$FreeBSD$");
 #include "authfile.h"
 #include "ssherr.h"
 #include "compat.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 /* import */
 extern ServerOptions options;
@@ -309,10 +306,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 compat20 ? "ssh2" : "ssh1",
 authctxt->info != NULL ? ": " : "",
 authctxt->info != NULL ? authctxt->info : "");
-#ifdef USE_BLACKLIST
- if (!authctxt->postponed)
- blacklist_notify(!authenticated);
-#endif
 free(authctxt->info);
 authctxt->info = NULL;
@@ -647,9 +640,6 @@ getpwnamallow(const char *user)
 }
 #endif
 if (pw == NULL) {
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 logit("Invalid user %.100s from %.100s",
 user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 539e56c64196..5073c49bb37d 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -43,9 +43,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "buffer.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 /* import */
 extern ServerOptions options;
@@ -340,9 +337,6 @@ do_authloop(Authctxt *authctxt)
 char *msg;
 size_t len;
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 error("Access denied for user %s by PAM account "
 "configuration", authctxt->user);
 len = buffer_len(&loginmsg);
@@ -410,9 +404,6 @@ do_authentication(Authctxt *authctxt)
 else {
 debug("do_authentication: invalid user %s", user);
 authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 }
 /* Configuration may have changed as a result of Match */
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index eec196a9b584..1d9aab037dd6 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,9 +52,6 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -251,9 +248,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 } else {
 logit("input_userauth_request: invalid user %s", user);
 authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 #ifdef SSH_AUDIT_EVENTS
 PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
deleted file mode 100644
index d172945c001f..000000000000
--- a/crypto/openssh/blacklist.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-#include
-
-#include "ssh.h"
-#include "packet.h"
-#include "log.h"
-#include "blacklist_client.h"
-#include
-
-static struct blacklist *blstate;
-
-void
-blacklist_init(void)
-{
- blstate = blacklist_open();
-}
-
-void
-blacklist_notify(int action)
-{
- int fd;
- if (blstate == NULL)
- blacklist_init();
- if (blstate == NULL)
- return;
- fd = packet_get_connection_in();
- if (!packet_connection_is_on_socket()) {
- fprintf(stderr, "packet_connection_is_on_socket: false "
- "(fd = %d)\n", fd);
- }
- (void)blacklist_r(blstate, action, fd, "ssh");
-}
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
deleted file mode 100644
index e63554dd5a71..000000000000
--- a/crypto/openssh/blacklist_client.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-void blacklist_notify(int);
-void blacklist_init(void);
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index 9e1165a9b2bb..f3b3ce9cf250 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -86,9 +86,6 @@ __RCSID("$FreeBSD$");
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 #ifdef PACKET_DEBUG
 #define DBG(x) x
@@ -2074,9 +2071,6 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
 case SSH_ERR_NO_KEX_ALG_MATCH:
 case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 if (ssh && ssh->kex && ssh->kex->failed_choice) {
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 fatal("Unable to negotiate with %.200s port %d: %s. "
 "Their offer: %s", ssh_remote_ipaddr(ssh),
 ssh_remote_port(ssh), ssh_err(r),
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index d11592917e1e..dd7fcdda3e94 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -135,9 +135,6 @@ __RCSID("$FreeBSD$");
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "ssherr.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
 #ifdef LIBWRAP
 #include
@@ -391,9 +388,6 @@ grace_alarm_handler(int sig)
 kill(0, SIGTERM);
 }
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
 /* Log error and exit. */
 sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
@@ -655,10 +649,6 @@ privsep_preauth_child(void)
 /* Demote the private keys to public keys. */
 demote_sensitive_data();
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
-
 /* Demote the child */
 if (getuid() == 0 || geteuid() == 0) {
 /* Change our root directory */
@@ -1282,9 +1272,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 for (i = 0; i < options.max_startups; i++)
 startup_pipes[i] = -1;
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
 /*
 * Stay listening for connections until the system crashes or
 * the daemon is killed with a signal.
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index bab29015b85e..f9589a37ae37 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -40,13 +40,6 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
 LIBADD+= bsm
 .endif
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
-SRCS+= blacklist.c
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
-.endif
-
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
 SRCS+= krb5_config.h
diff --git a/secure/usr.sbin/sshd/Makefile.depend b/secure/usr.sbin/sshd/Makefile.depend
index 220aae36c11c..d24b0bef5d55 100644
--- a/secure/usr.sbin/sshd/Makefile.depend
+++ b/secure/usr.sbin/sshd/Makefile.depend
@@ -17,7 +17,6 @@ DIRDEPS = \
 kerberos5/lib/libroken \
 kerberos5/lib/libwind \
 lib/${CSU_DIR} \
- lib/libblacklist \
 lib/libbsm \
 lib/libc \
 lib/libcom_err \