Revert r301551, which added blacklistd(8) to sshd(8).

This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation
2016-06-24 23:22:42 +00:00 · 2016-06-24 23:22:42 +00:00 · faebc97a1c
commit faebc97a1c
parent be0319fd19
10 changed files with 0 additions and 153 deletions
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@ -98,9 +98,6 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 extern ServerOptions options;
 extern Buffer loginmsg;
@ -797,9 +794,6 @@ sshpam_query(void *ctx, char **name, char **info,
 				free(msg);
 				return (0);
 			}
-#ifdef USE_BLACKLIST
-			blacklist_notify(1);
-#endif
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@ -75,9 +75,6 @@ __RCSID("$FreeBSD$");
 #include "authfile.h"
 #include "ssherr.h"
 #include "compat.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 /* import */
 extern ServerOptions options;
@ -309,10 +306,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 	    compat20 ? "ssh2" : "ssh1",
 	    authctxt->info != NULL ? ": " : "",
 	    authctxt->info != NULL ? authctxt->info : "");
-#ifdef USE_BLACKLIST
-	if (!authctxt->postponed)
-		blacklist_notify(!authenticated);
-#endif
 	free(authctxt->info);
 	authctxt->info = NULL;

@ -647,9 +640,6 @@ getpwnamallow(const char *user)
 	}
 #endif
 	if (pw == NULL) {
-#ifdef USE_BLACKLIST
-		blacklist_notify(1);
-#endif
 		logit("Invalid user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@ -43,9 +43,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "buffer.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 /* import */
 extern ServerOptions options;
@ -340,9 +337,6 @@ do_authloop(Authctxt *authctxt)
 			char *msg;
 			size_t len;

-#ifdef USE_BLACKLIST
-			blacklist_notify(1);
-#endif
 			error("Access denied for user %s by PAM account "
 			    "configuration", authctxt->user);
 			len = buffer_len(&loginmsg);
@ -410,9 +404,6 @@ do_authentication(Authctxt *authctxt)
 	else {
 		debug("do_authentication: invalid user %s", user);
 		authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
-		blacklist_notify(1);
-#endif
 	}

 	/* Configuration may have changed as a result of Match */
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@ -52,9 +52,6 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 #ifdef GSSAPI
 #include "ssh-gss.h"
@ -251,9 +248,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
-			blacklist_notify(1);
-#endif
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
--- a/crypto/openssh/blacklist.c
+++ b/crypto/openssh/blacklist.c
@ -1,64 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <ctype.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "ssh.h"
-#include "packet.h"
-#include "log.h"
-#include "blacklist_client.h"
-#include <blacklist.h>
-
-static struct blacklist *blstate;
-
-void
-blacklist_init(void)
-{
-	blstate = blacklist_open();
-}
-
-void
-blacklist_notify(int action)
-{
-	int fd;
-	if (blstate == NULL)
-		blacklist_init();
-	if (blstate == NULL)
-		return;
-	fd = packet_get_connection_in();
-	if (!packet_connection_is_on_socket()) {
-		fprintf(stderr, "packet_connection_is_on_socket: false "
-			"(fd = %d)\n", fd);
-	}
-	(void)blacklist_r(blstate, action, fd, "ssh");
-}
--- a/crypto/openssh/blacklist_client.h
+++ b/crypto/openssh/blacklist_client.h
@ -1,31 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-void blacklist_notify(int);
-void blacklist_init(void);
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@ -86,9 +86,6 @@ __RCSID("$FreeBSD$");
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 #ifdef PACKET_DEBUG
 #define DBG(x) x
@ -2074,9 +2071,6 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh && ssh->kex && ssh->kex->failed_choice) {
-#ifdef USE_BLACKLIST
-			blacklist_notify(1);
-#endif
 			fatal("Unable to negotiate with %.200s port %d: %s. "
 			    "Their offer: %s", ssh_remote_ipaddr(ssh),
 			    ssh_remote_port(ssh), ssh_err(r),
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@ -135,9 +135,6 @@ __RCSID("$FreeBSD$");
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "ssherr.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif

 #ifdef LIBWRAP
 #include <tcpd.h>
@ -391,9 +388,6 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}

-#ifdef USE_BLACKLIST
-	blacklist_notify(1);
-#endif
 	/* Log error and exit. */
 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
@ -655,10 +649,6 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();

-#ifdef USE_BLACKLIST
-	blacklist_init();
-#endif
-
 	/* Demote the child */
 	if (getuid() == 0 || geteuid() == 0) {
 		/* Change our root directory */
@ -1282,9 +1272,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 	for (i = 0; i < options.max_startups; i++)
 		startup_pipes[i] = -1;

-#ifdef USE_BLACKLIST
-	blacklist_init();
-#endif
 	/*
 	 * Stay listening for connections until the system crashes or
 	 * the daemon is killed with a signal.
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@ -40,13 +40,6 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
 LIBADD+=	bsm
 .endif

-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
-SRCS+= blacklist.c
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
-.endif
-
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
 SRCS+=	krb5_config.h
--- a/secure/usr.sbin/sshd/Makefile.depend
+++ b/secure/usr.sbin/sshd/Makefile.depend
@ -17,7 +17,6 @@ DIRDEPS = \
 	kerberos5/lib/libroken \
 	kerberos5/lib/libwind \
 	lib/${CSU_DIR} \
-	lib/libblacklist \
 	lib/libbsm \
 	lib/libc \
 	lib/libcom_err \