Module Name:    src
Committed By:   christos
Date:           Wed Feb 5 20:14:30 UTC 2025

Modified Files:
        src/external/bsd/blocklist/bin: blocklistd.c blocklistd.conf.5
        src/external/bsd/blocklist/lib: libblocklist.3

Log Message:
PR/20: robohack: BLOCKLIST_BAD_USER (BL_BADUSER internally) was actually unimplemented and as such unusable, and despite being documented as such it still gained some users and has led to confusion.

This change proposes that it be implemented as a failure with a count of one for "nfails". To provide a meaningful distinction BLOCKLIST_AUTH_FAIL is also now implemented with a count of two for "nfails" -- which seems appropriate as an "authentication failure" sounds, to my ear at least, as something more important than a "bad user" failure.

This allows for "bad user" reports (which, say in the case of sshd, could be caused by a legitimate user making a typo) to be recorded as failures, but perhaps not to immediately cause them to be locked out (depending on the current configuration of course).

I think "invalid" should probably have been used here instead of "bad", but that would now be an API change, as opposed to a minor usage change and improvement.

BTW, I think the hinted at concept of the blocklist daemon having a list of disallowed users is not a viable way to go -- it violates the possibility that several different client daemons might have differing concepts and policies about whether attempts to use a given username are really violating some rule. Also we shouldn't conflate the concept of "username" here with local Unix user names, as they may not be related at all.

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blocklist/bin/blocklistd.c
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blocklist/bin/blocklistd.conf.5
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blocklist/lib/libblocklist.3

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.