Author: lidl
Date: Fri May 12 15:20:12 2017
New Revision: 318242
URL: https://svnweb.freebsd.org/changeset/base/318242

Log:
  Refine and update blacklist support in sshd
  
  Adjust notification points slightly to catch all auth failures,
  rather than just the ones caused by bad usernames.
  
  Modify notification point for bad usernames to send new type of
  BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
  Add guards to allow library headers to expose the enum of action values.
  
  Reviewed by:  des
  Approved by:  des
  Sponsored by: The FreeBSD Foundation

Modified:
  head/crypto/openssh/auth-pam.c
  head/crypto/openssh/auth.c
  head/crypto/openssh/auth1.c
  head/crypto/openssh/auth2.c
  head/crypto/openssh/blacklist.c
  head/crypto/openssh/blacklist_client.h
  head/crypto/openssh/packet.c
  head/crypto/openssh/sshd.c

Modified: head/crypto/openssh/auth-pam.c
==============================================================================
--- head/crypto/openssh/auth-pam.c      Fri May 12 15:08:23 2017        
(r318241)
+++ head/crypto/openssh/auth-pam.c      Fri May 12 15:20:12 2017        
(r318242)
@@ -799,7 +799,8 @@ sshpam_query(void *ctx, char **name, cha
                                free(msg);
                                return (0);
                        }
-                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+                       BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+                           sshpam_authctxt->user);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user,
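Review bot: BLACKLIST_BAD_USER is sent here on every PAM failure, but the error() call two lines below shows this path is reached for valid users too (`sshpam_authctxt->valid ? "" : "illegal user "`), so a wrong password for an existing account is now reported as a bad username. Consider `BLACKLIST_NOTIFY(sshpam_authctxt->valid ? BLACKLIST_AUTH_FAIL : BLACKLIST_BAD_USER, sshpam_authctxt->user);`. Separately, the username passed as the message is client-supplied and, unlike the `%.100s` in the error() call, is not length-limited here; the same applies to the BAD_USER sites in getpwnamallow (auth.c) and do_authentication (auth1.c), so it is worth confirming that blacklist_r() bounds what it forwards. sshpam_query begins and ends outside the hunk.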

Modified: head/crypto/openssh/auth.c
==============================================================================
--- head/crypto/openssh/auth.c  Fri May 12 15:08:23 2017        (r318241)
+++ head/crypto/openssh/auth.c  Fri May 12 15:20:12 2017        (r318242)
@@ -311,7 +311,7 @@ auth_log(Authctxt *authctxt, int authent
        else {
                authmsg = authenticated ? "Accepted" : "Failed";
                if (authenticated)
-                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
        }
 
        authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
@@ -664,7 +664,7 @@ getpwnamallow(const char *user)
        }
 #endif
        if (pw == NULL) {
-               BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+               BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
                logit("Invalid user %.100s from %.100s port %d",
                    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN

Modified: head/crypto/openssh/auth1.c
==============================================================================
--- head/crypto/openssh/auth1.c Fri May 12 15:08:23 2017        (r318241)
+++ head/crypto/openssh/auth1.c Fri May 12 15:20:12 2017        (r318242)
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
                        char *msg;
                        size_t len;
 
-                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
                        error("Access denied for user %s by PAM account "
                            "configuration", authctxt->user);
                        len = buffer_len(&loginmsg);
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
 
+               BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
                if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
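Review bot: The added BLACKLIST_AUTH_FAIL notification fires on every unauthenticated pass through this point, and the PAM account-denial branch earlier in do_authloop (the @@ -338 hunk) now also sends BLACKLIST_AUTH_FAIL; if that branch falls through to here rather than returning, one denied attempt is reported twice. If both reports are intended, a comment such as `/* one report per failed attempt; PAM account denial above reports separately */` would make that explicit. do_authloop starts and ends outside the hunk.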
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
        else {
                debug("do_authentication: invalid user %s", user);
                authctxt->pw = fakepw();
-               BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+               BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
        }
 
        /* Configuration may have changed as a result of Match */
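Review bot: In auth2.c this commit removes the notification from input_userauth_request's invalid-user branch because getpwnamallow() now reports BLACKLIST_BAD_USER itself, but the parallel branch here in do_authentication keeps its call and switches it to BLACKLIST_BAD_USER. If authctxt->pw above was obtained from getpwnamallow() (not visible in the hunk), an invalid SSH1 username is now reported twice; either drop this line as in auth2.c or add a comment saying why the SSH1 path keeps it. do_authentication continues outside the hunk.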

Modified: head/crypto/openssh/auth2.c
==============================================================================
--- head/crypto/openssh/auth2.c Fri May 12 15:08:23 2017        (r318241)
+++ head/crypto/openssh/auth2.c Fri May 12 15:20:12 2017        (r318242)
@@ -245,7 +245,6 @@ input_userauth_request(int type, u_int32
                } else {
                        logit("input_userauth_request: invalid user %s", user);
                        authctxt->pw = fakepw();
-                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
@@ -386,8 +385,10 @@ userauth_finish(Authctxt *authctxt, int 
 
                /* Allow initial try of "none" auth without failure penalty */
                if (!partial && !authctxt->server_caused_failure &&
-                   (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+                   (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
                        authctxt->failures++;
+                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+               }
                if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
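Review bot: This site reports BLACKLIST_AUTH_FAIL once per penalised failure, while sshpam_query (auth-pam.c in this commit) already reports the same PAM failure as BLACKLIST_BAD_USER before the method returns, so a failed keyboard-interactive attempt appears to produce two notifications. If double counting is not intended, the auth-pam.c report is the one to reconsider, since this point sees every method uniformly and honours the "none" exemption. userauth_finish starts and ends outside the hunk.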

Modified: head/crypto/openssh/blacklist.c
==============================================================================
--- head/crypto/openssh/blacklist.c     Fri May 12 15:08:23 2017        
(r318241)
+++ head/crypto/openssh/blacklist.c     Fri May 12 15:20:12 2017        
(r318242)
@@ -46,8 +46,8 @@
 #include "log.h"
 #include "misc.h"
 #include "servconf.h"
-#include "blacklist_client.h"
 #include <blacklist.h>
+#include "blacklist_client.h"
 
 static struct blacklist *blstate = NULL;
 
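Review bot: The include order is now load-bearing: `<blacklist.h>` must be seen before `"blacklist_client.h"` so that the library's BLACKLIST_API_ENUM guard suppresses the local fallback enum, and nothing in the code says so. A comment on the include, `#include <blacklist.h>	/* must precede blacklist_client.h: defines BLACKLIST_API_ENUM */`, would keep a future include sort from silently re-enabling the local enum. Any other translation unit that includes both headers has the same constraint.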
@@ -88,10 +88,10 @@ blacklist_init(void)
 }
 
 void
-blacklist_notify(int action)
+blacklist_notify(int action, const char *msg)
 {
 
        if (blstate != NULL && packet_connection_is_on_socket())
                (void)blacklist_r(blstate, action,
-               packet_get_connection_in(), "ssh");
+               packet_get_connection_in(), msg);
 }
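Review bot: The new `msg` parameter of blacklist_notify() is undocumented, and the callers in this commit pass two different things through it: the literal "ssh" for AUTH_OK/AUTH_FAIL and the client-supplied username for BAD_USER. A header comment above the function stating that `msg` is forwarded verbatim to blacklist_r() and that callers are responsible for its content and length would make the contract clear. Whether blacklist_r() tolerates a NULL msg is not visible here, so the comment should also state that NULL is not accepted, or the function should check it.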

Modified: head/crypto/openssh/blacklist_client.h
==============================================================================
--- head/crypto/openssh/blacklist_client.h      Fri May 12 15:08:23 2017        
(r318241)
+++ head/crypto/openssh/blacklist_client.h      Fri May 12 15:20:12 2017        
(r318242)
@@ -34,22 +34,26 @@
 #ifndef BLACKLIST_CLIENT_H
 #define BLACKLIST_CLIENT_H
 
+#ifndef BLACKLIST_API_ENUM
 enum {
        BLACKLIST_AUTH_OK = 0,
-       BLACKLIST_AUTH_FAIL
+       BLACKLIST_AUTH_FAIL,
+       BLACKLIST_ABUSIVE_BEHAVIOR,
+       BLACKLIST_BAD_USER
 };
+#endif
 
 #ifdef USE_BLACKLIST
 void blacklist_init(void);
-void blacklist_notify(int);
+void blacklist_notify(int, const char *);
 
 #define BLACKLIST_INIT() blacklist_init()
-#define BLACKLIST_NOTIFY(x) blacklist_notify(x)
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
 
 #else
 
 #define BLACKLIST_INIT()
-#define BLACKLIST_NOTIFY(x)
+#define BLACKLIST_NOTIFY(x,msg)
 
 #endif
 
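Review bot: The fallback enum now fixes BLACKLIST_ABUSIVE_BEHAVIOR = 2 and BLACKLIST_BAD_USER = 3, and these values are what blacklist_r() sends to blacklistd, so they must match the library's definitions; with the log noting that libblacklist support is still forthcoming, a build against a libblacklist without BLACKLIST_API_ENUM will use these local values with no check that the daemon understands them. A comment such as `/* Must mirror libblacklist's <blacklist.h>; used only when that header predates BLACKLIST_API_ENUM */` would record the dependency. The new second macro argument also deserves a line, e.g. `/* msg: text forwarded to blacklistd ("ssh", or the client-supplied username for BAD_USER) */`.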

Modified: head/crypto/openssh/packet.c
==============================================================================
--- head/crypto/openssh/packet.c        Fri May 12 15:08:23 2017        
(r318241)
+++ head/crypto/openssh/packet.c        Fri May 12 15:20:12 2017        
(r318242)
@@ -2104,7 +2104,7 @@ sshpkt_fatal(struct ssh *ssh, const char
        case SSH_ERR_NO_KEX_ALG_MATCH:
        case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
                if (ssh && ssh->kex && ssh->kex->failed_choice) {
-                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+                       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
                        logdie("Unable to negotiate with %.200s port %d: %s. "
                            "Their offer: %s", ssh_remote_ipaddr(ssh),
                            ssh_remote_port(ssh), ssh_err(r),

Modified: head/crypto/openssh/sshd.c
==============================================================================
--- head/crypto/openssh/sshd.c  Fri May 12 15:08:23 2017        (r318241)
+++ head/crypto/openssh/sshd.c  Fri May 12 15:20:12 2017        (r318242)
@@ -371,7 +371,7 @@ grace_alarm_handler(int sig)
                kill(0, SIGTERM);
        }
 
-       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+       BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 
        /* Log error and exit. */
        sigdie("Timeout before authentication for %s port %d",
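Review bot: grace_alarm_handler is a signal handler, and BLACKLIST_NOTIFY here resolves to blacklist_notify() → blacklist_r(), which performs socket I/O; unless blacklist_r() is async-signal-safe (not visible here), calling it from the handler is a pre-existing hazard this commit touches but does not address. The handler ends in sigdie(), so the process is terminating anyway, which limits the impact, but a comment such as `/* NOTE: blacklist_r() runs in signal context here */` would flag it for the next reader.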