On 2/20/17, Kurt Lidl <l...@freebsd.org> wrote:
> On 2/19/17 4:42 PM, Oliver Pinter wrote:
>> Hello!
>>
>> On 2/19/17, Kurt Lidl <l...@freebsd.org> wrote:
>>> Author: lidl
>>> Date: Sun Feb 19 20:35:39 2017
>>> New Revision: 313965
>>> URL: https://svnweb.freebsd.org/changeset/base/313965
>>>
>>> Log:
>>>   Only notify blacklistd for successful logins in auth.c
>>
>> What's the rationale behind this change?
>
> Without this change, every pass through auth.c results in a
> call to blacklist_notify().
>
> So, in a normal remote login, you'd get a failed
> login flagged for the printing of the "xxx login:" prompt,
> before the remote user could enter a password.
>
> If the user successfully entered a good password,
> you'd get a good login flagged, and everything would be OK.
>
> If the user entered an incorrect password, you'd get
> another failed login in auth1.c (or auth2.c), and finally,
> when sshd got around to issuing the second "xxx login:"
> prompt, you'd have yet another failed login notice sent
> to blacklistd.
>
> So, if you had 3 bad logins set to the limit, you'd actually
> be blocking the address after the first bad login attempt.
>
> -Kurt

Thanks for the detailed answer. Could you please include these
sentences when you MFC this change?


>
>>
>>>
>>>   Reported by:      Rick Adams
>>>   Reviewed by:      des
>>>   MFC after:        3 days
>>>   Sponsored by:     The FreeBSD Foundation
>>>
>>> Modified:
>>>   head/crypto/openssh/auth.c
>>>
>>> Modified: head/crypto/openssh/auth.c
>>> ==============================================================================
>>> --- head/crypto/openssh/auth.c      Sun Feb 19 19:56:12 2017        
>>> (r313964)
>>> +++ head/crypto/openssh/auth.c      Sun Feb 19 20:35:39 2017        
>>> (r313965)
>>> @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
>>>             authmsg = "Partial";
>>>     else {
>>>             authmsg = authenticated ? "Accepted" : "Failed";
>>> -           BLACKLIST_NOTIFY(authenticated ?
>>> -               BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
>>> +           if (authenticated)
>>> +                   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
>>>     }
>>>
>>>     authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
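Review bot: the log message "Only notify blacklistd for successful logins in auth.c" should also say where BLACKLIST_AUTH_FAIL is still raised, since this hunk removes the only failure notification in auth_log() and a reader of the diff alone could take it as dropping failure reporting to blacklistd entirely. The rationale given in the reply (the "xxx login:" prompt pass through auth_log() produced a spurious failure before any password was entered, and the real failure is already reported from auth1.c/auth2.c, so a limit of 3 was reached after one bad attempt) belongs in the commit log, or as a one-line comment above `if (authenticated)` so the asymmetry with the removed `BLACKLIST_NOTIFY(authenticated ? BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);` is self-explanatory in the source.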
>>> _______________________________________________
>>> svn-src-head@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/svn-src-head
>>> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
>>>
>
>