svn commit: r318402 - stable/11/crypto/openssh

Kurt Lidl lidl at FreeBSD.org
Wed May 17 14:28:03 UTC 2017 

Author: lidl
Date: Wed May 17 14:28:01 2017
New Revision: 318402
URL: https://svnweb.freebsd.org/changeset/base/318402

Log:
  MFC r318242: Refine and update blacklist support in sshd
  
  Adjust notification points slightly to catch all auth failures, rather
  than just the ones caused by bad usernames.  Modify notification point
  for bad usernames to send new type of BLACKLIST_BAD_USER.  (Support in
  libblacklist will be forthcoming soon.)  Add guards to allow library
  headers to expose the enum of action values.
  
  Reviewed by:	des
  Relnotes:	yes
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/crypto/openssh/auth-pam.c
  stable/11/crypto/openssh/auth.c
  stable/11/crypto/openssh/auth1.c
  stable/11/crypto/openssh/auth2.c
  stable/11/crypto/openssh/blacklist.c
  stable/11/crypto/openssh/blacklist_client.h
  stable/11/crypto/openssh/packet.c
  stable/11/crypto/openssh/sshd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/crypto/openssh/auth-pam.c
==============================================================================
--- stable/11/crypto/openssh/auth-pam.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/auth-pam.c	Wed May 17 14:28:01 2017	(r318402)
@@ -795,7 +795,8 @@ sshpam_query(void *ctx, char **name, cha
 				free(msg);
 				return (0);
 			}
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+			    sshpam_authctxt->user);
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,

Modified: stable/11/crypto/openssh/auth.c
==============================================================================
--- stable/11/crypto/openssh/auth.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/auth.c	Wed May 17 14:28:01 2017	(r318402)
@@ -296,7 +296,7 @@ auth_log(Authctxt *authctxt, int authent
 	else {
 		authmsg = authenticated ? "Accepted" : "Failed";
 		if (authenticated)
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
 	}
 
 	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
@@ -644,7 +644,7 @@ getpwnamallow(const char *user)
 	}
 #endif
 	if (pw == NULL) {
-		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
 		logit("Invalid user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN

Modified: stable/11/crypto/openssh/auth1.c
==============================================================================
--- stable/11/crypto/openssh/auth1.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/auth1.c	Wed May 17 14:28:01 2017	(r318402)
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
 			char *msg;
 			size_t len;
 
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 			error("Access denied for user %s by PAM account "
 			    "configuration", authctxt->user);
 			len = buffer_len(&loginmsg);
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
 		if (authenticated)
 			return;
 
+		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 		if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
 	else {
 		debug("do_authentication: invalid user %s", user);
 		authctxt->pw = fakepw();
-		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
 	}
 
 	/* Configuration may have changed as a result of Match */

Modified: stable/11/crypto/openssh/auth2.c
==============================================================================
--- stable/11/crypto/openssh/auth2.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/auth2.c	Wed May 17 14:28:01 2017	(r318402)
@@ -249,7 +249,6 @@ input_userauth_request(int type, u_int32
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
@@ -389,8 +388,10 @@ userauth_finish(Authctxt *authctxt, int 
 
 		/* Allow initial try of "none" auth without failure penalty */
 		if (!partial && !authctxt->server_caused_failure &&
-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
 			authctxt->failures++;
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+		}
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));

Modified: stable/11/crypto/openssh/blacklist.c
==============================================================================
--- stable/11/crypto/openssh/blacklist.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/blacklist.c	Wed May 17 14:28:01 2017	(r318402)
@@ -46,8 +46,8 @@
 #include "log.h"
 #include "misc.h"
 #include "servconf.h"
-#include "blacklist_client.h"
 #include <blacklist.h>
+#include "blacklist_client.h"
 
 static struct blacklist *blstate = NULL;
 
@@ -88,10 +88,10 @@ blacklist_init(void)
 }
 
 void
-blacklist_notify(int action)
+blacklist_notify(int action, const char *msg)
 {
 
 	if (blstate != NULL && packet_connection_is_on_socket())
 		(void)blacklist_r(blstate, action,
-		packet_get_connection_in(), "ssh");
+		packet_get_connection_in(), msg);
 }

Modified: stable/11/crypto/openssh/blacklist_client.h
==============================================================================
--- stable/11/crypto/openssh/blacklist_client.h	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/blacklist_client.h	Wed May 17 14:28:01 2017	(r318402)
@@ -34,22 +34,26 @@
 #ifndef BLACKLIST_CLIENT_H
 #define BLACKLIST_CLIENT_H
 
+#ifndef BLACKLIST_API_ENUM
 enum {
 	BLACKLIST_AUTH_OK = 0,
-	BLACKLIST_AUTH_FAIL
+	BLACKLIST_AUTH_FAIL,
+	BLACKLIST_ABUSIVE_BEHAVIOR,
+	BLACKLIST_BAD_USER
 };
+#endif
 
 #ifdef USE_BLACKLIST
 void blacklist_init(void);
-void blacklist_notify(int);
+void blacklist_notify(int, const char *);
 
 #define BLACKLIST_INIT() blacklist_init()
-#define BLACKLIST_NOTIFY(x) blacklist_notify(x)
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
 
 #else
 
 #define BLACKLIST_INIT()
-#define BLACKLIST_NOTIFY(x)
+#define BLACKLIST_NOTIFY(x,msg)
 
 #endif
 

Modified: stable/11/crypto/openssh/packet.c
==============================================================================
--- stable/11/crypto/openssh/packet.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/packet.c	Wed May 17 14:28:01 2017	(r318402)
@@ -2072,7 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh && ssh->kex && ssh->kex->failed_choice) {
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 			fatal("Unable to negotiate with %.200s port %d: %s. "
 			    "Their offer: %s", ssh_remote_ipaddr(ssh),
 			    ssh_remote_port(ssh), ssh_err(r),

Modified: stable/11/crypto/openssh/sshd.c
==============================================================================
--- stable/11/crypto/openssh/sshd.c	Wed May 17 13:22:13 2017	(r318401)
+++ stable/11/crypto/openssh/sshd.c	Wed May 17 14:28:01 2017	(r318402)
@@ -389,7 +389,7 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}
 
-	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 
 	/* Log error and exit. */
 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());

More information about the svn-src-stable-11 mailing list