authorKurt Lidl <lidl@FreeBSD.org>2017-05-17 14:28:01 +0000
committerKurt Lidl <lidl@FreeBSD.org>2017-05-17 14:28:01 +0000
commit668f1559efca4489fb7a580a00a92075bf3d2d3a (patch)
tree0e66a851b24e049d3ab8581ef556e6ccd263acd1 /crypto
parent96c3e37273b1f352f4f22d3edcbc7b2e1c63ca47 (diff)
MFC r318242: Refine and update blacklist support in sshd
Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Relnotes: yes Sponsored by: The FreeBSD Foundation
Notes
Notes: svn path=/stable/11/; revision=318402
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/auth-pam.c3
-rw-r--r--crypto/openssh/auth.c4
-rw-r--r--crypto/openssh/auth1.c5
-rw-r--r--crypto/openssh/auth2.c5
-rw-r--r--crypto/openssh/blacklist.c6
-rw-r--r--crypto/openssh/blacklist_client.h12
-rw-r--r--crypto/openssh/packet.c2
-rw-r--r--crypto/openssh/sshd.c2
8 files changed, 23 insertions, 16 deletions
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index bbd18e596951..aa83913c1050 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -795,7 +795,8 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
return (0);
}
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+ sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
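Review bot: The notification at L37 reports BLACKLIST_BAD_USER for every failed PAM conversation, yet the error() call directly below it distinguishes `sshpam_authctxt->valid` users from illegal ones, so a valid user who mistyped a password is reported to blacklistd as a bad username. If blacklistd weights BAD_USER differently from AUTH_FAIL (the separate action value suggests it does), valid users end up penalised on the wrong track; `BLACKLIST_NOTIFY(sshpam_authctxt->valid ? BLACKLIST_AUTH_FAIL : BLACKLIST_BAD_USER, sshpam_authctxt->user);` keeps the two cases apart. A failed keyboard-interactive attempt presumably also reaches userauth_finish(), which this commit teaches to send AUTH_FAIL, so the same attempt may be counted twice — worth confirming. sshpam_query continues outside the hunk.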
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index c5dac04d6a5b..4a7c8ed8ba2a 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -296,7 +296,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
}
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
@@ -644,7 +644,7 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
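Review bot: The `user` string handed to blacklist_r() at L59 is the raw client-supplied login name, bounded only by the protocol, whereas the adjacent logit() truncates it to 100 bytes; whatever blacklistd does with the message (not visible here) now receives attacker-controlled text, control characters included. Unless libblacklist is known to bound and sanitise the message, a comment such as `/* user is untrusted client input; blacklistd must treat it as opaque */` plus a length cap before the call would be prudent. getpwnamallow continues outside the hunk.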
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 71eb0c21b260..189954425ac2 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
if (++authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
}
/* Configuration may have changed as a result of Match */
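Review bot: The BLACKLIST_BAD_USER notification at L87 duplicates the one this commit adds inside getpwnamallow() (auth.c L59), which do_authentication presumably calls just above this hunk to obtain `authctxt->pw`; the parallel site in auth2.c had its notification removed for exactly that reason (L98), but auth1.c keeps its own. With privilege separation off both fire in the same process and one invalid SSH1 login is counted twice; with it on, getpwnamallow runs in the monitor and whether blacklist state exists there is not visible in this diff. Either drop this line to match auth2.c or add `/* getpwnamallow() does not report BAD_USER from the monitor */` if that is the reason it stays. do_authentication begins outside the hunk.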
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index ee3c5dd87ce1..8f9817ac78ea 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -249,7 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
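Review bot: Removing the notification at L98 makes the invalid-user report depend entirely on getpwnamallow(), which in auth2.c is presumably reached through PRIVSEP() and so executes in the monitor when privilege separation is on; whether blacklist_init() has run in the monitor and whether packet_connection_is_on_socket() holds there cannot be seen from this diff. If either fails, invalid usernames go unreported under the default privsep configuration, which is the common case. A test with UsePrivilegeSeparation enabled would settle it, and a comment such as `/* BAD_USER is reported from getpwnamallow() */` would stop the next reader from re-adding the call here. input_userauth_request continues outside the hunk.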
@@ -389,8 +388,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+ }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
index 4c9d91dec164..b4f5d3e128c1 100644
--- a/crypto/openssh/blacklist.c
+++ b/crypto/openssh/blacklist.c
@@ -46,8 +46,8 @@
#include "log.h"
#include "misc.h"
#include "servconf.h"
-#include "blacklist_client.h"
#include <blacklist.h>
+#include "blacklist_client.h"
static struct blacklist *blstate = NULL;
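Review bot: The include reordering at L122-L123 is load-bearing but silent: `<blacklist.h>` has to be seen first so that, when the installed libblacklist defines BLACKLIST_API_ENUM, blacklist_client.h skips its private copy of the action enum (the guard added in that header in this same commit). A one-line comment would keep a future header tidy-up from reverting it, e.g. `/* <blacklist.h> first: when it defines BLACKLIST_API_ENUM, blacklist_client.h must not redefine the action enum. */`.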
@@ -88,10 +88,10 @@ blacklist_init(void)
}
void
-blacklist_notify(int action)
+blacklist_notify(int action, const char *msg)
{
if (blstate != NULL && packet_connection_is_on_socket())
(void)blacklist_r(blstate, action,
- packet_get_connection_in(), "ssh");
+ packet_get_connection_in(), msg);
}
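Review bot: blacklist_notify() at L129 now forwards an arbitrary caller-supplied `msg` to blacklist_r() with no NULL check, and for BLACKLIST_BAD_USER that string is the client's requested username; nothing at this layer records either fact. A comment on the definition, `/* msg: free-form context for blacklistd; for BAD_USER callers pass the untrusted login name */`, and a fallback `msg != NULL ? msg : "ssh"` in the call would make the function safe from any site. Whether blacklist_r() bounds or sanitises the message is outside this diff.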
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
index 9479bb27be46..af5a2a6d3c1d 100644
--- a/crypto/openssh/blacklist_client.h
+++ b/crypto/openssh/blacklist_client.h
@@ -34,22 +34,26 @@
#ifndef BLACKLIST_CLIENT_H
#define BLACKLIST_CLIENT_H
+#ifndef BLACKLIST_API_ENUM
enum {
BLACKLIST_AUTH_OK = 0,
- BLACKLIST_AUTH_FAIL
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
};
+#endif
#ifdef USE_BLACKLIST
void blacklist_init(void);
-void blacklist_notify(int);
+void blacklist_notify(int, const char *);
#define BLACKLIST_INIT() blacklist_init()
-#define BLACKLIST_NOTIFY(x) blacklist_notify(x)
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
#else
#define BLACKLIST_INIT()
-#define BLACKLIST_NOTIFY(x)
+#define BLACKLIST_NOTIFY(x,msg)
#endif
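Review bot: The enum at L144-L150 is a local mirror of the action values libblacklist exports, and the two are interchangeable only while their order and numbering stay identical — nothing here says so, and an insertion in either copy would silently remap AUTH_FAIL to BAD_USER or vice versa. Since BLACKLIST_API_ENUM is the signal that the real header was already included, a comment above the guard would record the contract: `/* Fallback copy of libblacklist's action enum for builds whose <blacklist.h> does not define BLACKLIST_API_ENUM; values must match the library exactly. */`. BLACKLIST_ABUSIVE_BEHAVIOR is added but used by no site in this commit, presumably to keep the numbering aligned with the library; that is worth stating next to it.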
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index be4b4b6e22d9..5d745a0ea445 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -2072,7 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),
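Review bot: A KEX or host-key algorithm mismatch at L173 is still reported as BLACKLIST_AUTH_FAIL although no authentication was attempted, so an otherwise legitimate client with a restrictive or outdated algorithm list accrues the same blacklistd penalty as a wrong password. This commit introduces BLACKLIST_ABUSIVE_BEHAVIOR, which looks like the intended bucket for pre-auth negotiation failures; if so this site should use it, and if the AUTH_FAIL classification is deliberate a comment such as `/* counted as an auth failure: repeated bad offers are a common scanner signature */` would record that. sshpkt_fatal continues outside the hunk.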
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 38b772d10855..448b64b30436 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -389,7 +389,7 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
- BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
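Review bot: The call at L185 runs inside grace_alarm_handler(), a SIGALRM handler, and blacklist_r() presumably performs socket I/O that is not async-signal-safe; the call predates this commit, but the widened interface is a good moment to either document the assumption or defer the report. It also counts every LoginGraceTime expiry — an idle or slow client as much as a scanner — as a full AUTH_FAIL, which is worth a comment such as `/* grace timeout is reported as an auth failure so stalled pre-auth connections still count against the peer */`. grace_alarm_handler begins outside the hunk.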