aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorKurt Lidl <lidl@FreeBSD.org>2016-09-06 14:52:14 +0000
committerKurt Lidl <lidl@FreeBSD.org>2016-09-06 14:52:14 +0000
commitabdc647393e656ed9e9a27028fca1366447e8cd6 (patch)
tree3aab3829188eccde1796fccf737fbcc22a82ab6b /crypto
parent3b36f93116fdbc159f157991b0d4d863437a0f6b (diff)
downloadsrc-abdc647393e656ed9e9a27028fca1366447e8cd6.tar.gz
src-abdc647393e656ed9e9a27028fca1366447e8cd6.zip
MFC r305065: Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Approved by: des Sponsored by: The FreeBSD Foundation
Notes
Notes: svn path=/stable/11/; revision=305476
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/auth-pam.c2
-rw-r--r--crypto/openssh/auth.c7
-rw-r--r--crypto/openssh/auth1.c3
-rw-r--r--crypto/openssh/auth2.c2
-rw-r--r--crypto/openssh/blacklist.c97
-rw-r--r--crypto/openssh/blacklist_client.h57
-rw-r--r--crypto/openssh/packet.c2
-rw-r--r--crypto/openssh/servconf.c10
-rw-r--r--crypto/openssh/servconf.h1
-rw-r--r--crypto/openssh/sshd.c5
-rw-r--r--crypto/openssh/sshd_config1
-rw-r--r--crypto/openssh/sshd_config.59
12 files changed, 195 insertions, 1 deletions
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 8425af1ea33a..bbd18e596951 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -98,6 +98,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "blacklist_client.h"
extern ServerOptions options;
extern Buffer loginmsg;
@@ -794,6 +795,7 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
return (0);
}
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index ba908801a169..1259385f8af9 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -75,6 +75,7 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -292,8 +293,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ BLACKLIST_NOTIFY(authenticated ?
+ BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+ }
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
authmsg,
@@ -640,6 +644,7 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 5073c49bb37d..71eb0c21b260 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -43,6 +43,7 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -337,6 +338,7 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@@ -404,6 +406,7 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
}
/* Configuration may have changed as a result of Match */
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index 1d9aab037dd6..ee3c5dd87ce1 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,6 +52,7 @@ __RCSID("$FreeBSD$");
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
+#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -248,6 +249,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
new file mode 100644
index 000000000000..4c9d91dec164
--- /dev/null
+++ b/crypto/openssh/blacklist.c
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "blacklist_client.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate = NULL;
+
+/* import */
+extern ServerOptions options;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+ LogLevel imlevel;
+
+ switch (priority) {
+ case LOG_ERR:
+ imlevel = SYSLOG_LEVEL_ERROR;
+ break;
+ case LOG_DEBUG:
+ imlevel = SYSLOG_LEVEL_DEBUG1;
+ break;
+ case LOG_INFO:
+ imlevel = SYSLOG_LEVEL_INFO;
+ break;
+ default:
+ imlevel = SYSLOG_LEVEL_DEBUG2;
+ }
+ do_log(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+ if (options.use_blacklist)
+ blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action)
+{
+
+ if (blstate != NULL && packet_connection_is_on_socket())
+ (void)blacklist_r(blstate, action,
+ packet_get_connection_in(), "ssh");
+}
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
new file mode 100644
index 000000000000..9479bb27be46
--- /dev/null
+++ b/crypto/openssh/blacklist_client.h
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x) blacklist_notify(x)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index f3b3ce9cf250..be4b4b6e22d9 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -86,6 +86,7 @@ __RCSID("$FreeBSD$");
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2071,6 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 6fb8be5bfd5a..66d24cefd4e2 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
options->fingerprint_hash = -1;
+ options->use_blacklist = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -360,6 +361,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->use_blacklist == -1)
+ options->use_blacklist = 0;
assemble_algorithms(options);
@@ -437,6 +440,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash,
+ sUseBlacklist,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -579,6 +583,7 @@ static struct {
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
{ "noneenabled", sUnsupported, SSHCFG_ALL },
{ "hpndisabled", sDeprecated, SSHCFG_ALL },
{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
@@ -1861,6 +1866,10 @@ process_server_config_line(ServerOptions *options, char *line,
options->fingerprint_hash = value;
break;
+ case sUseBlacklist:
+ intptr = &options->use_blacklist;
+ goto parse_flag;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -2304,6 +2313,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index f4137af7d666..8c37a63dd4f4 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -195,6 +195,7 @@ typedef struct {
char *auth_methods[MAX_AUTH_METHODS];
int fingerprint_hash;
+ int use_blacklist;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index dd7fcdda3e94..38b772d10855 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -135,6 +135,7 @@ __RCSID("$FreeBSD$");
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
+#include "blacklist_client.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -2251,6 +2254,8 @@ main(int ac, char **av)
buffer_init(&loginmsg);
auth_debug_reset();
+ BLACKLIST_INIT();
+
if (use_privsep) {
if (privsep_preauth(authctxt) == 1)
goto authenticated;
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 6ea0b0885732..a842e6efef9a 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -120,6 +120,7 @@
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
+#UseBlacklist no
#VersionAddendum FreeBSD-20160310
# no default banner path
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 78531214a1f9..54c95ad74220 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1537,6 +1537,15 @@ for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
+attempts to send authentication success and failure messages
+to the
+.Xr blacklistd 8
+daemon.
+The default is
+.Dq no .
.It Cm UseDNS
Specifies whether
.Xr sshd 8