The branch main has been updated by jlduran: URL: https://cgit.FreeBSD.org/src/commit/?id=3d246db08333c06df343281d5aaebfd07ea08252
commit 3d246db08333c06df343281d5aaebfd07ea08252 Author: Jose Luis Duran <[email protected]> AuthorDate: 2026-05-16 22:00:02 +0000 Commit: Jose Luis Duran <[email protected]> CommitDate: 2026-05-16 22:00:02 +0000 blocklist: Add back probes The banner exchange was moved to the sshd-auth process in upstream commit bb781f02d4efd178e329a62a838962bee16e3e9b. Add it back. Add back fatal exit probe. NetBSD PR: bin/60270 (GNATS) Reviewed by: emaste Fixes: 2574974648c6 ("OpenSSH: Update to 10.3p1") Differential Revision: https://reviews.freebsd.org/D57027 --- crypto/openssh/sshd-auth.c | 5 ++++- crypto/openssh/sshd-session.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/crypto/openssh/sshd-auth.c b/crypto/openssh/sshd-auth.c index 76350a2a3501..e335bda8ee48 100644 --- a/crypto/openssh/sshd-auth.c +++ b/crypto/openssh/sshd-auth.c @@ -96,6 +96,7 @@ #include "srclimit.h" #include "ssh-sandbox.h" #include "dh.h" +#include "blocklist_client.h" /* Privsep fds */ #define PRIVSEP_MONITOR_FD (STDERR_FILENO + 1) @@ -812,8 +813,10 @@ do_ssh2_kex(struct ssh *ssh) free(hkalgs); if ((r = kex_exchange_identification(ssh, -1, - options.version_addendum)) != 0) + options.version_addendum)) != 0) { + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange"); sshpkt_fatal(ssh, r, "banner exchange"); + } mm_sshkey_setcompat(ssh); /* tell monitor */ if ((ssh->compat & SSH_BUG_NOREKEY)) diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c index ae41b4d7595f..26a361fe621e 100644 --- a/crypto/openssh/sshd-session.c +++ b/crypto/openssh/sshd-session.c 
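Review bot: In do_ssh2_kex (sshd-auth.c) the new `BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange")` runs in the sshd-auth process, and nothing in this diff shows the blocklist client being initialised there or its socket staying usable once that process is sandboxed (the file includes `ssh-sandbox.h`). If the handle is not set up before the sandbox is entered, the probe would presumably be dropped silently and blocklistd would never see failed banner exchanges, so it is worth testing that such a failure actually reaches blocklistd. Every non-zero `r` is reported as an authentication failure, which presumably also covers peers that simply disconnect, so monitoring or health-check sources may need to be exempted in the blocklistd configuration. A short comment such as `/* Notify first: sshpkt_fatal() does not return. */` above the call would record why the order matters. The body of do_ssh2_kex continues outside the hunk.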
@@ -1369,8 +1369,11 @@ cleanup_exit(int i)
 audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 /* Override default fatal exit value when auth was attempted */
- if (i == 255 && monitor_auth_attempted())
+ if (i == 255 && monitor_auth_attempted()) {
+ BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL,
+ "Fatal exit");
 _exit(EXIT_AUTH_ATTEMPTED);
+ }
 if (i == 255 && monitor_invalid_user())
 _exit(EXIT_INVALID_USER);
 _exit(i);
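Review bot: The new `BLOCKLIST_NOTIFY(the_active_state, ...)` call in cleanup_exit passes `the_active_state` without a NULL check, and since this is the fatal-exit path it may run while that pointer is not valid; any guard on the `audit_event` call just above is outside the hunk. If the notify helper dereferences its first argument, a NULL here would turn a clean `_exit(EXIT_AUTH_ATTEMPTED)` into a crash inside the exit path, so I would write `if (the_active_state != NULL) BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL, "Fatal exit");`. A comment should also note that this may count a second failure for a connection whose failed authentication was already reported elsewhere, which matters for blocklistd thresholds. The `monitor_invalid_user()` branch below sends no notification, and if that is deliberate it deserves a word in the same comment.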
