Author: lidl Date: Tue Jun 7 16:18:09 2016 New Revision: 301551 URL: https://svnweb.freebsd.org/changeset/base/301551
Log: Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 Added: head/crypto/openssh/blacklist.c (contents, props changed) head/crypto/openssh/blacklist_client.h (contents, props changed) Modified: head/crypto/openssh/auth-pam.c head/crypto/openssh/auth.c head/crypto/openssh/auth1.c head/crypto/openssh/auth2.c head/crypto/openssh/packet.c head/crypto/openssh/sshd.c head/secure/usr.sbin/sshd/Makefile Modified: head/crypto/openssh/auth-pam.c ============================================================================== --- head/crypto/openssh/auth-pam.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/auth-pam.c Tue Jun 7 16:18:09 2016 (r301551) @@ -98,6 +98,9 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif extern ServerOptions options; extern Buffer loginmsg; @@ -794,6 +797,9 @@ sshpam_query(void *ctx, char **name, cha free(msg); return (0); } +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Modified: head/crypto/openssh/auth.c ============================================================================== --- head/crypto/openssh/auth.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/auth.c Tue Jun 7 16:18:09 2016 (r301551) @@ -75,6 +75,9 @@ __RCSID("$FreeBSD$"); #include "authfile.h" #include "ssherr.h" #include "compat.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif /* import */ extern ServerOptions options; @@ -306,6 +309,10 @@ auth_log(Authctxt *authctxt, int authent compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? authctxt->info : ""); +#ifdef USE_BLACKLIST + if (!authctxt->postponed) + blacklist_notify(!authenticated); +#endif free(authctxt->info); authctxt->info = NULL; @@ -640,6 +647,9 @@ getpwnamallow(const char *user) } #endif if (pw == NULL) { +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN Modified: head/crypto/openssh/auth1.c ============================================================================== --- head/crypto/openssh/auth1.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/auth1.c Tue Jun 7 16:18:09 2016 (r301551) @@ -43,6 +43,9 @@ #endif #include "monitor_wrap.h" #include "buffer.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif /* import */ extern ServerOptions options; @@ -337,6 +340,9 @@ do_authloop(Authctxt *authctxt) char *msg; size_t len; +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); @@ -404,6 +410,9 @@ do_authentication(Authctxt *authctxt) else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif } /* Configuration may have changed as a result of Match */ Modified: head/crypto/openssh/auth2.c ============================================================================== --- head/crypto/openssh/auth2.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/auth2.c Tue Jun 7 16:18:09 2016 (r301551) @@ -52,6 +52,9 @@ __RCSID("$FreeBSD$"); #include "pathnames.h" #include "buffer.h" #include "canohost.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif #ifdef GSSAPI #include "ssh-gss.h" @@ -248,6 +251,9 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Added: head/crypto/openssh/blacklist.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/crypto/openssh/blacklist.c Tue Jun 7 16:18:09 2016 (r301551) @@ -0,0 +1,64 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <ctype.h> +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "blacklist_client.h" +#include <blacklist.h> + +static struct blacklist *blstate; + +void +blacklist_init(void) +{ + blstate = blacklist_open(); +} + +void +blacklist_notify(int action) +{ + int fd; + if (blstate == NULL) + blacklist_init(); + if (blstate == NULL) + return; + fd = packet_get_connection_in(); + if (!packet_connection_is_on_socket()) { + fprintf(stderr, "packet_connection_is_on_socket: false " + "(fd = %d)\n", fd); + } + (void)blacklist_r(blstate, action, fd, "ssh"); +} Added: head/crypto/openssh/blacklist_client.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/crypto/openssh/blacklist_client.h Tue Jun 7 16:18:09 2016 (r301551) @@ -0,0 +1,31 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +void blacklist_notify(int); +void blacklist_init(void); Modified: head/crypto/openssh/packet.c ============================================================================== --- head/crypto/openssh/packet.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/packet.c Tue Jun 7 16:18:09 2016 (r301551) @@ -86,6 +86,9 @@ __RCSID("$FreeBSD$"); #include "packet.h" #include "ssherr.h" #include "sshbuf.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif #ifdef PACKET_DEBUG #define DBG(x) x @@ -2071,6 +2074,9 @@ sshpkt_fatal(struct ssh *ssh, const char case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r), Modified: head/crypto/openssh/sshd.c ============================================================================== --- head/crypto/openssh/sshd.c Tue Jun 7 15:20:53 2016 (r301550) +++ head/crypto/openssh/sshd.c Tue Jun 7 16:18:09 2016 (r301551) @@ -135,6 +135,9 @@ __RCSID("$FreeBSD$"); #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" +#ifdef USE_BLACKLIST +#include "blacklist_client.h" +#endif #ifdef LIBWRAP #include <tcpd.h> @@ -388,6 +391,9 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } +#ifdef USE_BLACKLIST + blacklist_notify(1); +#endif /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@ -649,6 +655,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); +#ifdef USE_BLACKLIST + blacklist_init(); +#endif + /* Demote the child */ if (getuid() == 0 || geteuid() == 0) { /* Change our root directory */ @@ -1272,6 +1282,9 @@ server_accept_loop(int *sock_in, int *so for (i = 0; i < options.max_startups; i++) startup_pipes[i] = -1; +#ifdef USE_BLACKLIST + blacklist_init(); +#endif /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. Modified: head/secure/usr.sbin/sshd/Makefile ============================================================================== --- head/secure/usr.sbin/sshd/Makefile Tue Jun 7 15:20:53 2016 (r301550) +++ head/secure/usr.sbin/sshd/Makefile Tue Jun 7 16:18:09 2016 (r301551) @@ -40,6 +40,13 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT LIBADD+= bsm .endif +.if ${MK_BLACKLIST_SUPPORT} != "no" +CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include +SRCS+= blacklist.c +LIBADD+= blacklist +LDFLAGS+=-L${LIBBLACKLISTDIR} +.endif + .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h SRCS+= krb5_config.h _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "[email protected]"
