From: Glen Barber Date: Fri, 24 Jun 2016 23:22:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r302182 - in head: crypto/openssh secure/usr.sbin/sshd X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jun 2016 23:22:44 -0000 Author: gjb Date: Fri Jun 24 23:22:42 2016 New Revision: 302182 URL: https://svnweb.freebsd.org/changeset/base/302182 Log: Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation Deleted: head/crypto/openssh/blacklist.c head/crypto/openssh/blacklist_client.h Modified: head/crypto/openssh/auth-pam.c head/crypto/openssh/auth.c head/crypto/openssh/auth1.c head/crypto/openssh/auth2.c head/crypto/openssh/packet.c head/crypto/openssh/sshd.c head/secure/usr.sbin/sshd/Makefile head/secure/usr.sbin/sshd/Makefile.depend Modified: head/crypto/openssh/auth-pam.c ============================================================================== --- head/crypto/openssh/auth-pam.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/auth-pam.c Fri Jun 24 23:22:42 2016 (r302182) @@ -98,9 +98,6 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif extern ServerOptions options; extern Buffer loginmsg; 
@@ -797,9 +794,6 @@ sshpam_query(void *ctx, char **name, cha free(msg); return (0); } -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Modified: head/crypto/openssh/auth.c ============================================================================== --- head/crypto/openssh/auth.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/auth.c Fri Jun 24 23:22:42 2016 (r302182) @@ -75,9 +75,6 @@ __RCSID("$FreeBSD$"); #include "authfile.h" #include "ssherr.h" #include "compat.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif /* import */ extern ServerOptions options; @@ -309,10 +306,6 @@ auth_log(Authctxt *authctxt, int authent compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? authctxt->info : ""); -#ifdef USE_BLACKLIST - if (!authctxt->postponed) - blacklist_notify(!authenticated); -#endif free(authctxt->info); authctxt->info = NULL; @@ -647,9 +640,6 @@ getpwnamallow(const char *user) } #endif if (pw == NULL) { -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN Modified: head/crypto/openssh/auth1.c ============================================================================== --- head/crypto/openssh/auth1.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/auth1.c Fri Jun 24 23:22:42 2016 (r302182) @@ -43,9 +43,6 @@ #endif #include "monitor_wrap.h" #include "buffer.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif /* import */ extern ServerOptions options; @@ -340,9 +337,6 @@ do_authloop(Authctxt *authctxt) char *msg; size_t len; -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); 
@@ -410,9 +404,6 @@ do_authentication(Authctxt *authctxt) else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif } /* Configuration may have changed as a result of Match */ Modified: head/crypto/openssh/auth2.c ============================================================================== --- head/crypto/openssh/auth2.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/auth2.c Fri Jun 24 23:22:42 2016 (r302182) @@ -52,9 +52,6 @@ __RCSID("$FreeBSD$"); #include "pathnames.h" #include "buffer.h" #include "canohost.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif #ifdef GSSAPI #include "ssh-gss.h" @@ -251,9 +248,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Modified: head/crypto/openssh/packet.c ============================================================================== --- head/crypto/openssh/packet.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/packet.c Fri Jun 24 23:22:42 2016 (r302182) @@ -86,9 +86,6 @@ __RCSID("$FreeBSD$"); #include "packet.h" #include "ssherr.h" #include "sshbuf.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif #ifdef PACKET_DEBUG #define DBG(x) x 
@@ -2074,9 +2071,6 @@ sshpkt_fatal(struct ssh *ssh, const char case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r), Modified: head/crypto/openssh/sshd.c ============================================================================== --- head/crypto/openssh/sshd.c Fri Jun 24 22:49:32 2016 (r302181) +++ head/crypto/openssh/sshd.c Fri Jun 24 23:22:42 2016 (r302182) @@ -135,9 +135,6 @@ __RCSID("$FreeBSD$"); #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" -#ifdef USE_BLACKLIST -#include "blacklist_client.h" -#endif #ifdef LIBWRAP #include @@ -391,9 +388,6 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } -#ifdef USE_BLACKLIST - blacklist_notify(1); -#endif /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@ -655,10 +649,6 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); -#ifdef USE_BLACKLIST - blacklist_init(); -#endif - /* Demote the child */ if (getuid() == 0 || geteuid() == 0) { /* Change our root directory */ @@ -1282,9 +1272,6 @@ server_accept_loop(int *sock_in, int *so for (i = 0; i < options.max_startups; i++) startup_pipes[i] = -1; -#ifdef USE_BLACKLIST - blacklist_init(); -#endif /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. Modified: head/secure/usr.sbin/sshd/Makefile ============================================================================== --- head/secure/usr.sbin/sshd/Makefile Fri Jun 24 22:49:32 2016 (r302181) +++ head/secure/usr.sbin/sshd/Makefile Fri Jun 24 23:22:42 2016 (r302182) 
@@ -40,13 +40,6 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT LIBADD+= bsm .endif -.if ${MK_BLACKLIST_SUPPORT} != "no" -CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include -SRCS+= blacklist.c -LIBADD+= blacklist -LDFLAGS+=-L${LIBBLACKLISTDIR} -.endif - .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h SRCS+= krb5_config.h Modified: head/secure/usr.sbin/sshd/Makefile.depend ============================================================================== --- head/secure/usr.sbin/sshd/Makefile.depend Fri Jun 24 22:49:32 2016 (r302181) +++ head/secure/usr.sbin/sshd/Makefile.depend Fri Jun 24 23:22:42 2016 (r302182) @@ -17,7 +17,6 @@ DIRDEPS = \ kerberos5/lib/libroken \ kerberos5/lib/libwind \ lib/${CSU_DIR} \ - lib/libblacklist \ lib/libbsm \ lib/libc \ lib/libcom_err \
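Review bot: The log says only "functional impact" without naming it, and the auth.c hunk at -309,10 (auth_log) shows the part operators will care about. With `if (!authctxt->postponed) blacklist_notify(!authenticated);` gone, along with the `blacklist_notify(1)` calls on the invalid-user paths in getpwnamallow(), do_authentication() and input_userauth_request(), sshd no longer reports failed or invalid-user logins to blacklistd(8) from this revision on. Please state that in the log, or in a note for users who enabled the feature after r301551, so that hosts relying on it for SSH brute-force blocking know to use another mechanism until the hooks return.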
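Review bot: In sshd.c at -391,9 the removed `blacklist_notify(1)` sat inside grace_alarm_handler(), which is a signal handler, and that placement should be recorded as something not to repeat if the integration is re-landed. The body of blacklist_notify() lives in the deleted blacklist.c and is not shown in this diff, so its async-signal safety cannot be confirmed here. A future version would be safer setting a flag in the handler and reporting the pre-authentication timeout from normal context.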
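Review bot: In secure/usr.sbin/sshd/Makefile at -40,13, dropping the `.if ${MK_BLACKLIST_SUPPORT} != "no"` block means the knob no longer changes how sshd is built, and the log does not mention this. Since `-DUSE_BLACKLIST`, `SRCS+= blacklist.c` and `LIBADD+= blacklist` all go away together, and Makefile.depend loses `lib/libblacklist`, the removal is consistent with the two deleted files. A one-line remark that sshd ignores MK_BLACKLIST_SUPPORT after this revision would keep users from assuming the knob still enables reporting in sshd.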