From owner-svn-src-stable-11@freebsd.org Wed Feb 22 04:15:40 2017
Return-Path: 
Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CC753CE94EC; Wed, 22 Feb 2017 04:15:40 +0000 (UTC) (envelope-from lidl@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9893F1235; Wed, 22 Feb 2017 04:15:40 +0000 (UTC) (envelope-from lidl@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v1M4Fd43051597; Wed, 22 Feb 2017 04:15:39 GMT (envelope-from lidl@FreeBSD.org)
Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v1M4FdmW051596; Wed, 22 Feb 2017 04:15:39 GMT (envelope-from lidl@FreeBSD.org)
Message-Id: <201702220415.v1M4FdmW051596@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f
From: Kurt Lidl
Date: Wed, 22 Feb 2017 04:15:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r314072 - stable/11/crypto/openssh
X-SVN-Group: stable-11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Wed, 22 Feb 2017 04:15:40 -0000

Author: lidl
Date: Wed Feb 22 04:15:39 2017
New Revision: 314072

URL: https://svnweb.freebsd.org/changeset/base/314072

Log:
  MFC r313965:

  Only notify blacklistd for successful logins in auth.c

  Before this change, every pass through auth.c resulted in a call to
  blacklist_notify(). In a normal remote login, there would be a failed
  login flagged for the printing of the "xxx login:" prompt, before the
  remote user could enter a password. If the user successfully entered a
  good password, then a good login would be flagged, and everything would
  be OK.

  If the user entered an incorrect password, there would be another failed
  login flagged in auth1.c (or auth2.c) for the actual bad password
  attempt. Finally, when sshd got around to issuing the second
  "xxx login:" prompt, there would be yet another failed login notice sent
  to blacklistd.

  So, if there was a 3 bad logins limit set (the default), the system
  would actually block the address after the first bad password attempt.
Reported by: Rick Adams Reviewed by: des Sponsored by: The FreeBSD Foundation Modified: stable/11/crypto/openssh/auth.c Directory Properties: stable/11/ (props changed) Modified: stable/11/crypto/openssh/auth.c ============================================================================== --- stable/11/crypto/openssh/auth.c Wed Feb 22 03:49:46 2017 (r314071) +++ stable/11/crypto/openssh/auth.c Wed Feb 22 04:15:39 2017 (r314072) @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent authmsg = "Partial"; else { authmsg = authenticated ? "Accepted" : "Failed"; - BLACKLIST_NOTIFY(authenticated ? - BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); + if (authenticated) + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); } authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
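Review bot: with the `BLACKLIST_AUTH_FAIL` notification removed from this shared `auth_log()` path, failed attempts are now reported to blacklistd only by the per-protocol callers (the log message names auth1.c and auth2.c), so a one-line comment above `if (authenticated)` saying that failures are deliberately reported elsewhere would stop a later reader from "restoring" the symmetric call and reintroducing the triple-count. Two smaller points visible in the hunk: the `authmsg = "Failed"` assignment and the `authlog(...)` line below are unchanged, so sshd's own log still records the prompt-time "Failed" entry even though blacklistd no longer hears about it, which is worth a sentence in the commit message for anyone correlating the two logs; and the `authmsg = "Partial"` branch never notified blacklistd before or after this change, so partial-success states continue to be invisible to it.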
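To make the counting problem in the commit message concrete, here is a small model of the notification sequence, written for this page and not taken from sshd or blacklistd. It assumes, as the log message states, that the "login:" prompt passed through `auth_log()` with `authenticated == 0`, that auth1.c/auth2.c separately report the real bad-password attempt, and that blacklistd blocks an address once it has seen the default limit of 3 failures; the counter-reset-on-success behaviour, the struct and all function names are constructed for the example.

```c
#include <stdio.h>

/*
 * Added example (not sshd/blacklistd code): model how many failure
 * notifications one bad-password attempt produced before and after
 * r314072, and when blacklistd's default limit is reached.
 */

enum { BL_AUTH_OK = 0, BL_AUTH_FAIL = 1 };

/* Default bad-login limit named in the commit message. */
#define BL_DEFAULT_LIMIT 3

/* Constructed stand-in for blacklistd's per-address state. */
struct blacklistd {
	int fails;
	int blocked;
};

/* Constructed stand-in for blacklist_notify(): count fails, block at limit.
 * Assumption: a successful login clears the failure count. */
static void
bl_notify(struct blacklistd *bl, int what)
{
	if (what == BL_AUTH_OK) {
		bl->fails = 0;
		return;
	}
	if (++bl->fails >= BL_DEFAULT_LIMIT)
		bl->blocked = 1;
}

/* auth.c before r314072: every auth_log() call notified, including the
 * one issued when the "xxx login:" prompt was printed (authenticated == 0). */
static void
auth_log_old(struct blacklistd *bl, int authenticated)
{
	bl_notify(bl, authenticated ? BL_AUTH_OK : BL_AUTH_FAIL);
}

/* auth.c after r314072: only successes are reported from this path. */
static void
auth_log_new(struct blacklistd *bl, int authenticated)
{
	if (authenticated)
		bl_notify(bl, BL_AUTH_OK);
}

/*
 * Replay the sequence the commit message describes: one prompt, then for
 * each wrong password a failure flagged by auth1.c/auth2.c followed by a
 * fresh prompt. Returns how many wrong passwords it takes to get blocked.
 */
static int
attempts_until_blocked(int use_new)
{
	void (*auth_log)(struct blacklistd *, int) =
	    use_new ? auth_log_new : auth_log_old;
	struct blacklistd bl = { 0, 0 };
	int attempts = 0;

	auth_log(&bl, 0);		/* first "xxx login:" prompt, nothing typed yet */
	while (!bl.blocked && attempts < 100) {
		attempts++;
		bl_notify(&bl, BL_AUTH_FAIL);	/* auth1.c/auth2.c: real bad password */
		auth_log(&bl, 0);		/* next prompt */
	}
	return attempts;
}

/* A single correct password must not leave the address blocked. */
static int
good_login_blocked(int use_new)
{
	void (*auth_log)(struct blacklistd *, int) =
	    use_new ? auth_log_new : auth_log_old;
	struct blacklistd bl = { 0, 0 };

	auth_log(&bl, 0);		/* prompt */
	auth_log(&bl, 1);		/* correct password */
	return bl.blocked;
}

int
main(void)
{
	printf("old auth.c: blocked after %d bad password(s)\n",
	    attempts_until_blocked(0));
	printf("new auth.c: blocked after %d bad password(s)\n",
	    attempts_until_blocked(1));
	return 0;
}
```

Running it shows the old path reaching the limit of 3 after a single wrong password (prompt, bad password, prompt), while the new path needs three genuine bad passwords, which is the behaviour the commit restores.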