Date: Tue, 30 Sep 2025 23:22:05 GMT
Message-Id: <202509302322.58UNM58g050586@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jose Luis Duran
Subject: git: 53dc967db74f - stable/15 - openssh: blocklist: Use NetBSD probes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jlduran
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 53dc967db74fba0d7b5bed413a7bc3216f16c55d

The branch stable/15 has been updated by jlduran:

URL: https://cgit.FreeBSD.org/src/commit/?id=53dc967db74fba0d7b5bed413a7bc3216f16c55d

commit 53dc967db74fba0d7b5bed413a7bc3216f16c55d
Author:     Jose Luis Duran
AuthorDate: 2025-09-29 16:32:36 +0000
Commit:     Jose Luis Duran
CommitDate: 2025-09-30 23:17:21 +0000

    openssh: blocklist: Use NetBSD probes

    Use NetBSD probe locations for consistency. We have submitted all
    improved or missing probes; keeping them synchronized with NetBSD (our
    blocklist upstream) should simplify upgrades and maintenance, as the
    locations of these probes are a moving target, depending on upstream
    OpenSSH changes.

    Additionally, use BLACKLIST_AUTH_FAIL exclusively for now. At the time
    of this commit, BLACKLIST_BAD_USER is a no-op. However, it will change
    in a future upgrade.

    Also, enhance blacklist notification messages for better debugging by
    making them more descriptive.
Reviewed by: emaste Approved by: emaste (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D52749 (cherry picked from commit e02003bce726333872d65b7b9a1557d97b6d91a0) --- crypto/openssh/auth-pam.c | 4 ++-- crypto/openssh/auth.c | 6 ++++-- crypto/openssh/auth2.c | 5 +---- crypto/openssh/monitor.c | 14 ++++++++++++-- crypto/openssh/packet.c | 2 -- crypto/openssh/sshd-session.c | 15 +++++++++++---- 6 files changed, 30 insertions(+), 16 deletions(-) diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index f95f6abbcbe0..df08dbd99a9d 100644 --- a/crypto/openssh/auth-pam.c +++ b/crypto/openssh/auth-pam.c @@ -937,8 +937,8 @@ sshpam_query(void *ctx, char **name, char **info, sshbuf_free(buffer); return (0); } - BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER, - sshpam_authctxt->user); + BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL, + "PAM illegal user"); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, sshpam_rhost); diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c index 961082b76667..0a1c8f71b390 100644 --- a/crypto/openssh/auth.c +++ b/crypto/openssh/auth.c @@ -289,7 +289,8 @@ auth_log(struct ssh *ssh, int authenticated, int partial, else { authmsg = authenticated ? "Accepted" : "Failed"; if (authenticated) - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh"); + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, + "Authenticated"); } if ((extra = format_method_key(authctxt)) == NULL) { @@ -338,6 +339,7 @@ auth_maxtries_exceeded(struct ssh *ssh) { Authctxt *authctxt = (Authctxt *)ssh->authctxt; + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded"); error("maximum authentication attempts exceeded for " "%s%.100s from %.200s port %d ssh2", authctxt->valid ? "" : "invalid user ", 
@@ -498,7 +500,7 @@ getpwnamallow(struct ssh *ssh, const char *user) aix_restoreauthdb(); #endif if (pw == NULL) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user); + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user"); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index eac1d26a4aaf..82f6e6211259 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -52,7 +52,6 @@ #include "dispatch.h" #include "pathnames.h" #include "ssherr.h" -#include "blacklist_client.h" #ifdef GSSAPI #include "ssh-gss.h" #endif @@ -443,10 +442,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, } else { /* Allow initial try of "none" auth without failure penalty */ if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) authctxt->failures++; - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); - } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES); diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 2179553d3401..b826ecdb9065 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c @@ -85,6 +85,8 @@ #include "misc.h" #include "servconf.h" #include "monitor.h" +#include "blacklist_client.h" + #ifdef GSSAPI #include "ssh-gss.h" #endif 
@@ -353,16 +355,24 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) } } if (authctxt->failures > options.max_authtries) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, + "Too many authentication attempts"); /* Shouldn't happen */ fatal_f("privsep child made too many authentication " "attempts"); } } - if (!authctxt->valid) + if (!authctxt->valid) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, + "Authenticated invalid user"); fatal_f("authenticated invalid user"); - if (strcmp(auth_method, "unknown") == 0) + } + if (strcmp(auth_method, "unknown") == 0) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, + "Authentication method name unknown"); fatal_f("authentication method name unknown"); + } debug_f("user %s authenticated by privileged process", authctxt->user); auth_attempted = 0; diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c index cc114c837e31..9dea2cfc5188 100644 --- a/crypto/openssh/packet.c +++ b/crypto/openssh/packet.c @@ -96,7 +96,6 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" -#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -2022,7 +2021,6 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap) case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh->kex && ssh->kex->failed_choice) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c index 902718524279..62c76cc1c8aa 100644 --- a/crypto/openssh/sshd-session.c +++ b/crypto/openssh/sshd-session.c @@ -217,6 +217,8 @@ mm_is_monitor(void) static void grace_alarm_handler(int sig) { + BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, + "Grace period expired"); /* * Try to kill any processes that we have spawned, E.g. authorized * keys command helpers or privsep children. 
@@ -1201,6 +1203,8 @@ main(int ac, char **av) ssh_signal(SIGCHLD, SIG_DFL); ssh_signal(SIGINT, SIG_DFL); + BLACKLIST_INIT(); + /* * Register our connection. This turns encryption off because we do * not have a key. @@ -1277,8 +1281,10 @@ main(int ac, char **av) } if ((r = kex_exchange_identification(ssh, -1, - options.version_addendum)) != 0) + options.version_addendum)) != 0) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); sshpkt_fatal(ssh, r, "banner exchange"); + } ssh_packet_set_nonblocking(ssh); @@ -1298,8 +1304,6 @@ main(int ac, char **av) fatal("sshbuf_new loginmsg failed"); auth_debug_reset(); - BLACKLIST_INIT(); - if (privsep_preauth(ssh) != 1) fatal("privsep_preauth failed"); @@ -1425,7 +1429,10 @@ cleanup_exit(int i) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif /* Override default fatal exit value when auth was attempted */ - if (i == 255 && auth_attempted) + if (i == 255 && auth_attempted) { + BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, + "Fatal exit"); _exit(EXIT_AUTH_ATTEMPTED); + } _exit(i); }
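Review bot: in the auth-pam.c sshpam_query() hunk the new string "PAM illegal user" is passed unconditionally, but the error() call two lines below only prints "illegal user " when sshpam_authctxt->valid is false, so this path is also reached for valid users whose PAM conversation failed. Consider mirroring the error() wording, e.g. passing sshpam_authctxt->valid ? "PAM authentication failed" : "PAM illegal user", so blocklistd debug output does not mislabel valid-user failures.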
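Review bot: the auth2.c userauth_finish() hunk removes the per-attempt BLACKLIST_AUTH_FAIL probe, and the auth.c auth_log() hunk adds no failure counterpart to its BLACKLIST_AUTH_OK, so after this patch a failed attempt is reported only when max_authtries is exhausted (auth_maxtries_exceeded), when the grace timer fires, or when cleanup_exit() runs with auth_attempted set. That moves blocklistd accounting from per-attempt to per-connection and is not stated in the commit message; please document it, and confirm that a client which fails once and then disconnects still reaches one of the remaining probes.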
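Review bot: the three notifications added in the monitor.c monitor_child_preauth() hunk each precede a fatal_f() call, and fatal() exits through cleanup_exit(255), where this same patch adds a "Fatal exit" notification whenever auth_attempted is set; please confirm the monitor does not report the same event to blocklistd twice on these paths. The "Too many authentication attempts" probe also overlaps with the new one in auth_maxtries_exceeded() ("Maximum attempts exceeded"); if both stay, use one wording so the two messages can be grouped during log triage.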
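Review bot: the packet.c sshpkt_vfatal() hunk drops the BLACKLIST_AUTH_FAIL probe for failed algorithm negotiation (SSH_ERR_NO_KEX_ALG_MATCH / SSH_ERR_NO_HOSTKEY_ALG_MATCH) with no replacement elsewhere in the patch; the new "Banner exchange" probe in main() fires only when kex_exchange_identification() fails, which is before algorithm negotiation. The commit message does not mention this, so peers that repeatedly fail negotiation will quietly stop feeding blocklistd; either state that this is intended as part of the NetBSD alignment or keep the probe.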
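Review bot: the sshd-session.c grace_alarm_handler() hunk calls BLACKLIST_NOTIFY() from inside a SIGALRM handler; the notification path talks to blocklistd over a socket and is not async-signal-safe. If the rest of the handler is kept signal-safe, prefer setting a flag here and emitting the notification from the normal exit path, which already gets the "Fatal exit" probe in this patch; otherwise note the trade-off in the commit message.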
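Review bot: in the cleanup_exit() hunk the string "Fatal exit" is the least descriptive of the new messages, which works against the commit's stated goal of more descriptive notifications; since this is the catch-all for a connection abandoned after an authentication attempt, consider wording such as "Connection abandoned after authentication attempt" so it is distinguishable from the specific failure probes in auth.c and monitor.c.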