Date: Tue, 17 Nov 2020 01:45:12 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r555531 - in head/security/openssh-portable: . files Message-ID: <202011170145.0AH1jCde036160@repo.freebsd.org>
Author: bdrewery Date: Tue Nov 17 01:45:11 2020 New Revision: 555531 URL: https://svnweb.freebsd.org/changeset/ports/555531 Log: - Add blacklistd(8) support. This differs slightly from base as it uses the current NetBSD hook points. This is off-by-default as it needs testing and has issues that may cause crashes. One such issue is the use of private bl_create() symbol from libblacklist. It is also unclear if the hook points are sufficient or proper after the libssh refactoring in 8.x. PR: 223628 (patch rewritten as it no longer applied) Added: head/security/openssh-portable/files/extra-patch-blacklistd (contents, props changed) Modified: head/security/openssh-portable/Makefile Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Tue Nov 17 01:34:15 2020 (r555530) +++ head/security/openssh-portable/Makefile Tue Nov 17 01:45:11 2020 (r555531) @@ -40,7 +40,7 @@ gssapi_PKGNAMESUFFIX= -portable-gssapi OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN KERB_GSSAPI \ - LDNS NONECIPHER XMSS FIDO_U2F + LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER @@ -61,6 +61,7 @@ MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) +BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes @@ -89,6 +90,8 @@ FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key +BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd + ETCDIR?= ${PREFIX}/etc/ssh .include <bsd.port.pre.mk> 
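Review bot: `BLACKLISTD_DESC= FreeBSD blacklistd(8) support` gives the `make config` user no hint of the state the commit message describes (off by default, untested, possible crashes through the private `bl_create()` symbol), while the neighbouring `XMSS_DESC` marks its option `(experimental)`. `BLACKLISTD_DESC= FreeBSD blacklistd(8) support (experimental)` would keep the options dialog consistent with that warning until the hook points are confirmed. The option also relies on the base system's libblacklist with no OSVERSION or `${OPSYS}` guard (the `-lblacklist` addition is in the next hunk), so on a platform without it the failure surfaces as a link error rather than an IGNORE message.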
@@ -113,6 +116,10 @@ GSSAPI_UPDATE_DATE= 20200607 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex .endif +.if ${PORT_OPTIONS:MBLACKLISTD} +CONFIGURE_LIBS+= -lblacklist +.endif + # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} #BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. @@ -196,6 +203,9 @@ post-patch: post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h + +post-configure-BLACKLISTD-on: + @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/moduli \ Added: head/security/openssh-portable/files/extra-patch-blacklistd ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-blacklistd Tue Nov 17 01:45:11 2020 (r555531) 
@@ -0,0 +1,428 @@ +--- blacklist.c.orig 2020-11-16 16:45:24.799150000 -0800 ++++ blacklist.c 2020-11-16 16:45:20.000470000 -0800 +@@ -0,0 +1,92 @@ ++/*- ++ * Copyright (c) 2015 The NetBSD Foundation, Inc. ++ * Copyright (c) 2016 The FreeBSD Foundation, Inc. ++ * All rights reserved. ++ * ++ * Portions of this software were developed by Kurt Lidl ++ * under sponsorship from the FreeBSD Foundation. ++ * ++ * This code is derived from software contributed to The NetBSD Foundation ++ * by Christos Zoulas. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED ++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS ++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. 
++ */
++
++#include "includes.h"
++
++#include <ctype.h>
++#include <stdarg.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <syslog.h>
++#include <unistd.h>
++
++#include "ssh.h"
++#include "packet.h"
++#include "log.h"
++#include "misc.h"
++#include <blacklist.h>
++#include "blacklist_client.h"
++
++static struct blacklist *blstate = NULL;
++
++/* internal definition from bl.h */
++struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
++
++/* impedence match vsyslog() to sshd's internal logging levels */
++void
++im_log(int priority, const char *message, va_list args)
++{
++ LogLevel imlevel;
++
++ switch (priority) {
++ case LOG_ERR:
++ imlevel = SYSLOG_LEVEL_ERROR;
++ break;
++ case LOG_DEBUG:
++ imlevel = SYSLOG_LEVEL_DEBUG1;
++ break;
++ case LOG_INFO:
++ imlevel = SYSLOG_LEVEL_INFO;
++ break;
++ default:
++ imlevel = SYSLOG_LEVEL_DEBUG2;
++ }
++ do_log(imlevel, message, args);
++}
++
++void
++blacklist_init(void)
++{
++
++ blstate = bl_create(false, NULL, im_log);
++}
++
++void
++blacklist_notify(int action, struct ssh *ssh, const char *msg)
++{
++
++ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
++ (void)blacklist_r(blstate, action,
++ ssh_packet_get_connection_in(ssh), msg);
++}
+--- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800
++++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800
+@@ -0,0 +1,61 @@
++/*-
++ * Copyright (c) 2015 The NetBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * All rights reserved.
++ *
++ * Portions of this software were developed by Kurt Lidl
++ * under sponsorship from the FreeBSD Foundation.
++ *
++ * This code is derived from software contributed to The NetBSD Foundation
++ * by Christos Zoulas.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. 
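Review bot: blacklist.c hand-declares libblacklist's internal `bl_create()` instead of taking a prototype from <blacklist.h>, so any change to that private signature compiles silently and `blacklist_init()` would then call it with mismatched arguments — the commit message already lists this as a possible crash source. Until a configure-time probe for the symbol exists, the public `blacklist_open()` (if its syslog-based logging is acceptable in place of the `im_log` level mapping) avoids depending on an internal ABI at all. `im_log` is referenced only from this file and should be `static void im_log(int priority, const char *message, va_list args)`, with its comment spelt "impedance". `blacklist_notify()` dereferences `ssh` via `ssh_packet_connection_is_on_socket(ssh)` without checking it, while the sshd.c hunk on this page passes the global `the_active_state`; making `if (blstate == NULL || ssh == NULL) return;` the first statement keeps the helper safe for every caller.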
Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED ++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS ++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#ifndef BLACKLIST_CLIENT_H ++#define BLACKLIST_CLIENT_H ++ ++#ifndef BLACKLIST_API_ENUM ++enum { ++ BLACKLIST_AUTH_OK = 0, ++ BLACKLIST_AUTH_FAIL, ++ BLACKLIST_ABUSIVE_BEHAVIOR, ++ BLACKLIST_BAD_USER ++}; ++#endif ++ ++#ifdef USE_BLACKLIST ++void blacklist_init(void); ++void blacklist_notify(int, struct ssh *, const char *); ++ ++#define BLACKLIST_INIT() blacklist_init() ++#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) ++ ++#else ++ ++#define BLACKLIST_INIT() ++#define BLACKLIST_NOTIFY(x, ssh, msg) ++ ++#endif ++ ++ ++#endif /* BLACKLIST_CLIENT_H */ +--- servconf.c.orig 2020-11-16 15:52:13.175438000 -0800 ++++ servconf.c 2020-11-16 15:52:15.812142000 -0800 +@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options) + options->max_sessions = -1; + options->banner = NULL; + options->use_dns = -1; ++ options->use_blacklist = -1; + options->client_alive_interval = -1; + options->client_alive_count_max = -1; + options->num_authkeys_files = 0; +@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options) + options->max_sessions = DEFAULT_SESSIONS_MAX; + if (options->use_dns == -1) + options->use_dns = 0; ++ if (options->use_blacklist == -1) ++ options->use_blacklist = 0; + if (options->client_alive_interval == -1) + options->client_alive_interval = 0; + if (options->client_alive_count_max == -1) +@@ -528,6 +531,7 @@ typedef enum { + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, + sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, + sBanner, sUseDNS, sHostbasedAuthentication, ++ sUseBlacklist, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sHostKeyAlgorithms, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, +@@ -658,6 +662,8 @@ static struct { + { "maxsessions", sMaxSessions, SSHCFG_ALL }, + { "banner", sBanner, SSHCFG_ALL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, ++ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, ++ { "useblocklist", 
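Review bot: blacklist_client.h uses `struct ssh *` in the `blacklist_notify()` prototype without declaring the tag, so the header is only correct when a header that defines `struct ssh` (packet.h or ssh.h) has been included first; in any other order the tag is scoped to the prototype, the compiler warns, and the real `struct ssh` is a different type. Every hunk on this page does add the include at the end of an existing list, which is why it builds today, but `struct ssh;` placed before the `#ifdef USE_BLACKLIST` block makes the header self-contained regardless of include order. The disabled `#define BLACKLIST_NOTIFY(x, ssh, msg)` expands to nothing, which is fine for the current call sites since none of their arguments have side effects; a `do { } while (0)` body would keep it a statement if that ever changes.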
sUseBlacklist, SSHCFG_GLOBAL } /* alias */, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, + { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, +@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option + intptr = &options->use_dns; + goto parse_flag; + ++ case sUseBlacklist: ++ intptr = &options->use_blacklist; ++ goto parse_flag; ++ + case sLogFacility: + log_facility_ptr = &options->log_facility; + arg = strdelim(&cp); +@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sCompression, o->compression); + dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); + dump_cfg_fmtint(sUseDNS, o->use_dns); ++ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); + dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); +--- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 ++++ servconf.h 2020-11-16 15:51:02.962173000 -0800 +@@ -179,6 +179,7 @@ typedef struct { + int max_sessions; + char *banner; /* SSH-2 banner message */ + int use_dns; ++ int use_blacklist; + int client_alive_interval; /* + * poke the client this often to + * see if it's still there +--- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 ++++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 +@@ -105,6 +105,7 @@ extern char *__progname; + #include "ssh-gss.h" + #endif + #include "monitor_wrap.h" ++#include "blacklist_client.h" + + extern ServerOptions options; + extern struct sshbuf *loginmsg; +@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, + sshbuf_free(buffer); + return (0); + } ++ /* XXX: ssh context unavailable here, unclear if this is even needed. ++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ++ the_active_state, sshpam_authctxt->user); ++ */ + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? 
"" : "illegal user ", + sshpam_authctxt->user, sshpam_rhost); +--- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 ++++ auth.c 2020-11-16 15:57:51.091969000 -0800 +@@ -76,6 +76,7 @@ + #include "ssherr.h" + #include "compat.h" + #include "channels.h" ++#include "blacklist_client.h" + + /* import */ + extern ServerOptions options; +@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti + authmsg = "Postponed"; + else if (partial) + authmsg = "Partial"; +- else ++ else { + authmsg = authenticated ? "Accepted" : "Failed"; ++ if (authenticated) ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); ++ } + + if ((extra = format_method_key(authctxt)) == NULL) { + if (authctxt->auth_method_info != NULL) +@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) + aix_restoreauthdb(); + #endif + if (pw == NULL) { ++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); + logit("Invalid user %.100s from %.100s port %d", + user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); + #ifdef CUSTOM_FAILED_LOGIN +--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 ++++ auth2.c 2020-11-16 17:12:04.852943000 -0800 +@@ -58,6 +58,7 @@ + #endif + #include "monitor_wrap.h" + #include "digest.h" ++#include "blacklist_client.h" + + /* import */ + extern ServerOptions options; +@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct + } else { + /* Invalid user, fake password information */ + authctxt->pw = fakepw(); ++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); + #ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); + #endif +@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co + } else { + /* Allow initial try of "none" auth without failure penalty */ + if (!partial && !authctxt->server_caused_failure && +- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) ++ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { + authctxt->failures++; ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); ++ 
}
+ if (authctxt->failures >= options.max_authtries) {
+ #ifdef SSH_AUDIT_EVENTS
+ PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
+--- packet.c.orig 2020-11-16 15:52:45.839070000 -0800
++++ packet.c 2020-11-16 15:56:09.285418000 -0800
+@@ -96,6 +96,7 @@
+ #include "packet.h"
+ #include "ssherr.h"
+ #include "sshbuf.h"
++#include "blacklist_client.h"
+ 
+ #ifdef PACKET_DEBUG
+ #define DBG(x) x
+@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
+ case SSH_ERR_NO_KEX_ALG_MATCH:
+ case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
+ if (ssh && ssh->kex && ssh->kex->failed_choice) {
++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ ssh_packet_clear_keys(ssh);
+ errno = oerrno;
+ logdie("Unable to negotiate with %s: %s. "
+--- sshd.c.orig 2020-11-16 15:52:45.846609000 -0800
++++ sshd.c 2020-11-16 15:56:34.401305000 -0800
+@@ -131,6 +131,7 @@
+ #include "version.h"
+ #include "ssherr.h"
+ #include "sk-api.h"
++#include "blacklist_client.h"
+ 
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
+ kill(0, SIGTERM);
+ }
+ 
++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");
++
+ /* XXX pre-format ipaddr/port so we don't need to access active_state */
+ /* Log error and exit. 
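Review bot: An unknown login name is reported as BLACKLIST_BAD_USER twice: getpwnamallow() (auth.c hunk above) notifies when `pw == NULL`, and input_userauth_request() then takes its `else` branch for the same request and notifies again — under privilege separation once from the monitor and once from the preauth child, without it twice from the same process. How much that matters depends on the weight blacklistd(8) gives BL_BADUSER, which is not visible here, but only one hook should report; the input_userauth_request() hook is the more general one (it also fires for a wrong service name), so the getpwnamallow() call is the one to drop. The auth.c hook also passes the client-supplied `user` as the message while every other site uses the fixed tag "ssh"; unless blacklistd is known to escape the message before logging it, `BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");` keeps attacker-controlled bytes out of its log path and matches the other hooks. input_userauth_request() and userauth_finish() both extend beyond their hunks.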
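Review bot: The notify added in sshpkt_vfatal() reports a failed KEX or host-key algorithm negotiation as BLACKLIST_AUTH_FAIL, the same event as a wrong password, although nothing has been authenticated yet and the peer may simply be an old client, a scanner or a monitoring probe that cannot speak the configured algorithms; each such connection counts towards the blacklistd(8) threshold and will eventually block a host that never guessed a credential. If that is the intended policy it should be spelled out in the UseBlacklist text in sshd_config.5 (what counts as a failure), otherwise the call should be dropped or moved to a separate action so operators can tune it. The enclosing `switch` and the rest of sshpkt_vfatal() lie outside the hunk.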
*/
+ sigdie("Timeout before authentication for %s port %d",
+@@ -2290,6 +2293,9 @@ main(int ac, char **av)
+ if ((loginmsg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ auth_debug_reset();
++
++ if (options.use_blacklist)
++ BLACKLIST_INIT();
+ 
+ if (use_privsep) {
+ if (privsep_preauth(ssh) == 1)
+--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800
++++ Makefile.in 2020-11-16 16:28:28.083007000 -0800
+@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS)
+ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ @UNSUPPORTED_ALGORITHMS@
+ 
++LIBSSH_OBJS+= blacklist.o
++
+ all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ 
+ $(LIBSSH_OBJS): Makefile.in config.h
+--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800
++++ sshd_config 2020-11-16 16:57:42.183846000 -0800
+@@ -94,6 +94,7 @@
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
++#UseBlacklist no
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
+--- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800
++++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800
+@@ -1703,6 +1703,20 @@ for authentication using
+ .Cm TrustedUserCAKeys .
+ For more details on certificates, see the CERTIFICATES section in
+ .Xr ssh-keygen 1 .
++.It Cm UseBlacklist
++Specifies whether
++.Xr sshd 8
++attempts to send authentication success and failure messages
++to the
++.Xr blacklistd 8
++daemon.
++The default is
++.Cm no .
++For forward compatibility with an upcoming
++.Xr blacklistd
++rename, the
++.Cm UseBlocklist
++alias can be used instead.
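Review bot: `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh")` runs inside the SIGALRM handler grace_alarm_handler(), where libblacklist will perform socket I/O and, on error, call back into `im_log` and sshd's `do_log()`; none of that is async-signal-safe, and if the alarm fires while the main flow is already inside blacklist_r() or the logging code the shared handle and log state are re-entered. The handler already accepts this class of risk for sigdie() (hence the XXX comment about pre-formatting ipaddr/port), so the choice is either to document the new call under the same caveat, e.g. `/* XXX not async-signal-safe, same caveat as sigdie() below */`, or to drop it, since a peer that never completes authentication is not a credential guess and is also not counted by the other hooks. `the_active_state` is passed without a NULL check and blacklist_notify() dereferences it, so it is worth confirming the alarm is only armed after the connection state exists. grace_alarm_handler() ends outside the hunk.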
+ .It Cm UseDNS
+ Specifies whether
+ .Xr sshd 8
+--- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800
++++ monitor.c 2020-11-16 17:25:57.642510000 -0800
+@@ -96,6 +96,7 @@
+ #include "match.h"
+ #include "ssherr.h"
+ #include "sk-api.h"
++#include "blacklist_client.h"
+ 
+ #ifdef GSSAPI
+ static Gssctxt *gsscontext = NULL;
+@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
+ if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ auth_log(ssh, authenticated, partial,
+ auth_method, auth_submethod);
+- if (!partial && !authenticated)
++ if (!partial && !authenticated) {
+ authctxt->failures++;
++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
++ ssh, "ssh");
++ }
+ if (authenticated || partial) {
+ auth2_update_session_info(authctxt,
+ auth_method, auth_submethod);
+@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
+ } else {
+ /* Log failed attempt */
+ auth_log(ssh, 0, 0, auth_method, NULL);
++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ free(cuser);
+ free(chost);
+ }
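Review bot: With privilege separation (the default) one failed attempt is now reported to blacklistd(8) twice: monitor_child_preauth() sends BLACKLIST_AUTH_FAIL when it increments `authctxt->failures`, and the preauth child sends it again for the same attempt in userauth_finish() (auth2.c hunk above); both processes hold an initialized `blstate` because `BLACKLIST_INIT()` in sshd.c main() runs before `privsep_preauth()` forks. The mm_answer_keyallowed() notify has the same effect for a rejected public key, which the child also reaches userauth_finish() with `authenticated == 0` for. Each notification is a BL_ADD, so the effective blacklistd threshold is roughly halved relative to MaxAuthTries; report from one side only — keeping the child's userauth_finish() hook (it also covers the non-privsep case) and dropping both monitor.c notifies, provided the sandboxed child can still send on the inherited socket, otherwise keep the monitor side and drop the child's. monitor_child_preauth() and mm_answer_keyallowed() both extend beyond their hunks.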