Date:      Wed, 22 Feb 2017 04:15:39 +0000 (UTC)
From:      Kurt Lidl <lidl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r314072 - stable/11/crypto/openssh
Message-ID:  <201702220415.v1M4FdmW051596@repo.freebsd.org>

Author: lidl
Date: Wed Feb 22 04:15:39 2017
New Revision: 314072
URL: https://svnweb.freebsd.org/changeset/base/314072

Log:
  MFC r313965:
  
  Only notify blacklistd for successful logins in auth.c
  
  Before this change, every pass through auth.c resulted in a
  call to blacklist_notify().
  
  In a normal remote login, there would be a failed login flagged for
  the printing of the "xxx login:" prompt, before the remote user
  could enter a password.
  
  If the user successfully entered a good password, then a good login
  would be flagged, and everything would be OK.
  
  If the user entered an incorrect password, there would be another
  failed login flagged in auth1.c (or auth2.c) for the actual bad
  password attempt.  Finally, when sshd got around to issuing the
  second "xxx login:" prompt, there would be yet another failed login
  notice sent to blacklistd.
  
  So, if there was a 3 bad logins limit set (the default), the system
  would actually block the address after the first bad password attempt.
  
  Reported by:	Rick Adams
  Reviewed by:	des
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/crypto/openssh/auth.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/crypto/openssh/auth.c
==============================================================================
--- stable/11/crypto/openssh/auth.c	Wed Feb 22 03:49:46 2017	(r314071)
+++ stable/11/crypto/openssh/auth.c	Wed Feb 22 04:15:39 2017	(r314072)
@@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
 		authmsg = "Partial";
 	else {
 		authmsg = authenticated ? "Accepted" : "Failed";
-		BLACKLIST_NOTIFY(authenticated ?
-		    BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+		if (authenticated)
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
 	}
 
 	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
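Review bot: with the `BLACKLIST_AUTH_FAIL` branch removed from `auth_log()`, the reason failures are no longer reported here (they are already flagged in auth1.c/auth2.c for the actual bad-password attempt, and the probe that triggers the "login:" prompt must not count against the limit) now lives only in the commit message. Consider a one-line comment above `if (authenticated)` saying that failed attempts are reported to blacklistd from the auth method code, so a later reader does not reintroduce the double count. Note also that the `"Partial"` branch, as before, sends no notification at all; if that is intended, the same comment can say so.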