From owner-svn-src-stable@freebsd.org Wed May 17 14:28:03 2017
Message-Id: <201705171428.v4HES1gZ064583@repo.freebsd.org>
From: Kurt Lidl Date: Wed, 17 May 2017 14:28:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r318402 - stable/11/crypto/openssh X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 May 2017 14:28:03 -0000 Author: lidl Date: Wed May 17 14:28:01 2017 New Revision: 318402 URL: https://svnweb.freebsd.org/changeset/base/318402 Log: MFC r318242: Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Relnotes: yes Sponsored by: The FreeBSD Foundation Modified: stable/11/crypto/openssh/auth-pam.c stable/11/crypto/openssh/auth.c stable/11/crypto/openssh/auth1.c stable/11/crypto/openssh/auth2.c stable/11/crypto/openssh/blacklist.c stable/11/crypto/openssh/blacklist_client.h stable/11/crypto/openssh/packet.c stable/11/crypto/openssh/sshd.c Directory Properties: stable/11/ (props changed) Modified: stable/11/crypto/openssh/auth-pam.c ============================================================================== --- stable/11/crypto/openssh/auth-pam.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/auth-pam.c Wed May 17 14:28:01 2017 (r318402) 
@@ -795,7 +795,8 @@ sshpam_query(void *ctx, char **name, cha free(msg); return (0); } - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, + sshpam_authctxt->user); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Modified: stable/11/crypto/openssh/auth.c ============================================================================== --- stable/11/crypto/openssh/auth.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/auth.c Wed May 17 14:28:01 2017 (r318402) @@ -296,7 +296,7 @@ auth_log(Authctxt *authctxt, int authent else { authmsg = authenticated ? "Accepted" : "Failed"; if (authenticated) - BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh"); } authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", @@ -644,7 +644,7 @@ getpwnamallow(const char *user) } #endif if (pw == NULL) { - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user); logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN Modified: stable/11/crypto/openssh/auth1.c ============================================================================== --- stable/11/crypto/openssh/auth1.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/auth1.c Wed May 17 14:28:01 2017 (r318402) @@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt) char *msg; size_t len; - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); @@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt) else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user); } /* Configuration may have changed as a result of Match */ Modified: stable/11/crypto/openssh/auth2.c ============================================================================== --- stable/11/crypto/openssh/auth2.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/auth2.c Wed May 17 14:28:01 2017 (r318402) @@ -249,7 +249,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif @@ -389,8 +388,10 @@ userauth_finish(Authctxt *authctxt, int /* Allow initial try of "none" auth without failure penalty */ if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { authctxt->failures++; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); + } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); Modified: stable/11/crypto/openssh/blacklist.c ============================================================================== --- stable/11/crypto/openssh/blacklist.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/blacklist.c Wed May 17 14:28:01 2017 (r318402) @@ -46,8 +46,8 @@ #include "log.h" #include "misc.h" #include "servconf.h" -#include "blacklist_client.h" #include +#include "blacklist_client.h" static struct blacklist *blstate = NULL; 
@@ -88,10 +88,10 @@ blacklist_init(void) } void -blacklist_notify(int action) +blacklist_notify(int action, const char *msg) { if (blstate != NULL && packet_connection_is_on_socket()) (void)blacklist_r(blstate, action, - packet_get_connection_in(), "ssh"); + packet_get_connection_in(), msg); } Modified: stable/11/crypto/openssh/blacklist_client.h ============================================================================== --- stable/11/crypto/openssh/blacklist_client.h Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/blacklist_client.h Wed May 17 14:28:01 2017 (r318402) @@ -34,22 +34,26 @@ #ifndef BLACKLIST_CLIENT_H #define BLACKLIST_CLIENT_H +#ifndef BLACKLIST_API_ENUM enum { BLACKLIST_AUTH_OK = 0, - BLACKLIST_AUTH_FAIL + BLACKLIST_AUTH_FAIL, + BLACKLIST_ABUSIVE_BEHAVIOR, + BLACKLIST_BAD_USER }; +#endif #ifdef USE_BLACKLIST void blacklist_init(void); -void blacklist_notify(int); +void blacklist_notify(int, const char *); #define BLACKLIST_INIT() blacklist_init() -#define BLACKLIST_NOTIFY(x) blacklist_notify(x) +#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg) #else #define BLACKLIST_INIT() -#define BLACKLIST_NOTIFY(x) +#define BLACKLIST_NOTIFY(x,msg) #endif Modified: stable/11/crypto/openssh/packet.c ============================================================================== --- stable/11/crypto/openssh/packet.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/packet.c Wed May 17 14:28:01 2017 (r318402) 
@@ -2072,7 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r), Modified: stable/11/crypto/openssh/sshd.c ============================================================================== --- stable/11/crypto/openssh/sshd.c Wed May 17 13:22:13 2017 (r318401) +++ stable/11/crypto/openssh/sshd.c Wed May 17 14:28:01 2017 (r318402) @@ -389,7 +389,7 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } - BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr());
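Review bot: in the auth-pam.c sshpam_query hunk, the new BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, sshpam_authctxt->user) fires on every PAM conversation failure, but the error() call two lines below distinguishes existing from unknown accounts through sshpam_authctxt->valid, so a wrong password for a real user is now reported to blacklistd as a bad username instead of an authentication failure. Suggest keying the action on that same flag: `BLACKLIST_NOTIFY(sshpam_authctxt->valid ? BLACKLIST_AUTH_FAIL : BLACKLIST_BAD_USER, sshpam_authctxt->user);`. The username is also client-supplied and is handed to blacklistd untruncated here, while the adjacent log line caps it with %.100s; worth confirming that libblacklist bounds the message it sends.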
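Review bot: the auth.c hunks are consistent with each other (success reported from auth_log, unknown user reported from getpwnamallow with the attempted name), but note that the getpwnamallow notification becomes the only place a protocol 2 invalid user is reported, because the auth2.c hunk removes the notification in input_userauth_request; the two files have to land together, and the log message should say that the invalid-user event moved rather than being dropped.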
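Review bot: in the auth1.c do_authloop hunk at line 364, the added BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh") sits before the ++authctxt->failures >= options.max_authtries check, so the final attempt that triggers the max-tries disconnect is still counted, which matches the "catch all auth failures" intent. The PAM account-denial path earlier in the same function also reports BLACKLIST_AUTH_FAIL; if control can reach this point after that path, one attempt would be reported twice, so a short comment stating which of the two is expected to fire would help the next reader.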
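Review bot: in the auth2.c userauth_finish hunk, placing the notification inside the failures++ block is the right call: it inherits the existing exemption for the initial "none" probe, for partial successes and for server_caused_failure, so a legitimate client's first method query is not reported to blacklistd. A one-line comment on the new braces saying the notification must stay in lockstep with failures++ would stop a later refactor from separating the two.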
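Review bot: in the blacklist.c include hunk, moving `#include "blacklist_client.h"` after the system blacklist header is load-bearing, since blacklist_client.h now skips its fallback enum when BLACKLIST_API_ENUM is already defined; a comment next to the include saying the order matters would keep a future sort-the-includes cleanup from reintroducing duplicate enumerators. In the blacklist_notify hunk, msg is forwarded straight to blacklist_r; every caller in this commit passes a non-NULL string, but either a NULL check or a comment stating that contract would be cheap insurance.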
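Review bot: in the blacklist_client.h hunk, the #ifndef BLACKLIST_API_ENUM guard turns the local enum into a fallback for older library headers, so the four values listed here (BLACKLIST_AUTH_OK, BLACKLIST_AUTH_FAIL, BLACKLIST_ABUSIVE_BEHAVIOR, BLACKLIST_BAD_USER) must match the library's order exactly or sshd will silently send the wrong action codes; a comment stating that this list mirrors libblacklist's enum and must be kept in sync would make that dependency visible. The no-op `#define BLACKLIST_NOTIFY(x,msg)` in the !USE_BLACKLIST branch discards the msg expression unevaluated, which is fine for the current callers because all of them pass side-effect-free arguments.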
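Review bot: in the packet.c sshpkt_fatal hunk, a KEX or host-key algorithm mismatch is still reported as BLACKLIST_AUTH_FAIL even though no authentication was attempted; now that the enum carries BLACKLIST_ABUSIVE_BEHAVIOR, consider whether this case should use a distinct action or at least be documented, since an outdated but legitimate client that retries with an unsupported algorithm set would accumulate auth-failure counts in blacklistd.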
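Review bot: in the sshd.c grace_alarm_handler hunk, the notification is issued from inside a SIGALRM handler; blacklist_notify calls blacklist_r, which sends a message to blacklistd over a socket, and that is not async-signal-safe. The handler already calls sigdie under the same constraint, so the issue predates this change, but a comment acknowledging it next to the call would be appropriate.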