Subject: Re: svn commit: r313965 - head/crypto/openssh
To: Oliver Pinter
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
From: Kurt Lidl
Date: Sun, 19 Feb 2017 18:06:29 -0500
List-Id: SVN commit messages for the src tree for head/-current

On 2/19/17 4:42 PM, Oliver Pinter wrote:
> Hello!
>
> On 2/19/17, Kurt Lidl wrote:
>> Author: lidl
>> Date: Sun Feb 19 20:35:39 2017
>> New Revision: 313965
>> URL: https://svnweb.freebsd.org/changeset/base/313965
>>
>> Log:
>> Only notify blacklistd for successful logins in auth.c
>
> What's the rationale behind this change?

Without this change, every pass through auth.c results in a
call to blacklist_notify(). So, in a normal remote login,
you'd get a failed login flagged for the printing of the
"xxx login:" prompt, before the remote user could enter a
password.

If the user successfully entered a good password, you'd get
a good login flagged, and everything would be OK.

If the user entered an incorrect password, you'd get another
failed login in auth1.c (or auth2.c), and finally, when sshd
got around to issuing the second "xxx login:" prompt, you'd
have yet another failed login notice sent to blacklistd.

So, if you had 3 bad logins set to the limit, you'd actually
be blocking the address after the first bad login attempt.

-Kurt > >> >> Reported by: Rick Adams >> Reviewed by: des >> MFC after: 3 days >> Sponsored by: The FreeBSD Foundation >> >> Modified: >> head/crypto/openssh/auth.c >> >> Modified: head/crypto/openssh/auth.c >> ============================================================================== >> --- head/crypto/openssh/auth.c Sun Feb 19 19:56:12 2017 (r313964) >> +++ head/crypto/openssh/auth.c Sun Feb 19 20:35:39 2017 (r313965) >> @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent >> authmsg = "Partial"; >> else { >> authmsg = authenticated ? "Accepted" : "Failed"; >> - BLACKLIST_NOTIFY(authenticated ? >> - BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); >> + if (authenticated) >> + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); >> } >> >> authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", >> _______________________________________________ >> svn-src-head@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/svn-src-head >> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" >>
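
Review bot: In the else branch of auth_log(), the BLACKLIST_AUTH_FAIL notification is removed outright with no comment saying where failures are now reported, so the new `if (authenticated)` reads as if failed logins are never sent to blacklistd. The reply above says the failure notice comes from auth1.c (or auth2.c); a one-line comment above the `if` stating that would keep a later OpenSSH merge from restoring the ternary and bringing back the over-counting. It is also worth confirming that every failure path that reaches auth_log() passes through one of those notifying call sites, since any that does not will now go unreported.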