Subject: Re: svn commit: r313965 - head/crypto/openssh
From: Ian Lepore
To: lidl@FreeBSD.org, Oliver Pinter
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Sun, 19 Feb 2017 16:18:19 -0700

On Sun, 2017-02-19 at 18:06 -0500, Kurt Lidl wrote:
> On 2/19/17 4:42 PM, Oliver Pinter wrote:
> >
> > Hello!
> >
> > On 2/19/17, Kurt Lidl wrote:
> > >
> > > Author: lidl
> > > Date: Sun Feb 19 20:35:39 2017
> > > New Revision: 313965
> > > URL: https://svnweb.freebsd.org/changeset/base/313965
> > >
> > > Log:
> > >   Only notify blacklistd for successful logins in auth.c
> > What's the rationale behind this change?
> Without this change, every pass through auth.c results in a
> call to blacklist_notify().
>
> So, in a normal remote login, you'd get a failed
> login flagged for the printing of the "xxx login:" prompt,
> before the remote user could enter a password.
>
> If the user successfully entered a good password,
> you'd get a good login flagged, and everything would be OK.
>
> If the user entered an incorrect password, you'd get
> another failed login in auth1.c (or auth2.c), and finally,
> when sshd got around to issuing the second "xxx login:"
> prompt, you'd have yet another failed login notice sent
> to blacklistd.
>
> So, if you had 3 bad logins set to the limit, you'd actually
> be blocking the address after the first bad login attempt.
>
> -Kurt
>

I would contend that this explanation, exactly as written, should have
been part of the commit message.  It's a perfect example of explaining
*why* a change was made, instead of just saying what was changed.

-- Ian

> > >
> > >   Reported by: Rick Adams
> > >   Reviewed by: des
> > >   MFC after: 3 days
> > >   Sponsored by: The FreeBSD Foundation
> > >
> > > Modified:
> > >   head/crypto/openssh/auth.c
> > >
> > > Modified: head/crypto/openssh/auth.c
> > > =================================================================
> > > =============
> > > --- head/crypto/openssh/auth.c Sun Feb 19 19:56:12 2017 > > > (r313964) > > > +++ head/crypto/openssh/auth.c Sun Feb 19 20:35:39 2017 > > > (r313965) > > > @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent > > >   authmsg = "Partial"; > > >   else { > > >   authmsg = authenticated ? "Accepted" : "Failed"; > > > - BLACKLIST_NOTIFY(authenticated ? > > > -     BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); > > > + if (authenticated) > > > + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); > > >   } > > > > > >   authlog("%s %s%s%s for %s%.100s from %.200s port %d > > > %s%s%s",
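
Review bot: In the else branch of auth_log(), the new "if (authenticated)" drops the only BLACKLIST_AUTH_FAIL report visible in this function, and nothing in the code says where failures are reported instead. The thread explains that failed logins are already flagged from auth1.c (or auth2.c); a short comment to that effect above the "if" would keep a later reader from re-adding the failure notification here and restoring the over-counting. It is also worth confirming that every failure path which reaches auth_log() passes through one of those other call sites, since any that does not will no longer be counted by blacklistd at all. Minor style point: the expansion of BLACKLIST_NOTIFY is not visible in this hunk, so bracing the body of the new "if" would keep it safe if the macro ever expands to more than one statement.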