From owner-svn-src-head@freebsd.org Sun Feb 19 23:22:21 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 053E5CE6AB4 for ; Sun, 19 Feb 2017 23:22:21 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: from mail-ua0-x22c.google.com (mail-ua0-x22c.google.com [IPv6:2607:f8b0:400c:c08::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A9F74105A for ; Sun, 19 Feb 2017 23:22:20 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: by mail-ua0-x22c.google.com with SMTP id 35so56039274uak.1 for ; Sun, 19 Feb 2017 15:22:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jQCdeQ5PJdeNDyTc9X10UFNp9SF+R6QbfAljCks+gM4=; b=uwpaXA5DKKyVXsNYvrbrQuhOS6/8+3K8siJK8EhZaIu4vHK9HawwePiEFCEyCclTRk GG6EMRPkRnLFPMn79xWpk2NWF4l7yWLi+E2H1bjNAik/8lbBu1BC4GGUlMZ2lquhtdrj X/9fc+MmlXld7Axwgl9kbLQu2VtTYhh9VXtinnFl0KhqhIupvsvF9gvKw9RQKWHyfN7l 0eH8gdvvsdy1/BfHdUUxSFo7JpFtzGcjWjryR4Y/GOejWK6VxWFgxKlDrLEOs+xuNilm ZKWs8uB0ialEpW+rtI0b6DlkFdUrjBhJaRl2lBa11Rl1xL85q5PzY8vtz7CvR3RMfXe7 BmQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jQCdeQ5PJdeNDyTc9X10UFNp9SF+R6QbfAljCks+gM4=; b=ICYCYBK9tP0vEVu4xKLqpJAJPX7O9vg0w8WejE7m2btZXN7YZq2cw1G5zbmGsRYzs7 dGf8mrGU5+SpeJRiUstdvKMyhtGalM4qXxlUdo0SIrfediGmvk1+TS7QQcBgX7F5Ue5p td19hBap2tGvlHUprkQZUA9brZ/Fntq/QzPEQtix2oOnvvWSKB9u8bVDN3Wv2Uydrk6X K1+6b6dTM8mte2bnJOMJbGybUbUEQWDs10jOEEw+IoyaGCULs0WtapZ2shbNXAC4eQG/ WnNxoZ4QWFk7EwA+Qy2LWjGeUTUFyDa8PtOccqlr+wCtmoDMU/GFMHHvQBD8D1wA9GQa MnxQ== X-Gm-Message-State: AMke39lBuRCIgCDs8Bb99oPSjwYmdPIwPXgKHeGdOOGZnKPD5C5bQ5D8tCaA+LoUvvy2g9m/UkjbznIe6mcs32HV X-Received: by 10.176.75.149 with SMTP id v21mr8497807uaf.94.1487546539761; Sun, 19 Feb 2017 15:22:19 -0800 (PST) MIME-Version: 1.0 Received: by 10.103.45.2 with HTTP; Sun, 19 Feb 2017 15:22:19 -0800 (PST) In-Reply-To: <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org> References: <201702192035.v1JKZdie080791@repo.freebsd.org> <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org> From: Oliver Pinter Date: Mon, 20 Feb 2017 00:22:19 +0100 Message-ID: Subject: Re: svn commit: r313965 - head/crypto/openssh To: lidl@freebsd.org Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Feb 2017 23:22:21 -0000 On 2/20/17, Kurt Lidl wrote: > On 2/19/17 4:42 PM, Oliver Pinter wrote: >> Hello! >> >> On 2/19/17, Kurt Lidl wrote: >>> Author: lidl >>> Date: Sun Feb 19 20:35:39 2017 >>> New Revision: 313965 >>> URL: https://svnweb.freebsd.org/changeset/base/313965 >>> >>> Log: >>> Only notify blacklistd for successful logins in auth.c >> >> What's the rationale behind this change? > > Without this change, every pass through auth.c results in a > call to blacklist_notify(). > > So, in a normal remote login, you'd get a failed > login flagged for the printing of the "xxx login:" prompt, > before the remote user could enter a password. > > If the user successfully entered a good password, > you'd get a good login flagged, and everything would be OK. > > If the user entered an incorrect password, you'd get > another failed login in auth1.c (or auth2.c), and finally, > when sshd got around to issuing the second "xxx login:" > prompt, you'd have yet another failed login notice sent > to blacklistd. > > So, if you had 3 bad logins set to the limit, you'd actually > be blocking the address after the first bad login attempt. > > -Kurt Thanks for the detailed answer. Could you please include these sentences when you MFC this change? > >> >>> >>> Reported by: Rick Adams >>> Reviewed by: des >>> MFC after: 3 days >>> Sponsored by: The FreeBSD Foundation >>> >>> Modified: >>> head/crypto/openssh/auth.c >>> >>> Modified: head/crypto/openssh/auth.c >>> ============================================================================== >>> --- head/crypto/openssh/auth.c Sun Feb 19 19:56:12 2017 (r313964) >>> +++ head/crypto/openssh/auth.c Sun Feb 19 20:35:39 2017 (r313965) >>> @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent >>> authmsg = "Partial"; >>> else { >>> authmsg = authenticated ? "Accepted" : "Failed"; >>> - BLACKLIST_NOTIFY(authenticated ? >>> - BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); >>> + if (authenticated) >>> + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); >>> } >>> >>> authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", >>> _______________________________________________ >>> svn-src-head@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/svn-src-head >>> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" >>> > >