From: Kurt Lidl
Reply-To: lidl@FreeBSD.org
To: Oliver Pinter
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r313965 - head/crypto/openssh
Date: Sun, 19 Feb 2017 18:31:32 -0500
References: <201702192035.v1JKZdie080791@repo.freebsd.org> <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org>
List-Id: SVN commit messages for the src tree for head/-current

On 2/19/17 6:22 PM, Oliver Pinter wrote:
> On 2/20/17, Kurt Lidl wrote:
>> On 2/19/17 4:42 PM, Oliver Pinter wrote:
>>> Hello!
>>>
>>> On 2/19/17, Kurt Lidl wrote:
>>>> Author: lidl
>>>> Date: Sun Feb 19 20:35:39 2017
>>>> New Revision: 313965
>>>> URL: https://svnweb.freebsd.org/changeset/base/313965
>>>>
>>>> Log:
>>>>   Only notify blacklistd for successful logins in auth.c
>>>
>>> What's the rationale behind this change?
>>
>> Without this change, every pass through auth.c results in a
>> call to blacklist_notify().
>>
>> So, in a normal remote login, you'd get a failed
>> login flagged for the printing of the "xxx login:" prompt,
>> before the remote user could enter a password.
>>
>> If the user successfully entered a good password,
>> you'd get a good login flagged, and everything would be OK.
>>
>> If the user entered an incorrect password, you'd get
>> another failed login in auth1.c (or auth2.c), and finally,
>> when sshd got around to issuing the second "xxx login:"
>> prompt, you'd have yet another failed login notice sent
>> to blacklistd.
>>
>> So, if you had 3 bad logins set to the limit, you'd actually
>> be blocking the address after the first bad login attempt.
>>
>> -Kurt
>
> Thanks for the detailed answer. Could you please include these
> sentences when you MFC this change?

Sure, I will do that.

-Kurt
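The over-counting Kurt describes is easy to reproduce with a small model. The C program below is an added example written for this page; it is not OpenSSH or blacklistd code. It models one remote login as the phases the thread names (the "login:" prompt, then the real outcome reported from auth1.c/auth2.c) and a blacklistd-like counter that blocks an address once its failure count reaches a threshold. The policy flag, the counter structure and the assumption that a success notification clears the count are all simplifications of this example, not the daemon's actual behaviour.

```c
#include <stdio.h>

/*
 * Constructed model of blacklistd's per-address state: a failure
 * counter, a threshold, and whether the address has been blocked.
 * (Simplified for this example; not the daemon's real data structure.)
 */
struct blacklist_sim {
    int failures;
    int threshold;
    int blocked;
};

/* Model of blacklist_notify(): ok != 0 is a successful login. */
static void notify(struct blacklist_sim *bl, int ok)
{
    if (ok) {
        bl->failures = 0;      /* assumption: success clears the count */
        return;
    }
    if (++bl->failures >= bl->threshold)
        bl->blocked = 1;
}

/*
 * Simulate a remote user who keeps typing wrong passwords.
 * notify_on_prompt != 0 reproduces the pre-r313965 auth.c behaviour
 * described in the thread, where merely printing the "xxx login:"
 * prompt already sent a failure notification.
 *
 * Returns how many wrong passwords the user actually got to enter
 * before blacklistd blocked the address (max_attempts if never).
 */
int wrong_passwords_before_block(int notify_on_prompt, int threshold,
                                 int max_attempts)
{
    struct blacklist_sim bl = { 0, threshold, 0 };
    int wrong = 0;

    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        /* Phase 1: sshd prints the "xxx login:" prompt (auth.c). */
        if (notify_on_prompt)
            notify(&bl, 0);
        if (bl.blocked)
            return wrong;

        /* Phase 2: the user enters a bad password; auth1.c/auth2.c
         * report the genuine failure. */
        wrong++;
        notify(&bl, 0);
        if (bl.blocked)
            return wrong;
    }
    return wrong;
}

/*
 * Same model, but the user types the right password on the first try.
 * Returns 1 if the address ends up blocked, 0 otherwise.
 */
int blocked_after_good_login(int notify_on_prompt, int threshold)
{
    struct blacklist_sim bl = { 0, threshold, 0 };

    if (notify_on_prompt)
        notify(&bl, 0);        /* prompt counted as a failure */
    notify(&bl, 1);            /* auth.c flags the successful login */
    return bl.blocked;
}

int main(void)
{
    printf("limit 3, notify on every auth.c pass: blocked after %d bad password(s)\n",
           wrong_passwords_before_block(1, 3, 10));
    printf("limit 3, notify only on real outcome: blocked after %d bad password(s)\n",
           wrong_passwords_before_block(0, 3, 10));
    return 0;
}
```

With the limit set to 3, the old behaviour blocks the address after a single wrong password (prompt, real failure, second prompt), while notifying only on genuine outcomes needs three wrong passwords, which is what the limit was meant to express. The same pattern applies to any brute-force counter: count authentication outcomes, not protocol steps.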