From nobody Tue Jan 20 19:43:39 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dwd6h3cmmz6P3LC
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Tue, 20 Jan 2026 19:43:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4dwd6g6D1Xz3t3N
	for <dev-commits-src-all@FreeBSD.org>; Tue, 20 Jan 2026 19:43:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1768938220;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=aT8C5SeESpw084hcqTPaZ/CNXU2SkeW6yBZc+wStxPU=;
	b=eJTZ+B2PoTMXU0rGUIk6uloaawNWctc9hU8DYhxN6lbfTBwgxwJRmp9z0SClvaNjTNgqxp
	3wbFlNazOIhzoqUe5gaBv9q1Tf0ityEOiYq+S38ARZhTwjBha6NGRssUiljXVofBc4Qmdr
	FL5xynMF6yb+b1fWvzQD8aV5Wx9q5kq0d+Hux+oXPhrHzGHs4zU24Q1Vo0WXu4ucLRpbdu
	ftnUm3nRP6mB7hnngfRi1VQuF809ErWtJ0t3QPMHNlDuCmv2OkE4lmnoth7ZUDbG7kHGlE
	fdCLxq1j0tUsN3ZjflYUy1gQmcaP3SNB1vq+0Hw7JSZkfZeQYJoGd1aUe/uoog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1768938220;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=aT8C5SeESpw084hcqTPaZ/CNXU2SkeW6yBZc+wStxPU=;
	b=ni+CXez9ycGMFWszCn8VKOettBC9y5/wUSoNkR6oQ2GGfBF8Tlf0MY10tB2ldrdP7BFtes
	Z4/kvXz1iSBfYMeUIwPMuiwkRu7WIpRRrxvIsHQztMDKg0lpB8wLqaOoMUZ/4fjCYxH5tV
	iuMyJqBhveos0/t8DDUplp0ZMdq1Q7SSQLTdifEvulAAaRM36wU/UCwYI0z3tTXIzoWEPj
	KCVBLcaXRz9rETVs9J8gIHdHCAwU9ZrS8EZRznljOSQWwfFbqGb3F1sJGJwkyMEJ5KsOIN
	TjrjSBltVPj9YWrkbpRd1Rj94EwhP4pwJwv8Ug3w0C3A2lgEr5s/s6tTvd7Q/Q==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1768938220; a=rsa-sha256; cv=none;
	b=VpDZQ1GPyPzq/3azym4ViFkcMPN3K0jP3cCE3SnBBQiPxdcugcgX3jXp1EbYoNkbAnycd/
	Q8jsUqYChTsfgUlbG5XloT4yx4Z+TOjPzU8VAU7h2n4CHuMUjruRrjsS7al7hmL7XT9dCI
	+UW6NMdMucmhJ+fDLrByQY7MUncddrI90dQA3AnQl2iZsXjfpUJcorhR+XVCZ8KfFBbVXt
	DwiuYgZb7oIoEsrMbNY3bea/r2oD5Or2rCcokxzOKR4x00qsLWo8pvS8HGC6gTkPItyN4f
	eobCpep7zHp9iYq5+1aZClZub0t18scBpdQeid0kXQNsp9tzOcdoOVhY099eyg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dwd6g5KdRz1K2
	for <dev-commits-src-all@FreeBSD.org>; Tue, 20 Jan 2026 19:43:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id c744
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Tue, 20 Jan 2026 19:43:39 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Jose Luis Duran <jlduran@FreeBSD.org>
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: e5e98c244fe9 - stable/14 - openssh: blocklist: Use NetBSD probes
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: e5e98c244fe9889db7efb6789a2d0bd2ca1d151b
Auto-Submitted: auto-generated
Date: Tue, 20 Jan 2026 19:43:39 +0000
Message-Id: <696fdaeb.c744.1c6512bb@gitrepo.freebsd.org>

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=e5e98c244fe9889db7efb6789a2d0bd2ca1d151b

commit e5e98c244fe9889db7efb6789a2d0bd2ca1d151b
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-09-29 16:32:36 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-01-20 19:42:08 +0000

    openssh: blocklist: Use NetBSD probes
    
    Use NetBSD probe locations for consistency.  We have submitted all
    improved or missing probes, keeping them synchronized with NetBSD (our
    blocklist upstream) should simplify upgrades and maintenance, as the
    locations of these probes are a moving target, depending on upstream
    OpenSSH changes.
    
    Additionally, use BLACKLIST_AUTH_FAIL exclusively for now.  At the time
    of this commit BLACKLIST_BAD_USER, is a no-op.  However, it will change
    in a future upgrade.
    
    Also, enhance blacklist notification messages for better debugging by
    making them more descriptive.
    
    Reviewed by:    emaste
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D52749
    
    (cherry picked from commit e02003bce726333872d65b7b9a1557d97b6d91a0)
    (cherry picked from commit 53dc967db74fba0d7b5bed413a7bc3216f16c55d)
    (cherry picked from commit 9c82c17c2a3ac61a69cb5337cb6f92ae88bc0b08)
    (cherry picked from commit 7161c525abffe6cdb19ac01223d058fcbabf49c5)
---
 crypto/openssh/auth-pam.c     |  4 ++--
 crypto/openssh/auth.c         |  6 ++++--
 crypto/openssh/auth2.c        |  5 +----
 crypto/openssh/monitor.c      | 14 ++++++++++++--
 crypto/openssh/packet.c       |  2 --
 crypto/openssh/sshd-session.c | 13 +++++++++----
 6 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index f95f6abbcbe0..df08dbd99a9d 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -937,8 +937,8 @@ sshpam_query(void *ctx, char **name, char **info,
 				sshbuf_free(buffer);
 				return (0);
 			}
-			BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER,
-			    sshpam_authctxt->user);
+			BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
+			    "PAM illegal user");
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user, sshpam_rhost);
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index 961082b76667..0a1c8f71b390 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -289,7 +289,8 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 	else {
 		authmsg = authenticated ? "Accepted" : "Failed";
 		if (authenticated)
-			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
+			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
+			    "Authenticated");
 	}
 
 	if ((extra = format_method_key(authctxt)) == NULL) {
@@ -338,6 +339,7 @@ auth_maxtries_exceeded(struct ssh *ssh)
 {
 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
 
+	BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
 	error("maximum authentication attempts exceeded for "
 	    "%s%.100s from %.200s port %d ssh2",
 	    authctxt->valid ? "" : "invalid user ",
@@ -498,7 +500,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 	aix_restoreauthdb();
 #endif
 	if (pw == NULL) {
-		BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
+		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user");
 		logit("Invalid user %.100s from %.100s port %d",
 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index eac1d26a4aaf..82f6e6211259 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,7 +52,6 @@
 #include "dispatch.h"
 #include "pathnames.h"
 #include "ssherr.h"
-#include "blacklist_client.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -443,10 +442,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 	} else {
 		/* Allow initial try of "none" auth without failure penalty */
 		if (!partial && !authctxt->server_caused_failure &&
-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
 			authctxt->failures++;
-			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
-		}
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 2179553d3401..b826ecdb9065 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -85,6 +85,8 @@
 #include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
+#include "blacklist_client.h"
+
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -353,16 +355,24 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 			}
 		}
 		if (authctxt->failures > options.max_authtries) {
+			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+			    "Too many authentication attempts");
 			/* Shouldn't happen */
 			fatal_f("privsep child made too many authentication "
 			    "attempts");
 		}
 	}
 
-	if (!authctxt->valid)
+	if (!authctxt->valid) {
+		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+		    "Authenticated invalid user");
 		fatal_f("authenticated invalid user");
-	if (strcmp(auth_method, "unknown") == 0)
+	}
+	if (strcmp(auth_method, "unknown") == 0) {
+		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+		    "Authentication method name unknown");
 		fatal_f("authentication method name unknown");
+	}
 
 	debug_f("user %s authenticated by privileged process", authctxt->user);
 	auth_attempted = 0;
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index cc114c837e31..9dea2cfc5188 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -96,7 +96,6 @@
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
-#include "blacklist_client.h"
 
 #ifdef PACKET_DEBUG
 #define DBG(x) x
@@ -2022,7 +2021,6 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap)
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh->kex && ssh->kex->failed_choice) {
-			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
 			ssh_packet_clear_keys(ssh);
 			errno = oerrno;
 			logdie("Unable to negotiate with %s: %s. "
diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c
index 902718524279..5d677a1968d1 100644
--- a/crypto/openssh/sshd-session.c
+++ b/crypto/openssh/sshd-session.c
@@ -1201,6 +1201,8 @@ main(int ac, char **av)
 	ssh_signal(SIGCHLD, SIG_DFL);
 	ssh_signal(SIGINT, SIG_DFL);
 
+	BLACKLIST_INIT();
+
 	/*
 	 * Register our connection.  This turns encryption off because we do
 	 * not have a key.
@@ -1277,8 +1279,10 @@ main(int ac, char **av)
 	}
 
 	if ((r = kex_exchange_identification(ssh, -1,
-	    options.version_addendum)) != 0)
+	    options.version_addendum)) != 0) {
+		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
 		sshpkt_fatal(ssh, r, "banner exchange");
+	}
 
 	ssh_packet_set_nonblocking(ssh);
 
@@ -1298,8 +1302,6 @@ main(int ac, char **av)
 		fatal("sshbuf_new loginmsg failed");
 	auth_debug_reset();
 
-	BLACKLIST_INIT();
-
 	if (privsep_preauth(ssh) != 1)
 		fatal("privsep_preauth failed");
 
@@ -1425,7 +1427,10 @@ cleanup_exit(int i)
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 	/* Override default fatal exit value when auth was attempted */
-	if (i == 255 && auth_attempted)
+	if (i == 255 && auth_attempted) {
+		BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+		    "Fatal exit");
 		_exit(EXIT_AUTH_ATTEMPTED);
+	}
 	_exit(i);
 }