From: Kurt Lidl <lidl@FreeBSD.org>
Date: Tue, 30 Aug 2016 14:09:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r305065 - in head: crypto/openssh secure/usr.sbin/sshd

Author: lidl
Date: Tue Aug 30 14:09:24 2016
New Revision: 305065

URL: https://svnweb.freebsd.org/changeset/base/305065

Log:
  Add refactored blacklist support to sshd

  Change the calls to blacklist_init() and blacklist_notify to be macros
  defined in the blacklist_client.h file. This avoids the need for
  #ifdef USE_BLACKLIST / #endif except in the blacklist.c file.

  Remove redundant initialization attempts from within blacklist_notify -
  everything always goes through blacklistd_init().

  Added UseBlacklist option to sshd, which defaults to off. To enable the
  functionality, use '-o UseBlacklist=yes' on the command line, or
  uncomment in the sshd_config file.
Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 Added: head/crypto/openssh/blacklist.c (contents, props changed) head/crypto/openssh/blacklist_client.h (contents, props changed) Modified: head/crypto/openssh/auth-pam.c head/crypto/openssh/auth.c head/crypto/openssh/auth1.c head/crypto/openssh/auth2.c head/crypto/openssh/packet.c head/crypto/openssh/servconf.c head/crypto/openssh/servconf.h head/crypto/openssh/sshd.c head/crypto/openssh/sshd_config head/crypto/openssh/sshd_config.5 head/secure/usr.sbin/sshd/Makefile head/secure/usr.sbin/sshd/Makefile.depend Modified: head/crypto/openssh/auth-pam.c ============================================================================== --- head/crypto/openssh/auth-pam.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/auth-pam.c Tue Aug 30 14:09:24 2016 (r305065) @@ -98,6 +98,7 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "blacklist_client.h" extern ServerOptions options; extern Buffer loginmsg; @@ -794,6 +795,7 @@ sshpam_query(void *ctx, char **name, cha free(msg); return (0); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Modified: head/crypto/openssh/auth.c ============================================================================== --- head/crypto/openssh/auth.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/auth.c Tue Aug 30 14:09:24 2016 (r305065) @@ -75,6 +75,7 @@ __RCSID("$FreeBSD$"); #include "authfile.h" #include "ssherr.h" #include "compat.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; 
@@ -292,8 +293,11 @@ auth_log(Authctxt *authctxt, int authent authmsg = "Postponed"; else if (partial) authmsg = "Partial"; - else + else { authmsg = authenticated ? "Accepted" : "Failed"; + BLACKLIST_NOTIFY(authenticated ? + BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); + } authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", authmsg, @@ -640,6 +644,7 @@ getpwnamallow(const char *user) } #endif if (pw == NULL) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN Modified: head/crypto/openssh/auth1.c ============================================================================== --- head/crypto/openssh/auth1.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/auth1.c Tue Aug 30 14:09:24 2016 (r305065) @@ -43,6 +43,7 @@ #endif #include "monitor_wrap.h" #include "buffer.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -337,6 +338,7 @@ do_authloop(Authctxt *authctxt) char *msg; size_t len; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); @@ -404,6 +406,7 @@ do_authentication(Authctxt *authctxt) else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); } /* Configuration may have changed as a result of Match */ Modified: head/crypto/openssh/auth2.c ============================================================================== --- head/crypto/openssh/auth2.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/auth2.c Tue Aug 30 14:09:24 2016 (r305065) @@ -52,6 +52,7 @@ __RCSID("$FreeBSD$"); #include "pathnames.h" #include "buffer.h" #include "canohost.h" +#include "blacklist_client.h" #ifdef GSSAPI #include "ssh-gss.h" 
@@ -248,6 +249,7 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Added: head/crypto/openssh/blacklist.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/crypto/openssh/blacklist.c Tue Aug 30 14:09:24 2016 (r305065) 
@@ -0,0 +1,97 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "misc.h" +#include "servconf.h" +#include "blacklist_client.h" +#include + +static struct blacklist *blstate = NULL; + +/* import */ +extern ServerOptions options; + +/* internal definition from bl.h */ +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); + +/* impedence match vsyslog() to sshd's internal logging levels */ +void +im_log(int priority, const char *message, va_list args) +{ + LogLevel imlevel; + + switch (priority) { + case LOG_ERR: + imlevel = SYSLOG_LEVEL_ERROR; + break; + case LOG_DEBUG: + imlevel = SYSLOG_LEVEL_DEBUG1; + break; + case LOG_INFO: + imlevel = SYSLOG_LEVEL_INFO; + break; + default: + imlevel = SYSLOG_LEVEL_DEBUG2; + } + do_log(imlevel, message, args); +} + +void +blacklist_init(void) +{ + + if (options.use_blacklist) + blstate = bl_create(false, NULL, im_log); +} + +void +blacklist_notify(int action) +{ + + if (blstate != NULL && packet_connection_is_on_socket()) + (void)blacklist_r(blstate, action, + packet_get_connection_in(), "ssh"); +} Added: head/crypto/openssh/blacklist_client.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/crypto/openssh/blacklist_client.h Tue Aug 30 14:09:24 2016 (r305065) 
@@ -0,0 +1,57 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef BLACKLIST_CLIENT_H +#define BLACKLIST_CLIENT_H + +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL +}; + +#ifdef USE_BLACKLIST +void blacklist_init(void); +void blacklist_notify(int); + +#define BLACKLIST_INIT() blacklist_init() +#define BLACKLIST_NOTIFY(x) blacklist_notify(x) + +#else + +#define BLACKLIST_INIT() +#define BLACKLIST_NOTIFY(x) + +#endif + + +#endif /* BLACKLIST_CLIENT_H */ Modified: head/crypto/openssh/packet.c ============================================================================== --- head/crypto/openssh/packet.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/packet.c Tue Aug 30 14:09:24 2016 (r305065) @@ -86,6 +86,7 @@ __RCSID("$FreeBSD$"); #include "packet.h" #include "ssherr.h" #include "sshbuf.h" +#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -2071,6 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r), Modified: head/crypto/openssh/servconf.c ============================================================================== --- head/crypto/openssh/servconf.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/servconf.c Tue Aug 30 14:09:24 2016 (r305065) @@ -172,6 +172,7 @@ initialize_server_options(ServerOptions options->ip_qos_bulk = -1; options->version_addendum = NULL; options->fingerprint_hash = -1; + options->use_blacklist = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -360,6 +361,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->use_blacklist == -1) + options->use_blacklist = 0; assemble_algorithms(options); 
@@ -437,6 +440,7 @@ typedef enum { sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, + sUseBlacklist, sDeprecated, sUnsupported } ServerOpCodes; @@ -579,6 +583,7 @@ static struct { { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, + { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, { "noneenabled", sUnsupported, SSHCFG_ALL }, { "hpndisabled", sDeprecated, SSHCFG_ALL }, { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, @@ -1861,6 +1866,10 @@ process_server_config_line(ServerOptions options->fingerprint_hash = value; break; + case sUseBlacklist: + intptr = &options->use_blacklist; + goto parse_flag; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -2304,6 +2313,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); + dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); Modified: head/crypto/openssh/servconf.h ============================================================================== --- head/crypto/openssh/servconf.h Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/servconf.h Tue Aug 30 14:09:24 2016 (r305065) @@ -195,6 +195,7 @@ typedef struct { char *auth_methods[MAX_AUTH_METHODS]; int fingerprint_hash; + int use_blacklist; } ServerOptions; /* Information about the incoming connection as used by Match */ Modified: head/crypto/openssh/sshd.c ============================================================================== --- head/crypto/openssh/sshd.c Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/sshd.c Tue Aug 30 14:09:24 2016 (r305065) 
@@ -135,6 +135,7 @@ __RCSID("$FreeBSD$"); #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" +#include "blacklist_client.h" #ifdef LIBWRAP #include @@ -388,6 +389,8 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL); + /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@ -2251,6 +2254,8 @@ main(int ac, char **av) buffer_init(&loginmsg); auth_debug_reset(); + BLACKLIST_INIT(); + if (use_privsep) { if (privsep_preauth(authctxt) == 1) goto authenticated; Modified: head/crypto/openssh/sshd_config ============================================================================== --- head/crypto/openssh/sshd_config Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/sshd_config Tue Aug 30 14:09:24 2016 (r305065) @@ -120,6 +120,7 @@ #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#UseBlacklist no #VersionAddendum FreeBSD-20160310 # no default banner path Modified: head/crypto/openssh/sshd_config.5 ============================================================================== --- head/crypto/openssh/sshd_config.5 Tue Aug 30 13:56:11 2016 (r305064) +++ head/crypto/openssh/sshd_config.5 Tue Aug 30 14:09:24 2016 (r305065) @@ -1537,6 +1537,15 @@ for authentication using .Cm TrustedUserCAKeys . For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . +.It Cm UseBlacklist +Specifies whether +.Xr sshd 8 +attempts to send authentication success and failure messages +to the +.Xr blacklistd 8 +daemon. +The default is +.Dq no . .It Cm UseDNS Specifies whether .Xr sshd 8 Modified: head/secure/usr.sbin/sshd/Makefile ============================================================================== --- head/secure/usr.sbin/sshd/Makefile Tue Aug 30 13:56:11 2016 (r305064) +++ head/secure/usr.sbin/sshd/Makefile Tue Aug 30 14:09:24 2016 (r305065) 
@@ -40,6 +40,13 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT LIBADD+= bsm .endif +.if ${MK_BLACKLIST_SUPPORT} != "no" +CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include +SRCS+= blacklist.c +LIBADD+= blacklist +LDFLAGS+=-L${LIBBLACKLISTDIR} +.endif + .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h SRCS+= krb5_config.h Modified: head/secure/usr.sbin/sshd/Makefile.depend ============================================================================== --- head/secure/usr.sbin/sshd/Makefile.depend Tue Aug 30 13:56:11 2016 (r305064) +++ head/secure/usr.sbin/sshd/Makefile.depend Tue Aug 30 14:09:24 2016 (r305065) @@ -17,6 +17,7 @@ DIRDEPS = \ kerberos5/lib/libroken \ kerberos5/lib/libwind \ lib/${CSU_DIR} \ + lib/libblacklist \ lib/libbsm \ lib/libc \ lib/libcom_err \
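Review bot: one failed attempt by a nonexistent user now raises BLACKLIST_AUTH_FAIL more than once across the auth.c, auth1.c and auth2.c hunks: getpwnamallow notifies when pw == NULL, input_userauth_request (and do_authentication in auth1.c) notifies again in its else branch when it substitutes fakepw(), and auth_log notifies a third time when the attempt is finally logged as "Failed". The auth-pam.c hunk adds a fourth source for PAM failures that also end in auth_log. Since blacklistd tallies each notification against its failure threshold, invalid-user and PAM-rejected attempts would be weighted two to three times more heavily than a wrong password for a valid user. If that weighting is not intended, keep only the auth_log call (it already distinguishes Accepted from Failed and covers all methods) and drop the others; if it is intended, say so in a comment next to the extra calls.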
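Review bot: in the new blacklist.c, im_log is used only as the callback passed to bl_create, so it should be static; as written it is an exported symbol with no prototype in any header. The file also carries its own prototype for bl_create under the comment "internal definition from bl.h", which will silently diverge if the library changes that signature; prefer including the header that declares it, or at least note which libblacklist revision the prototype was copied from. The BLACKLIST_AUTH_OK / BLACKLIST_AUTH_FAIL enum in blacklist_client.h likewise duplicates the values the library expects for the action argument of blacklist_r; a comment stating that the numeric values must match the library's definitions would help the next person who touches it. Minor: blacklist_notify discards the return value of blacklist_r, so a sshd that cannot reach blacklistd fails silently; a debug() on the error path would make that visible. Typo in the comment: "impedence" should read "impedance".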
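Review bot: the BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL) added to grace_alarm_handler in sshd.c runs inside the SIGALRM handler, where blacklist_r will send on a socket and im_log will call do_log; neither is async-signal-safe. The handler already calls sigdie immediately afterwards, so this follows the existing practice in that function, but a one-line comment acknowledging it would save the next reader the question. Keeping the call after the kill(0, SIGTERM) of the children, as the hunk does, is the right order.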
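Review bot: BLACKLIST_INIT() is placed in main() before privsep_preauth, so blstate is created in the parent and inherited by the unprivileged pre-auth child. Several of the new notify calls execute in that child (input_userauth_request in auth2.c, sshpkt_fatal in packet.c, sshpam_query in auth-pam.c), while others run in the monitor (auth_log, getpwnamallow). Please confirm that blacklist_r can still reach the blacklistd socket from inside the pre-auth sandbox; if it cannot, those notifications are dropped without any log line because the return value is discarded, and the feature would appear to work only for the monitor-side events.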
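Review bot: the packet.c hunk reports SSH_ERR_NO_KEX_ALG_MATCH / SSH_ERR_NO_HOSTKEY_ALG_MATCH as BLACKLIST_AUTH_FAIL, but that is a pre-authentication negotiation failure, not an authentication failure. A legitimate client with an outdated algorithm list that retries a few times would then be counted the same way as a password-guessing client. Consider whether this event should count at all; if it is deliberate, document it in sshd_config.5 so administrators know why such clients end up blocked.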
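Review bot: the sshd_config.5 entry for UseBlacklist should state that the keyword is accepted but has no effect when sshd is built without MK_BLACKLIST_SUPPORT: servconf.c registers "useblacklist" and parses it unconditionally, while BLACKLIST_INIT and BLACKLIST_NOTIFY expand to nothing in that build, so an administrator who sets UseBlacklist yes on such a build gets neither an error nor any blacklisting. The description "authentication success and failure messages" also undersells what is reported; listing the events the patch actually hooks (authentication result, invalid user, PAM account denial, login-grace timeout, algorithm-negotiation failure) would let readers judge the option's effect on their environment.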
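Review bot: in the non-USE_BLACKLIST branch of blacklist_client.h, BLACKLIST_NOTIFY(x) expands to nothing, so the argument expression is never evaluated. That is harmless for the current call sites (the conditional in auth_log has no side effects), but a `#define BLACKLIST_NOTIFY(x) ((void)0)` form would keep `BLACKLIST_NOTIFY(...);` a real statement in both builds and make an unused-value warning impossible if a future caller passes something with side effects.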