Date: Mon, 20 Feb 2017 00:22:19 +0100 From: Oliver Pinter <oliver.pinter@hardenedbsd.org> To: lidl@freebsd.org Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r313965 - head/crypto/openssh Message-ID: <CAPQ4ffvcAr5TPo%2BGQXqZ-LdNZWu2Kt79Yv31TG2kWHWQtYz%2BNA@mail.gmail.com> In-Reply-To: <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org> References: <201702192035.v1JKZdie080791@repo.freebsd.org> <CAPQ4fftcvpWJ=5DG2YNUB4WQUzJPKa_Tzm28MvKrEFzC3dYqUg@mail.gmail.com> <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2/20/17, Kurt Lidl <lidl@freebsd.org> wrote: > On 2/19/17 4:42 PM, Oliver Pinter wrote: >> Hello! >> >> On 2/19/17, Kurt Lidl <lidl@freebsd.org> wrote: >>> Author: lidl >>> Date: Sun Feb 19 20:35:39 2017 >>> New Revision: 313965 >>> URL: https://svnweb.freebsd.org/changeset/base/313965 >>> >>> Log: >>> Only notify blacklistd for successful logins in auth.c >> >> What's the rationale behind this change? > > Without this change, every pass through auth.c results in a > call to blacklist_notify(). > > So, in a normal remote login, you'd get a failed > login flagged for the printing of the "xxx login:" prompt, > before the remote user could enter a password. > > If the user successfully entered a good password, > you'd get a good login flagged, and everything would be OK. > > If the user entered an incorrect password, you'd get > another failed login in auth1.c (or auth2.c), and finally, > when sshd got around to issuing the second "xxx login:" > prompt, you'd have yet another failed login notice sent > to blacklistd. > > So, if you had 3 bad logins set to the limit, you'd actually > be blocking the address after the first bad login attempt. > > -Kurt Thanks for the detailed answer. Could you please include these sentences when you MFC this change? > >> >>> >>> Reported by: Rick Adams >>> Reviewed by: des >>> MFC after: 3 days >>> Sponsored by: The FreeBSD Foundation >>> >>> Modified: >>> head/crypto/openssh/auth.c >>> >>> Modified: head/crypto/openssh/auth.c >>> ============================================================================== >>> --- head/crypto/openssh/auth.c Sun Feb 19 19:56:12 2017 (r313964) >>> +++ head/crypto/openssh/auth.c Sun Feb 19 20:35:39 2017 (r313965) >>> @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent >>> authmsg = "Partial"; >>> else { >>> authmsg = authenticated ? "Accepted" : "Failed"; >>> - BLACKLIST_NOTIFY(authenticated ? >>> - BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL); >>> + if (authenticated) >>> + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK); >>> } >>> >>> authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", >>> _______________________________________________ >>> svn-src-head@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/svn-src-head >>> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" >>> > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPQ4ffvcAr5TPo%2BGQXqZ-LdNZWu2Kt79Yv31TG2kWHWQtYz%2BNA>