diff options
Diffstat (limited to 'contrib/blacklist/diff/ssh.diff')
-rw-r--r-- | contrib/blacklist/diff/ssh.diff | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/contrib/blacklist/diff/ssh.diff b/contrib/blacklist/diff/ssh.diff new file mode 100644 index 000000000000..9427fc8ddb36 --- /dev/null +++ b/contrib/blacklist/diff/ssh.diff @@ -0,0 +1,150 @@ +--- /dev/null 2015-01-22 23:10:33.000000000 -0500 ++++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500 +@@ -0,0 +1,32 @@ ++#include "namespace.h" ++#include "includes.h" ++#include "ssh.h" ++#include "packet.h" ++#include "log.h" ++#include "pfilter.h" ++#include <blacklist.h> ++ ++static struct blacklist *blstate; ++ ++void ++pfilter_init(void) ++{ ++ blstate = blacklist_open(); ++} ++ ++void ++pfilter_notify(int a) ++{ ++ int fd; ++ if (blstate == NULL) ++ pfilter_init(); ++ if (blstate == NULL) ++ return; ++ // XXX: 3? ++ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; ++ (void)blacklist_r(blstate, a, fd, "ssh"); ++ if (a == 0) { ++ blacklist_close(blstate); ++ blstate = NULL; ++ } ++} +--- /dev/null 2015-01-20 21:14:44.000000000 -0500 ++++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 +@@ -0,0 +1,3 @@ ++ ++void pfilter_notify(int); ++void pfilter_init(void); +Index: bin/sshd/Makefile +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v +retrieving revision 1.10 +diff -u -u -r1.10 Makefile +--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 ++++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 +@@ -15,7 +15,7 @@ + auth2-none.c auth2-passwd.c auth2-pubkey.c \ + monitor_mm.c monitor.c monitor_wrap.c \ + kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ +- roaming_common.c roaming_serv.c sandbox-rlimit.c ++ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c + + COPTS.auth-options.c= -Wno-pointer-sign + COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix +@@ -68,3 +68,6 @@ + + LDADD+= -lwrap + DPADD+= ${LIBWRAP} ++ ++LDADD+= -lblacklist ++DPADD+= ${LIBBLACKLIST} +diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c +--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 +@@ -103,6 +103,7 @@ + #include "ssh-gss.h" + #endif + #include "monitor_wrap.h" ++#include "pfilter.h" + + extern ServerOptions options; + extern Buffer loginmsg; +@@ -526,6 +527,7 @@ + ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer); + else + ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); ++ pfilter_notify(1); + buffer_free(&buffer); + pthread_exit(NULL); + +@@ -804,6 +806,7 @@ + free(msg); + return (0); + } ++ pfilter_notify(1); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, +diff -ru openssh-7.7p1/auth2.c dist/auth2.c +--- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 +@@ -51,6 +51,7 @@ + #include "dispatch.h" + #include "pathnames.h" + #include "buffer.h" ++#include "pfilter.h" + + #ifdef GSSAPI + #include "ssh-gss.h" +@@ -242,6 +243,7 @@ + } else { + /* Invalid user, fake password information */ + authctxt->pw = fakepw(); ++ pfilter_notify(1); + #ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); + #endif +Only in dist: pfilter.c +Only in dist: pfilter.h +diff -ru openssh-7.7p1/sshd.c dist/sshd.c +--- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400 +@@ -122,6 +122,7 @@ + #include "auth-options.h" + #include "version.h" + #include "ssherr.h" ++#include "pfilter.h" + + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) +@@ -346,6 +347,7 @@ + static void + grace_alarm_handler(int sig) + { ++ pfilter_notify(1); + if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) + kill(pmonitor->m_pid, SIGALRM); + +@@ -1835,6 +1837,8 @@ + if (test_flag) + exit(0); + ++ pfilter_init(); ++ + /* + * Clear out any supplemental groups we may have inherited. This + * prevents inadvertent creation of files with bad modes (in the +@@ -2280,6 +2284,9 @@ + { + struct ssh *ssh = active_state; /* XXX */ + ++ if (i == 255) ++ pfilter_notify(1); ++ + if (the_authctxt) { + do_cleanup(ssh, the_authctxt); + if (use_privsep && privsep_is_preauth && |