Diffstat (limited to 'crypto/openssh')
-rw-r--r-- | crypto/openssh/auth-pam.c | 6 | ||||
-rw-r--r-- | crypto/openssh/auth.c | 8 | ||||
-rw-r--r-- | crypto/openssh/auth2.c | 5 | ||||
-rw-r--r-- | crypto/openssh/blocklist.c (renamed from crypto/openssh/blacklist.c) | 16 | ||||
-rw-r--r-- | crypto/openssh/blocklist_client.h (renamed from crypto/openssh/blacklist_client.h) | 30 | ||||
-rw-r--r-- | crypto/openssh/monitor.c | 14 | ||||
-rw-r--r-- | crypto/openssh/packet.c | 2 | ||||
-rw-r--r-- | crypto/openssh/servconf.c | 18 | ||||
-rw-r--r-- | crypto/openssh/servconf.h | 2 | ||||
-rw-r--r-- | crypto/openssh/sshd-session.c | 15 | ||||
-rw-r--r-- | crypto/openssh/sshd_config | 2 | ||||
-rw-r--r-- | crypto/openssh/sshd_config.5 | 14 |
12 files changed, 72 insertions, 60 deletions
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index f95f6abbcbe0..217fae531afa 100644 --- a/crypto/openssh/auth-pam.c +++ b/crypto/openssh/auth-pam.c @@ -101,7 +101,7 @@ #endif #include "monitor_wrap.h" #include "srclimit.h" -#include "blacklist_client.h" +#include "blocklist_client.h" extern ServerOptions options; extern struct sshbuf *loginmsg; @@ -937,8 +937,8 @@ sshpam_query(void *ctx, char **name, char **info, sshbuf_free(buffer); return (0); } - BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER, - sshpam_authctxt->user); + BLOCKLIST_NOTIFY(NULL, BLOCKLIST_AUTH_FAIL, + "PAM illegal user"); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, sshpam_rhost); diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c index 961082b76667..28ee390f4a15 100644 --- a/crypto/openssh/auth.c +++ b/crypto/openssh/auth.c @@ -75,7 +75,7 @@ #include "monitor_wrap.h" #include "ssherr.h" #include "channels.h" -#include "blacklist_client.h" +#include "blocklist_client.h" /* import */ extern ServerOptions options; @@ -289,7 +289,8 @@ auth_log(struct ssh *ssh, int authenticated, int partial, else { authmsg = authenticated ? "Accepted" : "Failed"; if (authenticated) - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh"); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_OK, + "Authenticated"); } if ((extra = format_method_key(authctxt)) == NULL) { @@ -338,6 +339,7 @@ auth_maxtries_exceeded(struct ssh *ssh) { Authctxt *authctxt = (Authctxt *)ssh->authctxt; + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Maximum attempts exceeded"); error("maximum authentication attempts exceeded for " "%s%.100s from %.200s port %d ssh2", authctxt->valid ? "" : "invalid user ", 
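Review bot: The new `BLOCKLIST_NOTIFY(NULL, BLOCKLIST_AUTH_FAIL, "PAM illegal user")` in sshpam_query labels every PAM failure as an illegal user, while the error() call directly below it prints "illegal user " only when `sshpam_authctxt->valid` is false, so blocklistd's log will say "illegal user" for real accounts that merely failed PAM. Carry the same distinction through, e.g. `sshpam_authctxt->valid ? "PAM authentication failed" : "PAM illegal user"`. The call also still passes NULL as the ssh argument, which blocklist_notify hands straight to the packet-layer helpers; unless those accept a NULL ssh (nothing in this diff shows that) the notification is either a NULL dereference in the monitor or a silent no-op once UseBlocklist is on, and passing `the_active_state` as cleanup_exit does in this same commit would avoid the question. sshpam_query starts and ends outside this hunk.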
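Review bot: The AUTH_FAIL notification added at the top of auth_maxtries_exceeded runs in whichever process calls it, and its caller in userauth_finish (outside this hunk) appears to be the unprivileged preauth child — the adjacent auth2.c hunk reaches the same `failures >= max_authtries` check through `mm_audit_event`, a child-to-monitor request. If the child's sandbox keeps it from reaching the blocklistd socket, this report is silently dropped by the `(void)blocklist_r(...)` in blocklist_notify; if the socket was inherited from BLOCKLIST_INIT it gets through, but the monitor will presumably report the same connection again from cleanup_exit ("Fatal exit") once the child dies, double-counting one exhaustion. Either way it seems safer to leave max-tries reporting to the monitor side and replace this line with a comment saying so, e.g. `/* Reported to blocklistd by the monitor (cleanup_exit), not here: this runs in the preauth child. */`. The function's body continues past the hunk.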
@@ -498,7 +500,7 @@ getpwnamallow(struct ssh *ssh, const char *user) aix_restoreauthdb(); #endif if (pw == NULL) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user); + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Invalid user"); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index eac1d26a4aaf..82f6e6211259 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -52,7 +52,6 @@ #include "dispatch.h" #include "pathnames.h" #include "ssherr.h" -#include "blacklist_client.h" #ifdef GSSAPI #include "ssh-gss.h" #endif @@ -443,10 +442,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, } else { /* Allow initial try of "none" auth without failure penalty */ if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) authctxt->failures++; - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); - } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES); diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blocklist.c index 33d02607dd98..f3c00016db66 100644 --- a/crypto/openssh/blacklist.c +++ b/crypto/openssh/blocklist.c @@ -46,16 +46,16 @@ #include "log.h" #include "misc.h" #include "servconf.h" -#include <blacklist.h> -#include "blacklist_client.h" +#include <blocklist.h> +#include "blocklist_client.h" -static struct blacklist *blstate = NULL; +static struct blocklist *blstate = NULL; /* import */ extern ServerOptions options; /* internal definition from bl.h */ -struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); +struct blocklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); /* impedence match vsyslog() to sshd's internal logging levels */ void 
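Review bot: Replacing `BLOCKLIST_BAD_USER, user` with `BLOCKLIST_AUTH_FAIL, "Invalid user"` in getpwnamallow is a policy change, not only a rename: an unknown username now counts toward blocklistd's failure threshold exactly like a wrong password, whereas BAD_USER was a distinct action (still present in the enum in blocklist_client.h) that a daemon could treat differently, and the offending name is no longer forwarded. That is a defensible hardening against username-enumeration sweeps, but it deserves a one-line comment at the call site, e.g. `/* Reported as AUTH_FAIL rather than BAD_USER so unknown users count toward blocking. */`, and a sentence in the UseBlocklist entry of sshd_config.5. The rest of getpwnamallow lies outside the hunk.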
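Review bot: Dropping the `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh")` from userauth_finish means a failed attempt is no longer reported at all unless the connection goes on to exhaust MaxAuthTries or to reach the "Fatal exit" path in cleanup_exit; a client that fails a few times per connection and then disconnects cleanly now produces at most one event per connection instead of one per attempt, which changes how quickly a brute-forcer crosses the daemon's threshold. If the removal is because this code runs in the sandboxed child, the natural replacement is the `else` branch of auth_log in auth.c, where this commit already reports AUTH_OK and which appears to run on the monitor side: after the `if (authenticated)` notify add `else if (strcmp(method, "none") != 0) BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Authentication failed");`, preserving the initial-"none" exemption this hunk no longer needs. If per-connection counting is the intent instead, a comment on the `failures++` line saying so would stop the next reader from re-adding it. userauth_finish continues outside the hunk.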
@@ -80,18 +80,18 @@ im_log(int priority, const char *message, va_list args) } void -blacklist_init(void) +blocklist_init(void) { - if (options.use_blacklist) + if (options.use_blocklist) blstate = bl_create(false, NULL, im_log); } void -blacklist_notify(struct ssh *ssh, int action, const char *msg) +blocklist_notify(struct ssh *ssh, int action, const char *msg) { if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) - (void)blacklist_r(blstate, action, + (void)blocklist_r(blstate, action, ssh_packet_get_connection_in(ssh), msg); } diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blocklist_client.h index 601a44461e20..be92245e4690 100644 --- a/crypto/openssh/blacklist_client.h +++ b/crypto/openssh/blocklist_client.h @@ -31,31 +31,31 @@ * POSSIBILITY OF SUCH DAMAGE. */ -#ifndef BLACKLIST_CLIENT_H -#define BLACKLIST_CLIENT_H +#ifndef BLOCKLIST_CLIENT_H +#define BLOCKLIST_CLIENT_H -#ifndef BLACKLIST_API_ENUM +#ifndef BLOCKLIST_API_ENUM enum { - BLACKLIST_AUTH_OK = 0, - BLACKLIST_AUTH_FAIL, - BLACKLIST_ABUSIVE_BEHAVIOR, - BLACKLIST_BAD_USER + BLOCKLIST_AUTH_OK = 0, + BLOCKLIST_AUTH_FAIL, + BLOCKLIST_ABUSIVE_BEHAVIOR, + BLOCKLIST_BAD_USER }; #endif -#ifdef USE_BLACKLIST -void blacklist_init(void); -void blacklist_notify(struct ssh *, int, const char *); +#ifdef USE_BLOCKLIST +void blocklist_init(void); +void blocklist_notify(struct ssh *, int, const char *); -#define BLACKLIST_INIT() blacklist_init() -#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg) +#define BLOCKLIST_INIT() blocklist_init() +#define BLOCKLIST_NOTIFY(ssh,x,msg) blocklist_notify(ssh,x,msg) #else -#define BLACKLIST_INIT() -#define BLACKLIST_NOTIFY(ssh,x,msg) +#define BLOCKLIST_INIT() +#define BLOCKLIST_NOTIFY(ssh,x,msg) #endif -#endif /* BLACKLIST_CLIENT_H */ +#endif /* BLOCKLIST_CLIENT_H */ diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 2179553d3401..77dccf0d84f1 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c 
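Review bot: blocklist_notify still passes `ssh` unchecked to ssh_packet_connection_is_on_socket and ssh_packet_get_connection_in, and this same commit keeps a caller that passes NULL (sshpam_query in auth-pam.c). Unless those packet helpers tolerate a NULL ssh, which nothing in the diff shows, enabling UseBlocklist turns a PAM failure into a NULL dereference in the monitor; the cheap fix is `if (blstate != NULL && ssh != NULL && ssh_packet_connection_is_on_socket(ssh))`. A NULL ssh also means there is no connection fd to hand to blocklist_r, and the fd is what blocklistd uses to identify the peer, so such an event could not be attributed anyway — which argues for fixing the caller rather than only guarding here.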
@@ -85,6 +85,8 @@ #include "misc.h" #include "servconf.h" #include "monitor.h" +#include "blocklist_client.h" + #ifdef GSSAPI #include "ssh-gss.h" #endif @@ -353,16 +355,24 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) } } if (authctxt->failures > options.max_authtries) { + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, + "Too many authentication attempts"); /* Shouldn't happen */ fatal_f("privsep child made too many authentication " "attempts"); } } - if (!authctxt->valid) + if (!authctxt->valid) { + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, + "Authenticated invalid user"); fatal_f("authenticated invalid user"); - if (strcmp(auth_method, "unknown") == 0) + } + if (strcmp(auth_method, "unknown") == 0) { + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, + "Authentication method name unknown"); fatal_f("authentication method name unknown"); + } debug_f("user %s authenticated by privileged process", authctxt->user); auth_attempted = 0; diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c index cc114c837e31..9dea2cfc5188 100644 --- a/crypto/openssh/packet.c +++ b/crypto/openssh/packet.c @@ -96,7 +96,6 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" -#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -2022,7 +2021,6 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap) case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh->kex && ssh->kex->failed_choice) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 5ab34973bbcb..07d3bee2fcb9 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c 
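Review bot: The three AUTH_FAIL notifications added in monitor_child_preauth each sit immediately before a fatal_f(), and fatal ends in cleanup_exit, which this same commit teaches to send its own AUTH_FAIL ("Fatal exit") whenever `i == 255 && auth_attempted`; since `auth_attempted = 0` is only reset further down, after these checks, a connection that reaches any of them presumably reports twice. Pick one place: either drop these three calls and rely on cleanup_exit, or keep them and set `auth_attempted = 0;` before each fatal_f so cleanup_exit stays quiet. The existing "Shouldn't happen" comment on the first one also argues for the generic path rather than a bespoke message. monitor_child_preauth starts and ends outside this hunk.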
@@ -217,7 +217,7 @@ initialize_server_options(ServerOptions *options) options->sshd_session_path = NULL; options->sshd_auth_path = NULL; options->refuse_connection = -1; - options->use_blacklist = -1; + options->use_blocklist = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -506,8 +506,8 @@ fill_default_server_options(ServerOptions *options) options->sshd_auth_path = xstrdup(_PATH_SSHD_AUTH); if (options->refuse_connection == -1) options->refuse_connection = 0; - if (options->use_blacklist == -1) - options->use_blacklist = 0; + if (options->use_blocklist == -1) + options->use_blocklist = 0; assemble_algorithms(options); @@ -591,7 +591,7 @@ typedef enum { sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout, sSshdSessionPath, sSshdAuthPath, sRefuseConnection, - sUseBlacklist, + sUseBlocklist, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; @@ -761,8 +761,8 @@ static struct { { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL }, { "sshdauthpath", sSshdAuthPath, SSHCFG_GLOBAL }, { "refuseconnection", sRefuseConnection, SSHCFG_ALL }, - { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, - { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */ + { "useblocklist", sUseBlocklist, SSHCFG_GLOBAL }, + { "useblacklist", sUseBlocklist, SSHCFG_GLOBAL }, /* alias */ { NULL, sBadOption, 0 } }; @@ -2742,8 +2742,8 @@ process_server_config_line_depth(ServerOptions *options, char *line, multistate_ptr = multistate_flag; goto parse_multistate; - case sUseBlacklist: - intptr = &options->use_blacklist; + case sUseBlocklist: + intptr = &options->use_blocklist; goto parse_flag; case sDeprecated: 
@@ -3297,7 +3297,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); dump_cfg_fmtint(sRefuseConnection, o->refuse_connection); - dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); + dump_cfg_fmtint(sUseBlocklist, o->use_blocklist); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index ad3974322e83..38b2afeb15bd 100644 --- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -253,7 +253,7 @@ typedef struct { int refuse_connection; - int use_blacklist; + int use_blocklist; } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c index 902718524279..ca35790149ac 100644 --- a/crypto/openssh/sshd-session.c +++ b/crypto/openssh/sshd-session.c @@ -108,7 +108,7 @@ #include "sk-api.h" #include "srclimit.h" #include "dh.h" -#include "blacklist_client.h" +#include "blocklist_client.h" /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@ -1201,6 +1201,8 @@ main(int ac, char **av) ssh_signal(SIGCHLD, SIG_DFL); ssh_signal(SIGINT, SIG_DFL); + BLOCKLIST_INIT(); + /* * Register our connection. This turns encryption off because we do * not have a key. @@ -1277,8 +1279,10 @@ main(int ac, char **av) } if ((r = kex_exchange_identification(ssh, -1, - options.version_addendum)) != 0) + options.version_addendum)) != 0) { + BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange"); sshpkt_fatal(ssh, r, "banner exchange"); + } ssh_packet_set_nonblocking(ssh); @@ -1298,8 +1302,6 @@ main(int ac, char **av) fatal("sshbuf_new loginmsg failed"); auth_debug_reset(); - BLACKLIST_INIT(); - if (privsep_preauth(ssh) != 1) fatal("privsep_preauth failed"); 
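Review bot: The new `BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange")` fires on every non-zero return from kex_exchange_identification, and if a peer that connects and closes without sending a banner is reported as an error there (upstream returns SSH_ERR_CONN_CLOSED for that), then load-balancer TCP health checks, port scans and monitoring probes are all counted by blocklistd as authentication failures and can get an infrastructure host blocked after a handful of probes. If the aim is to penalise malformed banners only, gate it on the error, e.g. `if (r != SSH_ERR_CONN_CLOSED)` (confirm which codes a bare close yields), or report it as BLOCKLIST_ABUSIVE_BEHAVIOR so the daemon's policy can weight it differently from a password failure. Moving BLOCKLIST_INIT ahead of ssh_packet_set_connection looks harmless but warrants a one-line comment on why it moved, e.g. `/* Create blocklistd state before any path that can fail the connection. */`. main() starts and ends outside this hunk.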
@@ -1425,7 +1427,10 @@ cleanup_exit(int i) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif /* Override default fatal exit value when auth was attempted */ - if (i == 255 && auth_attempted) + if (i == 255 && auth_attempted) { + BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL, + "Fatal exit"); _exit(EXIT_AUTH_ATTEMPTED); + } _exit(i); } diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 50a3d228fa58..708be7fe2870 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -107,7 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none -#UseBlacklist no +#UseBlocklist no #VersionAddendum FreeBSD-20250801 # no default banner path diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index ff1be7ba6ccf..c637d68f90c6 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -2020,20 +2020,20 @@ The default is to never expire connections for having no open channels. This option may be useful in conjunction with .Cm ChannelTimeout . -.It Cm UseBlacklist +.It Cm UseBlocklist Specifies whether .Xr sshd 8 attempts to send authentication success and failure messages to the -.Xr blacklistd 8 +.Xr blocklistd 8 daemon. The default is .Cm no . -For forward compatibility with an upcoming -.Xr blacklistd -rename, the -.Cm UseBlocklist -alias can be used instead. +For backward compatibility with +.Xr blacklistd 8 , +the +.Cm UseBlacklist +alias can still be used. .It Cm UseDNS Specifies whether .Xr sshd 8 |