1301169Slidl--- /dev/null 2015-01-22 23:10:33.000000000 -0500
2301169Slidl+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
3301169Slidl@@ -0,0 +1,28 @@
4301169Slidl+#include "namespace.h"
5301169Slidl+#include "includes.h"
6301169Slidl+#include "ssh.h"
7301169Slidl+#include "packet.h"
8301169Slidl+#include "log.h"
9301169Slidl+#include "pfilter.h"
10301169Slidl+#include <blacklist.h>
11301169Slidl+
12301169Slidl+static struct blacklist *blstate;
13301169Slidl+
14301169Slidl+void
15301169Slidl+pfilter_init(void)
16301169Slidl+{
17301169Slidl+ blstate = blacklist_open();
18301169Slidl+}
19301169Slidl+
20301169Slidl+void
21301169Slidl+pfilter_notify(int a)
22301169Slidl+{
23301169Slidl+ int fd;
24301169Slidl+ if (blstate == NULL)
25301169Slidl+ pfilter_init();
26301169Slidl+ if (blstate == NULL)
27301169Slidl+ return;
28301169Slidl+ // XXX: 3?
29301169Slidl+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
30301169Slidl+ (void)blacklist_r(blstate, a, fd, "ssh");
31301169Slidl+}
32301169Slidl--- /dev/null 2015-01-20 21:14:44.000000000 -0500
33301169Slidl+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
34301169Slidl@@ -0,0 +1,3 @@
35301169Slidl+
36301169Slidl+void pfilter_notify(int);
37301169Slidl+void pfilter_init(void);
38301169SlidlIndex: bin/sshd/Makefile
39301169Slidl===================================================================
40301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
41301169Slidlretrieving revision 1.10
42301169Slidldiff -u -u -r1.10 Makefile
43301169Slidl--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
44301169Slidl+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
45301169Slidl@@ -15,7 +15,7 @@
46301169Slidl auth2-none.c auth2-passwd.c auth2-pubkey.c \
47301169Slidl monitor_mm.c monitor.c monitor_wrap.c \
48301169Slidl kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
49301169Slidl- roaming_common.c roaming_serv.c sandbox-rlimit.c
50301169Slidl+ roaming_common.c
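Review bot: In pfilter_notify the fallback `: 3` passes a hard-coded descriptor to blacklist_r() whenever the connection is not on a socket, and the `// XXX: 3?` comment above it marks the value as a guess. Whatever happens to be open on descriptor 3 is then, presumably, what the blacklist daemon uses to identify the peer, so a failure could be attributed to the wrong address or dropped. I would skip the report in that case, `if (!packet_connection_is_on_socket()) return;`, or name the constant and document where it comes from. Both blacklist_open() and blacklist_r() can fail silently here; one `debug("pfilter: blacklist_open failed");` after the second NULL check would tell an operator that failed logins are not being reported. The parameter `a` also deserves a descriptive name and a comment saying which values it takes.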
roaming_serv.c sandbox-rlimit.c pfilter.c
51301169Slidl
52301169Slidl COPTS.auth-options.c= -Wno-pointer-sign
53301169Slidl COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
54301169Slidl@@ -68,3 +68,6 @@
55301169Slidl
56301169Slidl LDADD+= -lwrap
57301169Slidl DPADD+= ${LIBWRAP}
58301169Slidl+
59301169Slidl+LDADD+= -lblacklist
60301169Slidl+DPADD+= ${LIBBLACKLIST}
61301169SlidlIndex: dist/auth.c
62301169Slidl===================================================================
63301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
64301169Slidlretrieving revision 1.10
65301169Slidldiff -u -u -r1.10 auth.c
66301169Slidl--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
67301169Slidl+++ dist/auth.c 22 Jan 2015 21:39:22 -0000
68301169Slidl@@ -62,6 +62,7 @@
69301169Slidl #include "monitor_wrap.h"
70301169Slidl #include "krl.h"
71301169Slidl #include "compat.h"
72301169Slidl+#include "pfilter.h"
73301169Slidl
74301169Slidl #ifdef HAVE_LOGIN_CAP
75301169Slidl #include <login_cap.h>
76301169Slidl@@ -362,6 +363,8 @@
77301169Slidl compat20 ? "ssh2" : "ssh1",
78301169Slidl authctxt->info != NULL ? ": " : "",
79301169Slidl authctxt->info != NULL ?
authctxt->info : "");
80301169Slidl+ if (!authctxt->postponed)
81301169Slidl+ pfilter_notify(!authenticated);
82301169Slidl free(authctxt->info);
83301169Slidl authctxt->info = NULL;
84301169Slidl }
85301169SlidlIndex: dist/sshd.c
86301169Slidl===================================================================
87301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
88301169Slidlretrieving revision 1.15
89301169Slidldiff -u -u -r1.15 sshd.c
90301169Slidl--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
91301169Slidl+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
92301169Slidl@@ -109,6 +109,7 @@
93301169Slidl #include "roaming.h"
94301169Slidl #include "ssh-sandbox.h"
95301169Slidl #include "version.h"
96301169Slidl+#include "pfilter.h"
97301169Slidl
98301169Slidl #ifdef LIBWRAP
99301169Slidl #include <tcpd.h>
100301169Slidl@@ -364,6 +365,7 @@
101301169Slidl killpg(0, SIGTERM);
102301169Slidl }
103301169Slidl
104301169Slidl+ pfilter_notify(1);
105301169Slidl /* Log error and exit. */
106301169Slidl sigdie("Timeout before authentication for %s", get_remote_ipaddr());
107301169Slidl }
108301169Slidl@@ -1160,6 +1162,7 @@
109301169Slidl for (i = 0; i < options.max_startups; i++)
110301169Slidl startup_pipes[i] = -1;
111301169Slidl
112301169Slidl+ pfilter_init();
113301169Slidl /*
114301169Slidl * Stay listening for connections until the system crashes or
115301169Slidl * the daemon is killed with a signal.
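Review bot: `pfilter_notify(!authenticated)` treats every non-postponed call with `authenticated == 0` as a failed login, which would also cover a partial success in a multi-step authentication if this function is reached for those; its parameters are outside the hunk, so that needs checking against the full function. A legitimate user who completes the first of several required methods should not move closer to being blocked. The argument is also a bare boolean standing in for an action code; `pfilter_notify(authenticated ? BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);` (with `<blacklist.h>` pulled in through pfilter.h) states the intent.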
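Review bot: The added `pfilter_notify(1);` sits directly before `sigdie(...)`, which suggests this is the login-grace alarm handler and therefore runs in signal context; the start of the function is outside the hunk. pfilter_notify() calls pfilter_init() and blacklist_open() when `blstate` is still NULL and then blacklist_r(), and nothing visible here establishes that these are async-signal-safe. Make sure initialisation has always happened before the alarm is armed, and say so at the call: `/* signal context: blstate must already be open, pfilter_notify() must not allocate here */`.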
116301169SlidlIndex: auth1.c
117301169Slidl===================================================================
118301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
119301169Slidlretrieving revision 1.9
120301169Slidldiff -u -u -r1.9 auth1.c
121301169Slidl--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
122301169Slidl+++ auth1.c 14 Feb 2015 15:40:51 -0000
123301169Slidl@@ -41,6 +41,7 @@
124301169Slidl #endif
125301169Slidl #include "monitor_wrap.h"
126301169Slidl #include "buffer.h"
127301169Slidl+#include "pfilter.h"
128301169Slidl
129301169Slidl /* import */
130301169Slidl extern ServerOptions options;
131301169Slidl@@ -445,6 +446,7 @@
132301169Slidl else {
133301169Slidl debug("do_authentication: invalid user %s", user);
134301169Slidl authctxt->pw = fakepw();
135301169Slidl+ pfilter_notify(1);
136301169Slidl }
137301169Slidl
138301169Slidl /* Configuration may have changed as a result of Match */
139301169SlidlIndex: auth2.c
140301169Slidl===================================================================
141301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
142301169Slidlretrieving revision 1.9
143301169Slidldiff -u -u -r1.9 auth2.c
144301169Slidl--- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
145301169Slidl+++ auth2.c 14 Feb 2015 15:40:51 -0000
146301169Slidl@@ -52,6 +52,7 @@
147301169Slidl #include "pathnames.h"
148301169Slidl #include "buffer.h"
149301169Slidl #include "canohost.h"
150301169Slidl+#include "pfilter.h"
151301169Slidl
152301169Slidl #ifdef GSSAPI
153301169Slidl #include "ssh-gss.h"
154301169Slidl@@ -256,6 +257,7 @@
155301169Slidl } else {
156301169Slidl logit("input_userauth_request: invalid user %s", user);
157301169Slidl authctxt->pw = fakepw();
158301169Slidl+ pfilter_notify(1);
159301169Slidl }
160301169Slidl #ifdef USE_PAM
161301169Slidl if (options.use_pam)
162301169SlidlIndex: sshd.c
163301169Slidl===================================================================
164301169SlidlRCS file:
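Review bot: The `pfilter_notify(1);` added in this invalid-user branch can report the same login attempt that other call sites on this page also report: the matching else-branch in auth2.c (@@ -256), the `pw == NULL` branch in auth.c (@@ -656) and the failure path in auth.c (@@ -362). If more than one of those runs for a single attempt, which looks likely but is not visible in these hunks, one bad user name counts two or three times toward the blocking threshold and addresses are blocked sooner than the configured limit suggests. Pick one reporting point per attempt, or document the overlap at each call: `/* NOTE: the user lookup and the auth log path also notify; one attempt may be counted more than once */`. The enclosing function starts and ends outside the hunk.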
/cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
165301169Slidlretrieving revision 1.16
166301169Slidldiff -u -r1.16 sshd.c
167301169Slidl--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
168301169Slidl+++ sshd.c 14 Feb 2015 09:55:06 -0000
169301169Slidl@@ -628,6 +628,8 @@
170301169Slidl explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
171301169Slidl endpwent();
172301169Slidl
173301169Slidl+ pfilter_init();
174301169Slidl+
175301169Slidl /* Change our root directory */
176301169Slidl if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
177301169Slidl fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
178301169Slidl
179301169SlidlIndex: auth-pam.c
180301169Slidl===================================================================
181301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
182301169Slidlretrieving revision 1.7
183301169Slidldiff -u -u -r1.7 auth-pam.c
184301169Slidl--- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7
185301169Slidl+++ auth-pam.c 23 Jan 2016 00:01:16 -0000
186301169Slidl@@ -114,6 +114,7 @@
187301169Slidl #include "ssh-gss.h"
188301169Slidl #endif
189301169Slidl #include "monitor_wrap.h"
190301169Slidl+#include "pfilter.h"
191301169Slidl
192301169Slidl extern ServerOptions options;
193301169Slidl extern Buffer loginmsg;
194301169Slidl@@ -809,6 +810,7 @@
195301169Slidl free(msg);
196301169Slidl return (0);
197301169Slidl }
198301169Slidl+ pfilter_notify(1);
199301169Slidl error("PAM: %s for %s%.100s from %.100s", msg,
200301169Slidl sshpam_authctxt->valid ?
"" : "illegal user ",
201301169Slidl sshpam_authctxt->user,
202301169SlidlIndex: auth.c
203301169Slidl===================================================================
204301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
205301169Slidlretrieving revision 1.15
206301169Slidldiff -u -u -r1.15 auth.c
207301169Slidl--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
208301169Slidl+++ auth.c 23 Jan 2016 00:01:16 -0000
209301169Slidl@@ -656,6 +656,7 @@
210301169Slidl
211301169Slidl pw = getpwnam(user);
212301169Slidl if (pw == NULL) {
213301169Slidl+ pfilter_notify(1);
214301169Slidl logit("Invalid user %.100s from %.100s",
215301169Slidl user, get_remote_ipaddr());
216301169Slidl return (NULL);
217301169SlidlIndex: auth1.c
218301169Slidl===================================================================
219301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
220301169Slidlretrieving revision 1.12
221301169Slidldiff -u -u -r1.12 auth1.c
222301169Slidl--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
223301169Slidl+++ auth1.c 23 Jan 2016 00:01:16 -0000
224301169Slidl@@ -376,6 +376,7 @@
225301169Slidl char *msg;
226301169Slidl size_t len;
227301169Slidl
228301169Slidl+ pfilter_notify(1);
229301169Slidl error("Access denied for user %s by PAM account "
230301169Slidl "configuration", authctxt->user);
231301169Slidl len = buffer_len(&loginmsg);
232