1301169Slidl--- /dev/null	2015-01-22 23:10:33.000000000 -0500
2301169Slidl+++ dist/pfilter.c	2015-01-22 23:46:03.000000000 -0500
3301169Slidl@@ -0,0 +1,28 @@
4301169Slidl+#include "namespace.h"
5301169Slidl+#include "includes.h"
6301169Slidl+#include "ssh.h"
7301169Slidl+#include "packet.h"
8301169Slidl+#include "log.h"
9301169Slidl+#include "pfilter.h"
10301169Slidl+#include <blacklist.h>
11301169Slidl+
12301169Slidl+static struct blacklist *blstate;
13301169Slidl+
14301169Slidl+void
15301169Slidl+pfilter_init(void)
16301169Slidl+{
17301169Slidl+	blstate = blacklist_open();
18301169Slidl+}
19301169Slidl+
20301169Slidl+void
21301169Slidl+pfilter_notify(int a)
22301169Slidl+{
23301169Slidl+	int fd;
24301169Slidl+	if (blstate == NULL)
25301169Slidl+		pfilter_init();
26301169Slidl+	if (blstate == NULL)
27301169Slidl+		return;
28301169Slidl+	// XXX: 3?
29301169Slidl+ 	fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
30301169Slidl+	(void)blacklist_r(blstate, a, fd, "ssh");
31301169Slidl+}
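Review bot: The fallback descriptor `3` in pfilter_notify (the line under `// XXX: 3?`) is an unexplained guess, and blacklist_r() is handed whatever happens to sit at that descriptor when packet_connection_is_on_socket() is false. If that descriptor is not the client connection, the block daemon would presumably attribute the failure to the wrong peer or to none at all, so either document why 3 is correct or skip the report in that case, e.g. `if (!packet_connection_is_on_socket()) return;`. pfilter_init also drops a failed blacklist_open() silently and pfilter_notify retries it on every call; a `debug("pfilter: blacklist_open failed")` would make a disabled filter visible in the logs. The parameter `a` deserves a comment: the callers on this page pass 1 for a failure and `!authenticated` from auth.c, so 0 means success.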
32301169Slidl--- /dev/null	2015-01-20 21:14:44.000000000 -0500
33301169Slidl+++ dist/pfilter.h	2015-01-20 20:16:20.000000000 -0500
34301169Slidl@@ -0,0 +1,3 @@
35301169Slidl+
36301169Slidl+void pfilter_notify(int);
37301169Slidl+void pfilter_init(void);
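Review bot: The header has no include guard and the pfilter_notify prototype omits its parameter name, so the meaning of the int argument cannot be read from here. Wrap the declarations in a guard (a name such as `PFILTER_H` is only a suggestion) and write `void pfilter_notify(int a);` with a comment such as `/* a: 0 = authentication succeeded, non-zero = failure */`, which matches how the call sites on this page use it.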
38301169SlidlIndex: bin/sshd/Makefile
39301169Slidl===================================================================
40301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
41301169Slidlretrieving revision 1.10
42301169Slidldiff -u -u -r1.10 Makefile
43301169Slidl--- bin/sshd/Makefile	19 Oct 2014 16:30:58 -0000	1.10
44301169Slidl+++ bin/sshd/Makefile	22 Jan 2015 21:39:21 -0000
45301169Slidl@@ -15,7 +15,7 @@
46301169Slidl 	auth2-none.c auth2-passwd.c auth2-pubkey.c \
47301169Slidl 	monitor_mm.c monitor.c monitor_wrap.c \
48301169Slidl 	kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
49301169Slidl-	roaming_common.c roaming_serv.c sandbox-rlimit.c
50301169Slidl+	roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
51301169Slidl 
52301169Slidl COPTS.auth-options.c=	-Wno-pointer-sign
53301169Slidl COPTS.ldapauth.c=	-Wno-format-nonliteral	# XXX: should fix
54301169Slidl@@ -68,3 +68,6 @@
55301169Slidl 
56301169Slidl LDADD+=	-lwrap
57301169Slidl DPADD+=	${LIBWRAP}
58301169Slidl+
59301169Slidl+LDADD+=	-lblacklist
60301169Slidl+DPADD+=	${LIBBLACKLIST}
61301169SlidlIndex: dist/auth.c
62301169Slidl===================================================================
63301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
64301169Slidlretrieving revision 1.10
65301169Slidldiff -u -u -r1.10 auth.c
66301169Slidl--- dist/auth.c	19 Oct 2014 16:30:58 -0000	1.10
67301169Slidl+++ dist/auth.c	22 Jan 2015 21:39:22 -0000
68301169Slidl@@ -62,6 +62,7 @@
69301169Slidl #include "monitor_wrap.h"
70301169Slidl #include "krl.h"
71301169Slidl #include "compat.h"
72301169Slidl+#include "pfilter.h"
73301169Slidl 
74301169Slidl #ifdef HAVE_LOGIN_CAP
75301169Slidl #include <login_cap.h>
76301169Slidl@@ -362,6 +363,8 @@
77301169Slidl 	    compat20 ? "ssh2" : "ssh1",
78301169Slidl 	    authctxt->info != NULL ? ": " : "",
79301169Slidl 	    authctxt->info != NULL ? authctxt->info : "");
80301169Slidl+	if (!authctxt->postponed)
81301169Slidl+		pfilter_notify(!authenticated);
82301169Slidl 	free(authctxt->info);
83301169Slidl 	authctxt->info = NULL;
84301169Slidl }
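Review bot: The added `pfilter_notify(!authenticated)` reports a failure for every non-postponed result with `authenticated == 0`, and nothing in the hunk limits that to real credential failures. If this function is also reached for the SSH2 `none` probe or for a partial success in a multi-method login (the callers are outside the hunk, so this needs confirming), legitimate clients would accumulate failure reports and could end up blocked. Consider a guard on the method or on a partial-success indicator if one is available here, and add a comment stating which results are meant to count. The enclosing function starts before the hunk.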
85301169SlidlIndex: dist/sshd.c
86301169Slidl===================================================================
87301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
88301169Slidlretrieving revision 1.15
89301169Slidldiff -u -u -r1.15 sshd.c
90301169Slidl--- dist/sshd.c	28 Oct 2014 21:36:16 -0000	1.15
91301169Slidl+++ dist/sshd.c	22 Jan 2015 21:39:22 -0000
92301169Slidl@@ -109,6 +109,7 @@
93301169Slidl #include "roaming.h"
94301169Slidl #include "ssh-sandbox.h"
95301169Slidl #include "version.h"
96301169Slidl+#include "pfilter.h"
97301169Slidl 
98301169Slidl #ifdef LIBWRAP
99301169Slidl #include <tcpd.h>
100301169Slidl@@ -364,6 +365,7 @@
101301169Slidl 		killpg(0, SIGTERM);
102301169Slidl 	}
103301169Slidl 
104301169Slidl+	pfilter_notify(1);
105301169Slidl 	/* Log error and exit. */
106301169Slidl 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
107301169Slidl }
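Review bot: `pfilter_notify(1)` is added directly before `sigdie(...)`, which suggests this is the login-grace signal handler (the function starts outside the hunk), and pfilter_notify is not visibly async-signal-safe. As defined in dist/pfilter.c on this page, it may call blacklist_open() when `blstate` is NULL and then blacklist_r(), and neither is known from this page to avoid allocation, locking or stdio. A handler that interrupts arbitrary pre-authentication code and then calls such functions can corrupt process state. Either confirm both library calls are signal-safe and record that in a comment such as `/* blacklist_r() must stay async-signal-safe: called from a signal handler */`, or move the report out of the handler.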
108301169Slidl@@ -1160,6 +1162,7 @@
109301169Slidl 	for (i = 0; i < options.max_startups; i++)
110301169Slidl 		startup_pipes[i] = -1;
111301169Slidl 
112301169Slidl+	pfilter_init();
113301169Slidl 	/*
114301169Slidl 	 * Stay listening for connections until the system crashes or
115301169Slidl 	 * the daemon is killed with a signal.
116301169SlidlIndex: auth1.c
117301169Slidl===================================================================
118301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
119301169Slidlretrieving revision 1.9
120301169Slidldiff -u -u -r1.9 auth1.c
121301169Slidl--- auth1.c	19 Oct 2014 16:30:58 -0000	1.9
122301169Slidl+++ auth1.c	14 Feb 2015 15:40:51 -0000
123301169Slidl@@ -41,6 +41,7 @@
124301169Slidl #endif
125301169Slidl #include "monitor_wrap.h"
126301169Slidl #include "buffer.h"
127301169Slidl+#include "pfilter.h"
128301169Slidl 
129301169Slidl /* import */
130301169Slidl extern ServerOptions options;
131301169Slidl@@ -445,6 +446,7 @@
132301169Slidl 	else {
133301169Slidl 		debug("do_authentication: invalid user %s", user);
134301169Slidl 		authctxt->pw = fakepw();
135301169Slidl+		pfilter_notify(1);
136301169Slidl 	}
137301169Slidl 
138301169Slidl 	/* Configuration may have changed as a result of Match */
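Review bot: This `pfilter_notify(1)` for an invalid user can be followed by a second report for the same attempt, because authentication continues with `fakepw()` and its eventual failure presumably reaches the `pfilter_notify(!authenticated)` call added to dist/auth.c. The same overlap applies to the invalid-user branch in auth2.c, the `getpwnam` failure path in auth.c, the PAM error path in auth-pam.c and the PAM account denial in auth1.c further down this page. If the block daemon counts reports against a threshold, one mistyped user name would consume several of them. A comment stating the intended counting, or a per-attempt flag that suppresses the later report, would make this deliberate. The enclosing function lies outside the hunk.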
139301169SlidlIndex: auth2.c
140301169Slidl===================================================================
141301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
142301169Slidlretrieving revision 1.9
143301169Slidldiff -u -u -r1.9 auth2.c
144301169Slidl--- auth2.c	19 Oct 2014 16:30:58 -0000	1.9
145301169Slidl+++ auth2.c	14 Feb 2015 15:40:51 -0000
146301169Slidl@@ -52,6 +52,7 @@
147301169Slidl #include "pathnames.h"
148301169Slidl #include "buffer.h"
149301169Slidl #include "canohost.h"
150301169Slidl+#include "pfilter.h"
151301169Slidl 
152301169Slidl #ifdef GSSAPI
153301169Slidl #include "ssh-gss.h"
154301169Slidl@@ -256,6 +257,7 @@
155301169Slidl 		} else {
156301169Slidl 			logit("input_userauth_request: invalid user %s", user);
157301169Slidl 			authctxt->pw = fakepw();
158301169Slidl+			pfilter_notify(1);
159301169Slidl 		}
160301169Slidl #ifdef USE_PAM
161301169Slidl 		if (options.use_pam)
162301169SlidlIndex: sshd.c
163301169Slidl===================================================================
164301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
165301169Slidlretrieving revision 1.16
166301169Slidldiff -u -r1.16 sshd.c
167301169Slidl--- sshd.c	25 Jan 2015 15:52:44 -0000	1.16
168301169Slidl+++ sshd.c	14 Feb 2015 09:55:06 -0000
169301169Slidl@@ -628,6 +628,8 @@
170301169Slidl 	explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
171301169Slidl 	endpwent();
172301169Slidl 
173301169Slidl+	pfilter_init();
174301169Slidl+
175301169Slidl 	/* Change our root directory */
176301169Slidl 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
177301169Slidl 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
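Review bot: The `pfilter_init()` call placed before `chroot()` has no comment explaining the ordering, and a failure cannot be detected here because the function returns void. Presumably the blacklist connection must be opened at this point because the lazy open in pfilter_notify would not reach the daemon's socket from inside the chroot; say so, e.g. `/* Open the blacklist connection before chroot(); it cannot be opened afterwards */`. The call also leaves the unprivileged pre-auth child holding an open descriptor to the block daemon, which is worth recording wherever that child's restrictions are documented. The enclosing function starts and ends outside the hunk.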
178301169Slidl
179301169SlidlIndex: auth-pam.c
180301169Slidl===================================================================
181301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
182301169Slidlretrieving revision 1.7
183301169Slidldiff -u -u -r1.7 auth-pam.c
184301169Slidl--- auth-pam.c	3 Jul 2015 00:59:59 -0000	1.7
185301169Slidl+++ auth-pam.c	23 Jan 2016 00:01:16 -0000
186301169Slidl@@ -114,6 +114,7 @@
187301169Slidl #include "ssh-gss.h"
188301169Slidl #endif
189301169Slidl #include "monitor_wrap.h"
190301169Slidl+#include "pfilter.h"
191301169Slidl 
192301169Slidl extern ServerOptions options;
193301169Slidl extern Buffer loginmsg;
194301169Slidl@@ -809,6 +810,7 @@
195301169Slidl 				free(msg);
196301169Slidl 				return (0);
197301169Slidl 			}
198301169Slidl+			pfilter_notify(1);
199301169Slidl 			error("PAM: %s for %s%.100s from %.100s", msg,
200301169Slidl 			    sshpam_authctxt->valid ? "" : "illegal user ",
201301169Slidl 			    sshpam_authctxt->user,
202301169SlidlIndex: auth.c
203301169Slidl===================================================================
204301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
205301169Slidlretrieving revision 1.15
206301169Slidldiff -u -u -r1.15 auth.c
207301169Slidl--- auth.c	21 Aug 2015 08:20:59 -0000	1.15
208301169Slidl+++ auth.c	23 Jan 2016 00:01:16 -0000
209301169Slidl@@ -656,6 +656,7 @@
210301169Slidl 
211301169Slidl 	pw = getpwnam(user);
212301169Slidl 	if (pw == NULL) {
213301169Slidl+		pfilter_notify(1);
214301169Slidl 		logit("Invalid user %.100s from %.100s",
215301169Slidl 		    user, get_remote_ipaddr());
216301169Slidl 		return (NULL);
217301169SlidlIndex: auth1.c
218301169Slidl===================================================================
219301169SlidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
220301169Slidlretrieving revision 1.12
221301169Slidldiff -u -u -r1.12 auth1.c
222301169Slidl--- auth1.c	3 Jul 2015 00:59:59 -0000	1.12
223301169Slidl+++ auth1.c	23 Jan 2016 00:01:16 -0000
224301169Slidl@@ -376,6 +376,7 @@
225301169Slidl 			char *msg;
226301169Slidl 			size_t len;
227301169Slidl 
228301169Slidl+			pfilter_notify(1);
229301169Slidl 			error("Access denied for user %s by PAM account "
230301169Slidl 			    "configuration", authctxt->user);
231301169Slidl 			len = buffer_len(&loginmsg);
232