ssh.diff revision 301169
1--- /dev/null 2015-01-22 23:10:33.000000000 -0500
2+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
3@@ -0,0 +1,28 @@
4+#include "namespace.h"
5+#include "includes.h"
6+#include "ssh.h"
7+#include "packet.h"
8+#include "log.h"
9+#include "pfilter.h"
10+#include <blacklist.h>
11+
12+static struct blacklist *blstate;
13+
14+void
15+pfilter_init(void)
16+{
17+ blstate = blacklist_open();
18+}
19+
20+void
21+pfilter_notify(int a)
22+{
23+ int fd;
24+ if (blstate == NULL)
25+ pfilter_init();
26+ if (blstate == NULL)
27+ return;
28+ // XXX: 3?
29+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
30+ (void)blacklist_r(blstate, a, fd, "ssh");
31+}
32--- /dev/null 2015-01-20 21:14:44.000000000 -0500
33+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
34@@ -0,0 +1,3 @@
35+
36+void pfilter_notify(int);
37+void pfilter_init(void);
38Index: bin/sshd/Makefile
39===================================================================
40RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
41retrieving revision 1.10
42diff -u -u -r1.10 Makefile
43--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
44+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
45@@ -15,7 +15,7 @@
46 auth2-none.c auth2-passwd.c auth2-pubkey.c \
47 monitor_mm.c monitor.c monitor_wrap.c \
48 kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
49- roaming_common.c roaming_serv.c sandbox-rlimit.c
50+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
51
52 COPTS.auth-options.c= -Wno-pointer-sign
53 COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
54@@ -68,3 +68,6 @@
55
56 LDADD+= -lwrap
57 DPADD+= ${LIBWRAP}
58+
59+LDADD+= -lblacklist
60+DPADD+= ${LIBBLACKLIST}
61Index: dist/auth.c
62===================================================================
63RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
64retrieving revision 1.10
65diff -u -u -r1.10 auth.c
66--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
67+++ dist/auth.c 22
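Review bot: The fallback descriptor in `pfilter_notify()` in dist/pfilter.c is a bare `3` that the author's own `// XXX: 3?` already questions, and nothing in the file says which descriptor that is meant to be when `packet_connection_is_on_socket()` is false. The blocked address is presumably derived from the descriptor handed to `blacklist_r()`, so a wrong guess would attribute the failure to the wrong peer or to none; I would skip the report in that case or state the assumption, e.g. `/* not on a socket: fd 3 is assumed to be <which descriptor> -- confirm */`. The meaning of `a` is also undocumented, here and in the unnamed `int` of the dist/pfilter.h prototype; the callers pass `!authenticated` and `1`, so `/* a: 0 = authentication succeeded, non-zero = failed attempt to report */` would help. The result of `blacklist_r()` is discarded with `(void)`, so a lost report is silent; a `debug()` line on failure would make it visible.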
Jan 2015 21:39:22 -0000
68@@ -62,6 +62,7 @@
69 #include "monitor_wrap.h"
70 #include "krl.h"
71 #include "compat.h"
72+#include "pfilter.h"
73
74 #ifdef HAVE_LOGIN_CAP
75 #include <login_cap.h>
76@@ -362,6 +363,8 @@
77 compat20 ? "ssh2" : "ssh1",
78 authctxt->info != NULL ? ": " : "",
79 authctxt->info != NULL ? authctxt->info : "");
80+ if (!authctxt->postponed)
81+ pfilter_notify(!authenticated);
82 free(authctxt->info);
83 authctxt->info = NULL;
84 }
85Index: dist/sshd.c
86===================================================================
87RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
88retrieving revision 1.15
89diff -u -u -r1.15 sshd.c
90--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
91+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
92@@ -109,6 +109,7 @@
93 #include "roaming.h"
94 #include "ssh-sandbox.h"
95 #include "version.h"
96+#include "pfilter.h"
97
98 #ifdef LIBWRAP
99 #include <tcpd.h>
100@@ -364,6 +365,7 @@
101 killpg(0, SIGTERM);
102 }
103
104+ pfilter_notify(1);
105 /* Log error and exit. */
106 sigdie("Timeout before authentication for %s", get_remote_ipaddr());
107 }
108@@ -1160,6 +1162,7 @@
109 for (i = 0; i < options.max_startups; i++)
110 startup_pipes[i] = -1;
111
112+ pfilter_init();
113 /*
114 * Stay listening for connections until the system crashes or
115 * the daemon is killed with a signal.
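Review bot: In the dist/auth.c hunk at `@@ -362`, `pfilter_notify(!authenticated)` reports every non-postponed result that is not a success as a failure, and the hunk does not show whether this path is also reached for outcomes that are not credential guessing, such as an initial method probe or a partial success in a multi-step login. If it is, ordinary clients would accumulate failure reports and could end up blocked, so the condition should be narrowed or the intent written down, e.g. `/* report to the blacklist library: 0 = success, 1 = failed attempt */`. The enclosing function begins outside the hunk, so the fields available for a narrower test could not be checked.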
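Review bot: The `pfilter_notify(1)` added at `@@ -364` of dist/sshd.c sits between `killpg(0, SIGTERM)` and `sigdie("Timeout before authentication for %s", ...)`, which looks like the login-grace alarm handler, although the function header is outside the hunk. If so, the call runs in signal context, and `pfilter_notify()` may call `blacklist_open()` through its lazy initialisation before calling `blacklist_r()`; nothing on the page shows either to be async-signal-safe. I would confirm that and make sure `pfilter_init()` has always run before the alarm is armed, and at minimum add `/* runs in signal context: pfilter_notify() must stay async-signal-safe */` above the call.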
116Index: auth1.c
117===================================================================
118RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
119retrieving revision 1.9
120diff -u -u -r1.9 auth1.c
121--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
122+++ auth1.c 14 Feb 2015 15:40:51 -0000
123@@ -41,6 +41,7 @@
124 #endif
125 #include "monitor_wrap.h"
126 #include "buffer.h"
127+#include "pfilter.h"
128
129 /* import */
130 extern ServerOptions options;
131@@ -445,6 +446,7 @@
132 else {
133 debug("do_authentication: invalid user %s", user);
134 authctxt->pw = fakepw();
135+ pfilter_notify(1);
136 }
137
138 /* Configuration may have changed as a result of Match */
139Index: auth2.c
140===================================================================
141RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
142retrieving revision 1.9
143diff -u -u -r1.9 auth2.c
144--- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
145+++ auth2.c 14 Feb 2015 15:40:51 -0000
146@@ -52,6 +52,7 @@
147 #include "pathnames.h"
148 #include "buffer.h"
149 #include "canohost.h"
150+#include "pfilter.h"
151
152 #ifdef GSSAPI
153 #include "ssh-gss.h"
154@@ -256,6 +257,7 @@
155 } else {
156 logit("input_userauth_request: invalid user %s", user);
157 authctxt->pw = fakepw();
158+ pfilter_notify(1);
159 }
160 #ifdef USE_PAM
161 if (options.use_pam)
162Index: sshd.c
163===================================================================
164RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
165retrieving revision 1.16
166diff -u -r1.16 sshd.c
167--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
168+++ sshd.c 14 Feb 2015 09:55:06 -0000
169@@ -628,6 +628,8 @@
170 explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
171 endpwent();
172
173+ pfilter_init();
174+
175 /* Change our root directory */
176 if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
177 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
178
179Index: auth-pam.c
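Review bot: The `pfilter_notify(1)` added to the invalid-user branch in auth1.c (`@@ -445`) and the identical one in auth2.c (`@@ -256`) appear to report a failure for a request that the logging hunk in dist/auth.c (`@@ -362`) reports again once the attempt fails, and the later auth.c hunk (`@@ -656`) adds another report where `getpwnam()` returns NULL. If those paths all run for one attempt, an unknown username reaches the block threshold in fewer attempts than a known one, which skews the count and presumably works against the `fakepw()` path's aim of handling both alike. I would report once per attempt in a single place, or document the weighting, e.g. `/* counted in addition to the per-attempt failure report: unknown users are weighted more heavily on purpose */`. Both enclosing functions extend outside their hunks, so the call order is inferred.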
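Review bot: Nothing at `@@ -628` of sshd.c says why `pfilter_init()` has to come before `chroot()`; presumably the blacklist handle cannot be opened from inside the chroot, so a comment such as `/* open the blacklist handle before chroot(); it may be unreachable afterwards */` would keep the call from being moved later. `pfilter_init()` in dist/pfilter.c also assigns `blstate` unconditionally, so if the call added at `@@ -1160` of dist/sshd.c is still applied, this one replaces an inherited handle without releasing it; `if (blstate != NULL) return;` at the top of `pfilter_init()` would avoid that. The enclosing function begins and ends outside the hunk.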
180===================================================================
181RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
182retrieving revision 1.7
183diff -u -u -r1.7 auth-pam.c
184--- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7
185+++ auth-pam.c 23 Jan 2016 00:01:16 -0000
186@@ -114,6 +114,7 @@
187 #include "ssh-gss.h"
188 #endif
189 #include "monitor_wrap.h"
190+#include "pfilter.h"
191
192 extern ServerOptions options;
193 extern Buffer loginmsg;
194@@ -809,6 +810,7 @@
195 free(msg);
196 return (0);
197 }
198+ pfilter_notify(1);
199 error("PAM: %s for %s%.100s from %.100s", msg,
200 sshpam_authctxt->valid ? "" : "illegal user ",
201 sshpam_authctxt->user,
202Index: auth.c
203===================================================================
204RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
205retrieving revision 1.15
206diff -u -u -r1.15 auth.c
207--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
208+++ auth.c 23 Jan 2016 00:01:16 -0000
209@@ -656,6 +656,7 @@
210
211 pw = getpwnam(user);
212 if (pw == NULL) {
213+ pfilter_notify(1);
214 logit("Invalid user %.100s from %.100s",
215 user, get_remote_ipaddr());
216 return (NULL);
217Index: auth1.c
218===================================================================
219RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
220retrieving revision 1.12
221diff -u -u -r1.12 auth1.c
222--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
223+++ auth1.c 23 Jan 2016 00:01:16 -0000
224@@ -376,6 +376,7 @@
225 char *msg;
226 size_t len;
227
228+ pfilter_notify(1);
229 error("Access denied for user %s by PAM account "
230 "configuration", authctxt->user);
231 len = buffer_len(&loginmsg);
232
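Review bot: At `@@ -376` of auth1.c the report is sent on the `"Access denied for user %s by PAM account configuration"` path, which reads as an account-policy refusal rather than a wrong credential, though the condition guarding it is outside the hunk. A user whose account is expired or restricted would then be counted like a password guesser and could have their address blocked, so I would drop the report here or document the choice, e.g. `/* PAM account denial is deliberately counted as a failed attempt */`. The `pfilter_notify(1)` in the auth-pam.c hunk (`@@ -809`) is likewise placed before `error("PAM: ...")` with its guarding condition out of view and deserves the same check.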