MFC r354399: blacklist: update to NetBSD snapshot on 20191106
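--- /dev/null   2015-01-22 23:10:33.000000000 -0500
+++ dist/pfilter.c      2015-01-22 23:46:03.000000000 -0500
@@ -0,0 +1,32 @@
+#include "namespace.h"
+#include "includes.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+pfilter_init(void)
+{
+       blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+       int fd;
+       if (blstate == NULL)
+               pfilter_init();
+       if (blstate == NULL)
+               return;
+       // XXX: 3?
+       fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+       (void)blacklist_r(blstate, a, fd, "ssh");
+       if (a == 0) {
+               blacklist_close(blstate);
+               blstate = NULL;
+       }
+}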
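Review bot: The fallback descriptor 3 on the `// XXX: 3?` line is an unexplained guess about sshd's inherited fd layout, and the sshd.c hunk further down this page defines `REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)`, which suggests descriptor 3 is already claimed for another purpose in re-exec mode; since libblacklist derives the peer address from that descriptor and the `blacklist_r` return is discarded, a wrong guess is never noticed. Replace the XXX with the actual reasoning, e.g. `/* connection not on a socket: fd 3 is assumed to be the inherited connection fd -- verify against sshd's re-exec layout (REEXEC_*_FD) */`, or return early instead of guessing. Separately, `pfilter_notify` lazily calls `pfilter_init` when `blstate` is NULL, and the sshd.c hunk adds a `pfilter_notify(1)` inside `grace_alarm_handler`, a signal handler, so `blacklist_open` (socket creation and allocation) could presumably run in signal context where it is not async-signal-safe; consider `if (blstate == NULL) return;` here with a comment that `pfilter_init()` must run from `main` before any handler is installed.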
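--- /dev/null   2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.h      2015-01-20 20:16:20.000000000 -0500
@@ -0,0 +1,3 @@
+
+void pfilter_notify(int);
+void pfilter_init(void);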
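Review bot: The new header has no include guard and gives no meaning to the `int` argument of `pfilter_notify`; pfilter.c only distinguishes `a == 0` (close the state after reporting) from non-zero, and every caller on this page passes 1 after an authentication failure. Suggest naming and documenting the parameter, `void pfilter_notify(int failed); /* non-zero: report an auth failure to blacklistd; 0: presumably report success and release the state */`, and wrapping the declarations in `#ifndef PFILTER_H` / `#define PFILTER_H` / `#endif`.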
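Index: bin/sshd/Makefile
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
retrieving revision 1.10
diff -u -u -r1.10 Makefile
--- bin/sshd/Makefile   19 Oct 2014 16:30:58 -0000      1.10
+++ bin/sshd/Makefile   22 Jan 2015 21:39:21 -0000
@@ -15,7 +15,7 @@
        auth2-none.c auth2-passwd.c auth2-pubkey.c \
        monitor_mm.c monitor.c monitor_wrap.c \
        kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
-       roaming_common.c roaming_serv.c sandbox-rlimit.c
+       roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
 
 COPTS.auth-options.c=  -Wno-pointer-sign
 COPTS.ldapauth.c=      -Wno-format-nonliteral  # XXX: should fix
@@ -68,3 +68,6 @@
 
 LDADD+=        -lwrap
 DPADD+=        ${LIBWRAP}
+
+LDADD+=        -lblacklist
+DPADD+=        ${LIBBLACKLIST}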
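diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
--- openssh-7.7p1/auth-pam.c    2018-04-02 01:38:28.000000000 -0400
+++ dist/auth-pam.c     2018-05-23 11:56:22.206661484 -0400
@@ -103,6 +103,7 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "pfilter.h"
 
 extern ServerOptions options;
 extern Buffer loginmsg;
@@ -526,6 +527,7 @@
                ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
        else
                ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+       pfilter_notify(1);
        buffer_free(&buffer);
        pthread_exit(NULL);
 
@@ -804,6 +806,7 @@
                                free(msg);
                                return (0);
                        }
+                       pfilter_notify(1);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user,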
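Review bot: The `pfilter_notify(1)` placed before `buffer_free` in the second hunk runs in the PAM conversation thread (it is immediately followed by `pthread_exit`), while the one in the third hunk runs on the side that consumes the PAM_AUTH_ERR/PAM_MAXTRIES message, so a single failed PAM authentication is presumably reported to blacklistd twice. `pfilter_notify` also reads and may lazily initialise the file-scope `blstate` without any synchronisation, so the call from the thread races with any use from the main line of sshd on builds where the PAM helper is a real thread rather than a forked child. Keep only the call at the receiving side, or add a comment above the thread-side call stating why both are required and that `blstate` must already be open at that point. Both enclosing functions start and end outside their hunks.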
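diff -ru openssh-7.7p1/auth2.c dist/auth2.c
--- openssh-7.7p1/auth2.c       2018-04-02 01:38:28.000000000 -0400
+++ dist/auth2.c        2018-05-23 11:57:31.022197317 -0400
@@ -51,6 +51,7 @@
 #include "dispatch.h"
 #include "pathnames.h"
 #include "buffer.h"
+#include "pfilter.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -242,6 +243,7 @@
                } else {
                        /* Invalid user, fake password information */
                        authctxt->pw = fakepw();
+                       pfilter_notify(1);
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif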
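Review bot: The `pfilter_notify(1)` added after `fakepw()` executes in the pre-authentication child, and the Makefile hunk on this page shows that child is built with `sandbox-rlimit.c`; the call therefore depends on `blstate` having been inherited from the `pfilter_init()` that the sshd.c hunk adds to `main`, because the lazy `pfilter_init()` fallback inside `pfilter_notify` would presumably fail to open a new socket under the descriptor limit and the invalid-user event would then be dropped silently. A one-line comment here, `/* relies on pfilter_init() having run in the parent before the sandbox; pfilter_notify() is a no-op otherwise */`, makes that ordering dependency explicit for the next person who moves the init call. The enclosing function starts and ends outside the hunk.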
111 Only in dist: pfilter.c
112 Only in dist: pfilter.h
113 diff -ru openssh-7.7p1/sshd.c dist/sshd.c
114 --- openssh-7.7p1/sshd.c        2018-04-02 01:38:28.000000000 -0400
115 +++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400
116 @@ -122,6 +122,7 @@
117  #include "auth-options.h"
118  #include "version.h"
119  #include "ssherr.h"
120 +#include "pfilter.h"
121  
122  /* Re-exec fds */
123  #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
124 @@ -346,6 +347,7 @@
125  static void
126  grace_alarm_handler(int sig)
127  {
128 +       pfilter_notify(1);
129         if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
130                 kill(pmonitor->m_pid, SIGALRM);
131  
132 @@ -1835,6 +1837,8 @@
133         if (test_flag)
134                 exit(0);
135  
136 +       pfilter_init();
137 +
138         /*
139          * Clear out any supplemental groups we may have inherited.  This
140          * prevents inadvertent creation of files with bad modes (in the
141 @@ -2280,6 +2284,9 @@
142  {
143         struct ssh *ssh = active_state; /* XXX */
144  
145 +       if (i == 255)
146 +               pfilter_notify(1);
147 +
148         if (the_authctxt) {
149                 do_cleanup(ssh, the_authctxt);
150                 if (use_privsep && privsep_is_preauth &&