1*12017ca8SKurt Lidl--- /dev/null 2015-01-22 23:10:33.000000000 -0500
2*12017ca8SKurt Lidl+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
3*12017ca8SKurt Lidl@@ -0,0 +1,28 @@
4*12017ca8SKurt Lidl+#include "namespace.h"
5*12017ca8SKurt Lidl+#include "includes.h"
6*12017ca8SKurt Lidl+#include "ssh.h"
7*12017ca8SKurt Lidl+#include "packet.h"
8*12017ca8SKurt Lidl+#include "log.h"
9*12017ca8SKurt Lidl+#include "pfilter.h"
10*12017ca8SKurt Lidl+#include <blacklist.h>
11*12017ca8SKurt Lidl+
12*12017ca8SKurt Lidl+static struct blacklist *blstate;
13*12017ca8SKurt Lidl+
14*12017ca8SKurt Lidl+void
15*12017ca8SKurt Lidl+pfilter_init(void)
16*12017ca8SKurt Lidl+{
17*12017ca8SKurt Lidl+ blstate = blacklist_open();
18*12017ca8SKurt Lidl+}
19*12017ca8SKurt Lidl+
20*12017ca8SKurt Lidl+void
21*12017ca8SKurt Lidl+pfilter_notify(int a)
22*12017ca8SKurt Lidl+{
23*12017ca8SKurt Lidl+ int fd;
24*12017ca8SKurt Lidl+ if (blstate == NULL)
25*12017ca8SKurt Lidl+ pfilter_init();
26*12017ca8SKurt Lidl+ if (blstate == NULL)
27*12017ca8SKurt Lidl+ return;
28*12017ca8SKurt Lidl+ // XXX: 3?
29*12017ca8SKurt Lidl+ fd = packet_connection_is_on_socket() ? 
packet_get_connection_in() : 3;
30*12017ca8SKurt Lidl+ (void)blacklist_r(blstate, a, fd, "ssh");
31*12017ca8SKurt Lidl+}
32*12017ca8SKurt Lidl--- /dev/null 2015-01-20 21:14:44.000000000 -0500
33*12017ca8SKurt Lidl+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
34*12017ca8SKurt Lidl@@ -0,0 +1,3 @@
35*12017ca8SKurt Lidl+
36*12017ca8SKurt Lidl+void pfilter_notify(int);
37*12017ca8SKurt Lidl+void pfilter_init(void);
38*12017ca8SKurt LidlIndex: bin/sshd/Makefile
39*12017ca8SKurt Lidl===================================================================
40*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
41*12017ca8SKurt Lidlretrieving revision 1.10
42*12017ca8SKurt Lidldiff -u -u -r1.10 Makefile
43*12017ca8SKurt Lidl--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
44*12017ca8SKurt Lidl+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
45*12017ca8SKurt Lidl@@ -15,7 +15,7 @@
46*12017ca8SKurt Lidl auth2-none.c auth2-passwd.c auth2-pubkey.c \
47*12017ca8SKurt Lidl monitor_mm.c monitor.c monitor_wrap.c \
48*12017ca8SKurt Lidl kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
49*12017ca8SKurt Lidl- roaming_common.c roaming_serv.c sandbox-rlimit.c
50*12017ca8SKurt Lidl+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
51*12017ca8SKurt Lidl 
52*12017ca8SKurt Lidl COPTS.auth-options.c= -Wno-pointer-sign
53*12017ca8SKurt Lidl COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
54*12017ca8SKurt Lidl@@ -68,3 +68,6 @@
55*12017ca8SKurt Lidl 
56*12017ca8SKurt Lidl LDADD+= -lwrap
57*12017ca8SKurt Lidl DPADD+= ${LIBWRAP}
58*12017ca8SKurt Lidl+
59*12017ca8SKurt Lidl+LDADD+= -lblacklist
60*12017ca8SKurt Lidl+DPADD+= ${LIBBLACKLIST}
61*12017ca8SKurt LidlIndex: dist/auth.c
62*12017ca8SKurt Lidl===================================================================
63*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
64*12017ca8SKurt Lidlretrieving revision 1.10
65*12017ca8SKurt Lidldiff -u 
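Review bot: The fallback `fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;` at the end of pfilter_notify hands blacklistd an arbitrary descriptor number whenever the connection is not a socket, and the `// XXX: 3?` above it shows the author was unsure; as far as I know libblacklist forwards that descriptor to blacklistd to identify the peer, so a wrong fd means either no action or an action keyed on whatever happens to sit at fd 3. Prefer to skip the report in that case: `if (!packet_connection_is_on_socket()) return;` followed by `fd = packet_get_connection_in();`. Separately, pfilter_init() assigns blstate unconditionally, so a second call (pfilter_notify re-initialises lazily, and the later sshd.c hunk calls pfilter_init() again before chroot) would overwrite an open handle without closing it if both run in the same process; a guard `if (blstate != NULL) return;` at the top of pfilter_init makes it idempotent, or close the old handle first if re-opening after fork/re-exec is deliberate. The parameter `a` also deserves a name and a comment, e.g. `int failed /* nonzero: a failed login attempt */`.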
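Review bot: The new pfilter.h has no include guard and declares `void pfilter_notify(int);` without a parameter name or any statement of what the int means, although the call sites pass `1` for a failed attempt and `!authenticated` from auth_log; the header is where that contract belongs. Suggested: wrap the declarations in `#ifndef PFILTER_H` / `#define PFILTER_H` / `#endif` (guard name constructed) and declare `void pfilter_notify(int failed); /* nonzero: report a failed login to blacklistd, zero: report success */`.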
-u -r1.10 auth.c
66*12017ca8SKurt Lidl--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
67*12017ca8SKurt Lidl+++ dist/auth.c 22 Jan 2015 21:39:22 -0000
68*12017ca8SKurt Lidl@@ -62,6 +62,7 @@
69*12017ca8SKurt Lidl #include "monitor_wrap.h"
70*12017ca8SKurt Lidl #include "krl.h"
71*12017ca8SKurt Lidl #include "compat.h"
72*12017ca8SKurt Lidl+#include "pfilter.h"
73*12017ca8SKurt Lidl 
74*12017ca8SKurt Lidl #ifdef HAVE_LOGIN_CAP
75*12017ca8SKurt Lidl #include <login_cap.h>
76*12017ca8SKurt Lidl@@ -362,6 +363,8 @@
77*12017ca8SKurt Lidl compat20 ? "ssh2" : "ssh1",
78*12017ca8SKurt Lidl authctxt->info != NULL ? ": " : "",
79*12017ca8SKurt Lidl authctxt->info != NULL ? authctxt->info : "");
80*12017ca8SKurt Lidl+ if (!authctxt->postponed)
81*12017ca8SKurt Lidl+ pfilter_notify(!authenticated);
82*12017ca8SKurt Lidl free(authctxt->info);
83*12017ca8SKurt Lidl authctxt->info = NULL;
84*12017ca8SKurt Lidl }
85*12017ca8SKurt LidlIndex: dist/sshd.c
86*12017ca8SKurt Lidl===================================================================
87*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
88*12017ca8SKurt Lidlretrieving revision 1.15
89*12017ca8SKurt Lidldiff -u -u -r1.15 sshd.c
90*12017ca8SKurt Lidl--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
91*12017ca8SKurt Lidl+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
92*12017ca8SKurt Lidl@@ -109,6 +109,7 @@
93*12017ca8SKurt Lidl #include "roaming.h"
94*12017ca8SKurt Lidl #include "ssh-sandbox.h"
95*12017ca8SKurt Lidl #include "version.h"
96*12017ca8SKurt Lidl+#include "pfilter.h"
97*12017ca8SKurt Lidl 
98*12017ca8SKurt Lidl #ifdef LIBWRAP
99*12017ca8SKurt Lidl #include <tcpd.h>
100*12017ca8SKurt Lidl@@ -364,6 +365,7 @@
101*12017ca8SKurt Lidl killpg(0, SIGTERM);
102*12017ca8SKurt Lidl }
103*12017ca8SKurt Lidl 
104*12017ca8SKurt Lidl+ pfilter_notify(1);
105*12017ca8SKurt Lidl /* Log error and exit. 
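Review bot: The `pfilter_notify(!authenticated)` added to auth_log reports every non-postponed attempt, while the separate `pfilter_notify(1)` calls this patch adds on the invalid-user and PAM-failure paths (auth1.c and auth2.c on lines 4–5, the auth.c getpwnam path and auth-pam.c on line 6, the auth1.c PAM account check on line 7) fire earlier on the same attempts, so one bad login for an unknown user is likely reported to blacklistd twice and the effective block threshold for that case is halved; the callers are outside the hunks, so confirm whether auth_log is still reached on those paths. If it is, either drop the extra calls or have them pass a distinct action so blacklistd can count them separately. Passing bare `0`/`1` as the action is also fragile; prefer the named constants from <blacklist.h> (BLACKLIST_AUTH_OK / BLACKLIST_AUTH_FAIL, if this libblacklist version defines them). auth_log begins outside the hunk.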
*/
106*12017ca8SKurt Lidl sigdie("Timeout before authentication for %s", get_remote_ipaddr());
107*12017ca8SKurt Lidl }
108*12017ca8SKurt Lidl@@ -1160,6 +1162,7 @@
109*12017ca8SKurt Lidl for (i = 0; i < options.max_startups; i++)
110*12017ca8SKurt Lidl startup_pipes[i] = -1;
111*12017ca8SKurt Lidl 
112*12017ca8SKurt Lidl+ pfilter_init();
113*12017ca8SKurt Lidl /*
114*12017ca8SKurt Lidl * Stay listening for connections until the system crashes or
115*12017ca8SKurt Lidl * the daemon is killed with a signal.
116*12017ca8SKurt LidlIndex: auth1.c
117*12017ca8SKurt Lidl===================================================================
118*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
119*12017ca8SKurt Lidlretrieving revision 1.9
120*12017ca8SKurt Lidldiff -u -u -r1.9 auth1.c
121*12017ca8SKurt Lidl--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
122*12017ca8SKurt Lidl+++ auth1.c 14 Feb 2015 15:40:51 -0000
123*12017ca8SKurt Lidl@@ -41,6 +41,7 @@
124*12017ca8SKurt Lidl #endif
125*12017ca8SKurt Lidl #include "monitor_wrap.h"
126*12017ca8SKurt Lidl #include "buffer.h"
127*12017ca8SKurt Lidl+#include "pfilter.h"
128*12017ca8SKurt Lidl 
129*12017ca8SKurt Lidl /* import */
130*12017ca8SKurt Lidl extern ServerOptions options;
131*12017ca8SKurt Lidl@@ -445,6 +446,7 @@
132*12017ca8SKurt Lidl else {
133*12017ca8SKurt Lidl debug("do_authentication: invalid user %s", user);
134*12017ca8SKurt Lidl authctxt->pw = fakepw();
135*12017ca8SKurt Lidl+ pfilter_notify(1);
136*12017ca8SKurt Lidl }
137*12017ca8SKurt Lidl 
138*12017ca8SKurt Lidl /* Configuration may have changed as a result of Match */
139*12017ca8SKurt LidlIndex: auth2.c
140*12017ca8SKurt Lidl===================================================================
141*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
142*12017ca8SKurt Lidlretrieving revision 1.9
143*12017ca8SKurt Lidldiff -u -u -r1.9 auth2.c
144*12017ca8SKurt Lidl--- auth2.c 19 Oct 2014 16:30:58 -0000 
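Review bot: The `pfilter_notify(1)` added just before `sigdie("Timeout before authentication ...")` sits in what looks like the SIGALRM grace-timeout handler (the `killpg(0, SIGTERM)` and `sigdie` around it suggest so), and pfilter_notify may lazily call pfilter_init → blacklist_open there, which allocates and opens a socket; neither that nor the socket send in blacklist_r is async-signal-safe. The existing code already calls sigdie from this handler, so the project tolerates some of that risk, but the lazy initialisation widens it; either make sure pfilter_init has run before the alarm is armed (the `pfilter_init()` added in the listen-loop hunk below covers forked children but, if sshd re-execs itself per connection, not the re-exec'd child) or drop the lazy init so this call is a no-op when blstate is NULL. The handler begins outside the hunk.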
1.9
145*12017ca8SKurt Lidl+++ auth2.c 14 Feb 2015 15:40:51 -0000
146*12017ca8SKurt Lidl@@ -52,6 +52,7 @@
147*12017ca8SKurt Lidl #include "pathnames.h"
148*12017ca8SKurt Lidl #include "buffer.h"
149*12017ca8SKurt Lidl #include "canohost.h"
150*12017ca8SKurt Lidl+#include "pfilter.h"
151*12017ca8SKurt Lidl 
152*12017ca8SKurt Lidl #ifdef GSSAPI
153*12017ca8SKurt Lidl #include "ssh-gss.h"
154*12017ca8SKurt Lidl@@ -256,6 +257,7 @@
155*12017ca8SKurt Lidl } else {
156*12017ca8SKurt Lidl logit("input_userauth_request: invalid user %s", user);
157*12017ca8SKurt Lidl authctxt->pw = fakepw();
158*12017ca8SKurt Lidl+ pfilter_notify(1);
159*12017ca8SKurt Lidl }
160*12017ca8SKurt Lidl #ifdef USE_PAM
161*12017ca8SKurt Lidl if (options.use_pam)
162*12017ca8SKurt LidlIndex: sshd.c
163*12017ca8SKurt Lidl===================================================================
164*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
165*12017ca8SKurt Lidlretrieving revision 1.16
166*12017ca8SKurt Lidldiff -u -r1.16 sshd.c
167*12017ca8SKurt Lidl--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
168*12017ca8SKurt Lidl+++ sshd.c 14 Feb 2015 09:55:06 -0000
169*12017ca8SKurt Lidl@@ -628,6 +628,8 @@
170*12017ca8SKurt Lidl explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
171*12017ca8SKurt Lidl endpwent();
172*12017ca8SKurt Lidl 
173*12017ca8SKurt Lidl+ pfilter_init();
174*12017ca8SKurt Lidl+
175*12017ca8SKurt Lidl /* Change our root directory */
176*12017ca8SKurt Lidl if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
177*12017ca8SKurt Lidl fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
178*12017ca8SKurt Lidl 
179*12017ca8SKurt LidlIndex: auth-pam.c
180*12017ca8SKurt Lidl===================================================================
181*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
182*12017ca8SKurt Lidlretrieving revision 1.7
183*12017ca8SKurt Lidldiff -u -u -r1.7 auth-pam.c
184*12017ca8SKurt Lidl--- auth-pam.c 3 Jul 2015 
00:59:59 -0000 1.7
185*12017ca8SKurt Lidl+++ auth-pam.c 23 Jan 2016 00:01:16 -0000
186*12017ca8SKurt Lidl@@ -114,6 +114,7 @@
187*12017ca8SKurt Lidl #include "ssh-gss.h"
188*12017ca8SKurt Lidl #endif
189*12017ca8SKurt Lidl #include "monitor_wrap.h"
190*12017ca8SKurt Lidl+#include "pfilter.h"
191*12017ca8SKurt Lidl 
192*12017ca8SKurt Lidl extern ServerOptions options;
193*12017ca8SKurt Lidl extern Buffer loginmsg;
194*12017ca8SKurt Lidl@@ -809,6 +810,7 @@
195*12017ca8SKurt Lidl free(msg);
196*12017ca8SKurt Lidl return (0);
197*12017ca8SKurt Lidl }
198*12017ca8SKurt Lidl+ pfilter_notify(1);
199*12017ca8SKurt Lidl error("PAM: %s for %s%.100s from %.100s", msg,
200*12017ca8SKurt Lidl sshpam_authctxt->valid ? "" : "illegal user ",
201*12017ca8SKurt Lidl sshpam_authctxt->user,
202*12017ca8SKurt LidlIndex: auth.c
203*12017ca8SKurt Lidl===================================================================
204*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
205*12017ca8SKurt Lidlretrieving revision 1.15
206*12017ca8SKurt Lidldiff -u -u -r1.15 auth.c
207*12017ca8SKurt Lidl--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
208*12017ca8SKurt Lidl+++ auth.c 23 Jan 2016 00:01:16 -0000
209*12017ca8SKurt Lidl@@ -656,6 +656,7 @@
210*12017ca8SKurt Lidl 
211*12017ca8SKurt Lidl pw = getpwnam(user);
212*12017ca8SKurt Lidl if (pw == NULL) {
213*12017ca8SKurt Lidl+ pfilter_notify(1);
214*12017ca8SKurt Lidl logit("Invalid user %.100s from %.100s",
215*12017ca8SKurt Lidl user, get_remote_ipaddr());
216*12017ca8SKurt Lidl return (NULL);
217*12017ca8SKurt LidlIndex: auth1.c
218*12017ca8SKurt Lidl===================================================================
219*12017ca8SKurt LidlRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
220*12017ca8SKurt Lidlretrieving revision 1.12
221*12017ca8SKurt Lidldiff -u -u -r1.12 auth1.c
222*12017ca8SKurt Lidl--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
223*12017ca8SKurt Lidl+++ auth1.c 23 Jan 2016 00:01:16 -0000 
224*12017ca8SKurt Lidl@@ -376,6 +376,7 @@
225*12017ca8SKurt Lidl char *msg;
226*12017ca8SKurt Lidl size_t len;
227*12017ca8SKurt Lidl 
228*12017ca8SKurt Lidl+ pfilter_notify(1);
229*12017ca8SKurt Lidl error("Access denied for user %s by PAM account "
230*12017ca8SKurt Lidl "configuration", authctxt->user);
231*12017ca8SKurt Lidl len = buffer_len(&loginmsg);
232