| @@ -1,177 +1,231 @@ | | | @@ -1,177 +1,231 @@ |
1 | --- /dev/null 2015-01-22 23:10:33.000000000 -0500 | | 1 | --- /dev/null 2015-01-22 23:10:33.000000000 -0500 |
2 | +++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500 | | 2 | +++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500 |
3 | @@ -0,0 +1,27 @@ | | 3 | @@ -0,0 +1,28 @@ |
4 | +#include "namespace.h" | | 4 | +#include "namespace.h" |
| | | 5 | +#include "includes.h" |
5 | +#include "ssh.h" | | 6 | +#include "ssh.h" |
6 | +#include "packet.h" | | 7 | +#include "packet.h" |
7 | +#include "log.h" | | 8 | +#include "log.h" |
8 | +#include "pfilter.h" | | 9 | +#include "pfilter.h" |
9 | +#include <blacklist.h> | | 10 | +#include <blacklist.h> |
10 | + | | 11 | + |
11 | +static struct blacklist *blstate; | | 12 | +static struct blacklist *blstate; |
12 | + | | 13 | + |
13 | +void | | 14 | +void |
14 | +pfilter_init(void) | | 15 | +pfilter_init(void) |
15 | +{ | | 16 | +{ |
16 | + blstate = blacklist_open(); | | 17 | + blstate = blacklist_open(); |
17 | +} | | 18 | +} |
18 | + | | 19 | + |
19 | +void | | 20 | +void |
20 | +pfilter_notify(int a) | | 21 | +pfilter_notify(int a) |
21 | +{ | | 22 | +{ |
22 | + int fd; | | 23 | + int fd; |
23 | + if (blstate == NULL) | | 24 | + if (blstate == NULL) |
24 | + pfilter_init(); | | 25 | + pfilter_init(); |
25 | + if (blstate == NULL) | | 26 | + if (blstate == NULL) |
26 | + return; | | 27 | + return; |
27 | + // XXX: 3? | | 28 | + // XXX: 3? |
28 | + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; | | 29 | + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; |
29 | + (void)blacklist_r(blstate, a, fd, "ssh"); | | 30 | + (void)blacklist_r(blstate, a, fd, "ssh"); |
30 | +} | | 31 | +} |
31 | --- /dev/null 2015-01-20 21:14:44.000000000 -0500 | | 32 | --- /dev/null 2015-01-20 21:14:44.000000000 -0500 |
32 | +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 | | 33 | +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 |
33 | @@ -0,0 +1,3 @@ | | 34 | @@ -0,0 +1,3 @@ |
34 | + | | 35 | + |
35 | +void pfilter_notify(int); | | 36 | +void pfilter_notify(int); |
36 | +void pfilter_init(void); | | 37 | +void pfilter_init(void); |
37 | Index: bin/sshd/Makefile | | 38 | Index: bin/sshd/Makefile |
38 | =================================================================== | | 39 | =================================================================== |
39 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v | | 40 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v |
40 | retrieving revision 1.10 | | 41 | retrieving revision 1.10 |
41 | diff -u -u -r1.10 Makefile | | 42 | diff -u -u -r1.10 Makefile |
42 | --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 | | 43 | --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 |
43 | +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 | | 44 | +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 |
44 | @@ -15,7 +15,7 @@ | | 45 | @@ -15,7 +15,7 @@ |
45 | auth2-none.c auth2-passwd.c auth2-pubkey.c \ | | 46 | auth2-none.c auth2-passwd.c auth2-pubkey.c \ |
46 | monitor_mm.c monitor.c monitor_wrap.c \ | | 47 | monitor_mm.c monitor.c monitor_wrap.c \ |
47 | kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ | | 48 | kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ |
48 | - roaming_common.c roaming_serv.c sandbox-rlimit.c | | 49 | - roaming_common.c roaming_serv.c sandbox-rlimit.c |
49 | + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c | | 50 | + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c |
50 | | | 51 | |
51 | COPTS.auth-options.c= -Wno-pointer-sign | | 52 | COPTS.auth-options.c= -Wno-pointer-sign |
52 | COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix | | 53 | COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix |
53 | @@ -68,3 +68,6 @@ | | 54 | @@ -68,3 +68,6 @@ |
54 | | | 55 | |
55 | LDADD+= -lwrap | | 56 | LDADD+= -lwrap |
56 | DPADD+= ${LIBWRAP} | | 57 | DPADD+= ${LIBWRAP} |
57 | + | | 58 | + |
58 | +LDADD+= -lblacklist | | 59 | +LDADD+= -lblacklist |
59 | +DPADD+= ${LIBBLACKLIST} | | 60 | +DPADD+= ${LIBBLACKLIST} |
60 | Index: dist/auth.c | | 61 | Index: dist/auth.c |
61 | =================================================================== | | 62 | =================================================================== |
62 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v | | 63 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v |
63 | retrieving revision 1.10 | | 64 | retrieving revision 1.10 |
64 | diff -u -u -r1.10 auth.c | | 65 | diff -u -u -r1.10 auth.c |
65 | --- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 | | 66 | --- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 |
66 | +++ dist/auth.c 22 Jan 2015 21:39:22 -0000 | | 67 | +++ dist/auth.c 22 Jan 2015 21:39:22 -0000 |
67 | @@ -62,6 +62,7 @@ | | 68 | @@ -62,6 +62,7 @@ |
68 | #include "monitor_wrap.h" | | 69 | #include "monitor_wrap.h" |
69 | #include "krl.h" | | 70 | #include "krl.h" |
70 | #include "compat.h" | | 71 | #include "compat.h" |
71 | +#include "pfilter.h" | | 72 | +#include "pfilter.h" |
72 | | | 73 | |
73 | #ifdef HAVE_LOGIN_CAP | | 74 | #ifdef HAVE_LOGIN_CAP |
74 | #include <login_cap.h> | | 75 | #include <login_cap.h> |
75 | @@ -362,6 +363,8 @@ | | 76 | @@ -362,6 +363,8 @@ |
76 | compat20 ? "ssh2" : "ssh1", | | 77 | compat20 ? "ssh2" : "ssh1", |
77 | authctxt->info != NULL ? ": " : "", | | 78 | authctxt->info != NULL ? ": " : "", |
78 | authctxt->info != NULL ? authctxt->info : ""); | | 79 | authctxt->info != NULL ? authctxt->info : ""); |
79 | + if (!authctxt->postponed) | | 80 | + if (!authctxt->postponed) |
80 | + pfilter_notify(!authenticated); | | 81 | + pfilter_notify(!authenticated); |
81 | free(authctxt->info); | | 82 | free(authctxt->info); |
82 | authctxt->info = NULL; | | 83 | authctxt->info = NULL; |
83 | } | | 84 | } |
84 | Index: dist/sshd.c | | 85 | Index: dist/sshd.c |
85 | =================================================================== | | 86 | =================================================================== |
86 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v | | 87 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v |
87 | retrieving revision 1.15 | | 88 | retrieving revision 1.15 |
88 | diff -u -u -r1.15 sshd.c | | 89 | diff -u -u -r1.15 sshd.c |
89 | --- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 | | 90 | --- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 |
90 | +++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 | | 91 | +++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 |
91 | @@ -109,6 +109,7 @@ | | 92 | @@ -109,6 +109,7 @@ |
92 | #include "roaming.h" | | 93 | #include "roaming.h" |
93 | #include "ssh-sandbox.h" | | 94 | #include "ssh-sandbox.h" |
94 | #include "version.h" | | 95 | #include "version.h" |
95 | +#include "pfilter.h" | | 96 | +#include "pfilter.h" |
96 | | | 97 | |
97 | #ifdef LIBWRAP | | 98 | #ifdef LIBWRAP |
98 | #include <tcpd.h> | | 99 | #include <tcpd.h> |
99 | @@ -364,6 +365,7 @@ | | 100 | @@ -364,6 +365,7 @@ |
100 | killpg(0, SIGTERM); | | 101 | killpg(0, SIGTERM); |
101 | } | | 102 | } |
102 | | | 103 | |
103 | + pfilter_notify(1); | | 104 | + pfilter_notify(1); |
104 | /* Log error and exit. */ | | 105 | /* Log error and exit. */ |
105 | sigdie("Timeout before authentication for %s", get_remote_ipaddr()); | | 106 | sigdie("Timeout before authentication for %s", get_remote_ipaddr()); |
106 | } | | 107 | } |
107 | @@ -1160,6 +1162,7 @@ | | 108 | @@ -1160,6 +1162,7 @@ |
108 | for (i = 0; i < options.max_startups; i++) | | 109 | for (i = 0; i < options.max_startups; i++) |
109 | startup_pipes[i] = -1; | | 110 | startup_pipes[i] = -1; |
110 | | | 111 | |
111 | + pfilter_init(); | | 112 | + pfilter_init(); |
112 | /* | | 113 | /* |
113 | * Stay listening for connections until the system crashes or | | 114 | * Stay listening for connections until the system crashes or |
114 | * the daemon is killed with a signal. | | 115 | * the daemon is killed with a signal. |
115 | Index: auth1.c | | 116 | Index: auth1.c |
116 | =================================================================== | | 117 | =================================================================== |
117 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v | | 118 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v |
118 | retrieving revision 1.9 | | 119 | retrieving revision 1.9 |
119 | diff -u -u -r1.9 auth1.c | | 120 | diff -u -u -r1.9 auth1.c |
120 | --- auth1.c 19 Oct 2014 16:30:58 -0000 1.9 | | 121 | --- auth1.c 19 Oct 2014 16:30:58 -0000 1.9 |
121 | +++ auth1.c 14 Feb 2015 15:40:51 -0000 | | 122 | +++ auth1.c 14 Feb 2015 15:40:51 -0000 |
122 | @@ -41,6 +41,7 @@ | | 123 | @@ -41,6 +41,7 @@ |
123 | #endif | | 124 | #endif |
124 | #include "monitor_wrap.h" | | 125 | #include "monitor_wrap.h" |
125 | #include "buffer.h" | | 126 | #include "buffer.h" |
126 | +#include "pfilter.h" | | 127 | +#include "pfilter.h" |
127 | | | 128 | |
128 | /* import */ | | 129 | /* import */ |
129 | extern ServerOptions options; | | 130 | extern ServerOptions options; |
130 | @@ -445,6 +446,7 @@ | | 131 | @@ -445,6 +446,7 @@ |
131 | else { | | 132 | else { |
132 | debug("do_authentication: invalid user %s", user); | | 133 | debug("do_authentication: invalid user %s", user); |
133 | authctxt->pw = fakepw(); | | 134 | authctxt->pw = fakepw(); |
134 | + pfilter_notify(1); | | 135 | + pfilter_notify(1); |
135 | } | | 136 | } |
136 | | | 137 | |
137 | /* Configuration may have changed as a result of Match */ | | 138 | /* Configuration may have changed as a result of Match */ |
138 | Index: auth2.c | | 139 | Index: auth2.c |
139 | =================================================================== | | 140 | =================================================================== |
140 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v | | 141 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v |
141 | retrieving revision 1.9 | | 142 | retrieving revision 1.9 |
142 | diff -u -u -r1.9 auth2.c | | 143 | diff -u -u -r1.9 auth2.c |
143 | --- auth2.c 19 Oct 2014 16:30:58 -0000 1.9 | | 144 | --- auth2.c 19 Oct 2014 16:30:58 -0000 1.9 |
144 | +++ auth2.c 14 Feb 2015 15:40:51 -0000 | | 145 | +++ auth2.c 14 Feb 2015 15:40:51 -0000 |
145 | @@ -52,6 +52,7 @@ | | 146 | @@ -52,6 +52,7 @@ |
146 | #include "pathnames.h" | | 147 | #include "pathnames.h" |
147 | #include "buffer.h" | | 148 | #include "buffer.h" |
148 | #include "canohost.h" | | 149 | #include "canohost.h" |
149 | +#include "pfilter.h" | | 150 | +#include "pfilter.h" |
150 | | | 151 | |
151 | #ifdef GSSAPI | | 152 | #ifdef GSSAPI |
152 | #include "ssh-gss.h" | | 153 | #include "ssh-gss.h" |
153 | @@ -256,6 +257,7 @@ | | 154 | @@ -256,6 +257,7 @@ |
154 | } else { | | 155 | } else { |
155 | logit("input_userauth_request: invalid user %s", user); | | 156 | logit("input_userauth_request: invalid user %s", user); |
156 | authctxt->pw = fakepw(); | | 157 | authctxt->pw = fakepw(); |
157 | + pfilter_notify(1); | | 158 | + pfilter_notify(1); |
158 | } | | 159 | } |
159 | #ifdef USE_PAM | | 160 | #ifdef USE_PAM |
160 | if (options.use_pam) | | 161 | if (options.use_pam) |
161 | Index: sshd.c | | 162 | Index: sshd.c |
162 | =================================================================== | | 163 | =================================================================== |
163 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v | | 164 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v |
164 | retrieving revision 1.16 | | 165 | retrieving revision 1.16 |
165 | diff -u -r1.16 sshd.c | | 166 | diff -u -r1.16 sshd.c |
166 | --- sshd.c 25 Jan 2015 15:52:44 -0000 1.16 | | 167 | --- sshd.c 25 Jan 2015 15:52:44 -0000 1.16 |
167 | +++ sshd.c 14 Feb 2015 09:55:06 -0000 | | 168 | +++ sshd.c 14 Feb 2015 09:55:06 -0000 |
168 | @@ -628,6 +628,8 @@ | | 169 | @@ -628,6 +628,8 @@ |
169 | explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd)); | | 170 | explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd)); |
170 | endpwent(); | | 171 | endpwent(); |
171 | | | 172 | |
172 | + pfilter_init(); | | 173 | + pfilter_init(); |
173 | + | | 174 | + |
174 | /* Change our root directory */ | | 175 | /* Change our root directory */ |
175 | if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) | | 176 | if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) |
176 | fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, | | 177 | fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, |
177 | | | 178 | |
| | | 179 | Index: auth-pam.c |
| | | 180 | =================================================================== |
| | | 181 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v |
| | | 182 | retrieving revision 1.7 |
| | | 183 | diff -u -u -r1.7 auth-pam.c |
| | | 184 | --- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7 |
| | | 185 | +++ auth-pam.c 23 Jan 2016 00:01:16 -0000 |
| | | 186 | @@ -114,6 +114,7 @@ |
| | | 187 | #include "ssh-gss.h" |
| | | 188 | #endif |
| | | 189 | #include "monitor_wrap.h" |
| | | 190 | +#include "pfilter.h" |
| | | 191 | |
| | | 192 | extern ServerOptions options; |
| | | 193 | extern Buffer loginmsg; |
| | | 194 | @@ -809,6 +810,7 @@ |
| | | 195 | free(msg); |
| | | 196 | return (0); |
| | | 197 | } |
| | | 198 | + pfilter_notify(1); |
| | | 199 | error("PAM: %s for %s%.100s from %.100s", msg, |
| | | 200 | sshpam_authctxt->valid ? "" : "illegal user ", |
| | | 201 | sshpam_authctxt->user, |
| | | 202 | Index: auth.c |
| | | 203 | =================================================================== |
| | | 204 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v |
| | | 205 | retrieving revision 1.15 |
| | | 206 | diff -u -u -r1.15 auth.c |
| | | 207 | --- auth.c 21 Aug 2015 08:20:59 -0000 1.15 |
| | | 208 | +++ auth.c 23 Jan 2016 00:01:16 -0000 |
| | | 209 | @@ -656,6 +656,7 @@ |
| | | 210 | |
| | | 211 | pw = getpwnam(user); |
| | | 212 | if (pw == NULL) { |
| | | 213 | + pfilter_notify(1); |
| | | 214 | logit("Invalid user %.100s from %.100s", |
| | | 215 | user, get_remote_ipaddr()); |
| | | 216 | return (NULL); |
| | | 217 | Index: auth1.c |
| | | 218 | =================================================================== |
| | | 219 | RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v |
| | | 220 | retrieving revision 1.12 |
| | | 221 | diff -u -u -r1.12 auth1.c |
| | | 222 | --- auth1.c 3 Jul 2015 00:59:59 -0000 1.12 |
| | | 223 | +++ auth1.c 23 Jan 2016 00:01:16 -0000 |
| | | 224 | @@ -376,6 +376,7 @@ |
| | | 225 | char *msg; |
| | | 226 | size_t len; |
| | | 227 | |
| | | 228 | + pfilter_notify(1); |
| | | 229 | error("Access denied for user %s by PAM account " |
| | | 230 | "configuration", authctxt->user); |
| | | 231 | len = buffer_len(&loginmsg); |
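Review bot: The `pfilter_notify(1);` added in the auth.c hunk right after `getpwnam(user)` returns `NULL` looks like it reports the same invalid-user event a second time, because the callers already call `pfilter_notify(1)` in the `authctxt->pw = fakepw();` branch that this `NULL` return leads to (visible as context in the auth1.c and auth2.c hunks earlier in the patch), and the subsequent `auth_log()` with `authenticated == 0` presumably notifies a third time through the existing `pfilter_notify(!authenticated)`. If the enclosing function is `getpwnamallow()` — its start and end are outside the hunk — a single connection with an unknown user would then advance the blacklistd failure count by two or three, so the daemon's configured threshold no longer corresponds to a number of attempts. I would keep one reporting point per failed attempt: either drop this new `pfilter_notify(1);` or drop the ones following `authctxt->pw = fakepw();`, and mark the surviving site with `/* one blacklistd notification per failed attempt; auth_log() reports later failures */`. The same question applies to the auth-pam.c hunk, where the PAM failure path now notifies and the failed attempt is, as far as I can tell, reported again when `auth_log()` runs.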