Sat Jan 23 00:05:38 2016 UTC ()
add more points.


(christos)
diff -r1.7 -r1.8 src/external/bsd/blacklist/diff/ssh.diff

cvs diff -r1.7 -r1.8 src/external/bsd/blacklist/diff/Attic/ssh.diff

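--- a/src/external/bsd/blacklist/diff/Attic/ssh.diff
+++ b/src/external/bsd/blacklist/diff/Attic/ssh.diff
@@ -1,177 +1,231 @@
 --- /dev/null 2015-01-22 23:10:33.000000000 -0500
 +++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
 +#include "namespace.h"
++#include "includes.h"
 +#include "ssh.h"
 +#include "packet.h"
 +#include "log.h"
 +#include "pfilter.h"
 +#include <blacklist.h>
 +
 +static struct blacklist *blstate;
 +
 +void
 +pfilter_init(void)
 +{
 + blstate = blacklist_open();
 +}
 +
 +void
 +pfilter_notify(int a)
 +{
 + int fd;
 + if (blstate == NULL)
 + pfilter_init();
 + if (blstate == NULL)
 + return;
 + // XXX: 3?
 + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
 + (void)blacklist_r(blstate, a, fd, "ssh");
 +}
 --- /dev/null 2015-01-20 21:14:44.000000000 -0500
 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
 @@ -0,0 +1,3 @@
 +
 +void pfilter_notify(int);
 +void pfilter_init(void);
 Index: bin/sshd/Makefile
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
 retrieving revision 1.10
 diff -u -u -r1.10 Makefile
 --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
 +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
 @@ -15,7 +15,7 @@
  auth2-none.c auth2-passwd.c auth2-pubkey.c \
  monitor_mm.c monitor.c monitor_wrap.c \
  kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
 - roaming_common.c roaming_serv.c sandbox-rlimit.c
 + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
  
  COPTS.auth-options.c= -Wno-pointer-sign
  COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
 @@ -68,3 +68,6 @@
  
  LDADD+= -lwrap
  DPADD+= ${LIBWRAP}
 +
 +LDADD+= -lblacklist
 +DPADD+= ${LIBBLACKLIST}
 Index: dist/auth.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
 retrieving revision 1.10
 diff -u -u -r1.10 auth.c
 --- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
 +++ dist/auth.c 22 Jan 2015 21:39:22 -0000
 @@ -62,6 +62,7 @@
  #include "monitor_wrap.h"
  #include "krl.h"
  #include "compat.h"
 +#include "pfilter.h"
  
  #ifdef HAVE_LOGIN_CAP
  #include <login_cap.h>
 @@ -362,6 +363,8 @@
  compat20 ? "ssh2" : "ssh1",
  authctxt->info != NULL ? ": " : "",
  authctxt->info != NULL ? authctxt->info : "");
 + if (!authctxt->postponed)
 + pfilter_notify(!authenticated);
  free(authctxt->info);
  authctxt->info = NULL;
  }
 Index: dist/sshd.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
 retrieving revision 1.15
 diff -u -u -r1.15 sshd.c
 --- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
 +++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
 @@ -109,6 +109,7 @@
  #include "roaming.h"
  #include "ssh-sandbox.h"
  #include "version.h"
 +#include "pfilter.h"
  
  #ifdef LIBWRAP
  #include <tcpd.h>
 @@ -364,6 +365,7 @@
  killpg(0, SIGTERM);
  }
  
 + pfilter_notify(1);
  /* Log error and exit. */
  sigdie("Timeout before authentication for %s", get_remote_ipaddr());
  }
 @@ -1160,6 +1162,7 @@
  for (i = 0; i < options.max_startups; i++)
  startup_pipes[i] = -1;
  
 + pfilter_init();
  /*
  * Stay listening for connections until the system crashes or
  * the daemon is killed with a signal.
 Index: auth1.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
 retrieving revision 1.9
 diff -u -u -r1.9 auth1.c
 --- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
 +++ auth1.c 14 Feb 2015 15:40:51 -0000
 @@ -41,6 +41,7 @@
  #endif
  #include "monitor_wrap.h"
  #include "buffer.h"
 +#include "pfilter.h"
  
  /* import */
  extern ServerOptions options;
 @@ -445,6 +446,7 @@
  else {
  debug("do_authentication: invalid user %s", user);
  authctxt->pw = fakepw();
 + pfilter_notify(1);
  }
  
  /* Configuration may have changed as a result of Match */
 Index: auth2.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
 retrieving revision 1.9
 diff -u -u -r1.9 auth2.c
 --- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
 +++ auth2.c 14 Feb 2015 15:40:51 -0000
 @@ -52,6 +52,7 @@
  #include "pathnames.h"
  #include "buffer.h"
  #include "canohost.h"
 +#include "pfilter.h"
  
  #ifdef GSSAPI
  #include "ssh-gss.h"
 @@ -256,6 +257,7 @@
  } else {
  logit("input_userauth_request: invalid user %s", user);
  authctxt->pw = fakepw();
 + pfilter_notify(1);
  }
  #ifdef USE_PAM
  if (options.use_pam)
 Index: sshd.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
 retrieving revision 1.16
 diff -u -r1.16 sshd.c
 --- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
 +++ sshd.c 14 Feb 2015 09:55:06 -0000
 @@ -628,6 +628,8 @@
  explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
  endpwent();
  
 + pfilter_init();
 +
  /* Change our root directory */
  if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
  fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
 
+Index: auth-pam.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
+retrieving revision 1.7
+diff -u -u -r1.7 auth-pam.c
+--- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7
++++ auth-pam.c 23 Jan 2016 00:01:16 -0000
+@@ -114,6 +114,7 @@
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
++#include "pfilter.h"
+
+ extern ServerOptions options;
+ extern Buffer loginmsg;
+@@ -809,6 +810,7 @@
+ free(msg);
+ return (0);
+ }
++ pfilter_notify(1);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+Index: auth.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
+retrieving revision 1.15
+diff -u -u -r1.15 auth.c
+--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
++++ auth.c 23 Jan 2016 00:01:16 -0000
+@@ -656,6 +656,7 @@
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
++ pfilter_notify(1);
+ logit("Invalid user %.100s from %.100s",
+ user, get_remote_ipaddr());
+ return (NULL);
+Index: auth1.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
+retrieving revision 1.12
+diff -u -u -r1.12 auth1.c
+--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
++++ auth1.c 23 Jan 2016 00:01:16 -0000
+@@ -376,6 +376,7 @@
+ char *msg;
+ size_t len;
+
++ pfilter_notify(1);
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);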
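Review bot: The `pfilter_notify(1)` calls added in the new auth.c hunk (`@@ -656,6 +656,7 @@`, the `pw == NULL` branch after `getpwnam(user)`) and in the auth-pam.c and auth1.c PAM hunks may report the same failed attempt that the patch already reports elsewhere. The older auth1.c/auth2.c hunks already notify in their invalid-user branches, and the older dist/auth.c hunk calls `pfilter_notify(!authenticated)` whenever the attempt is not postponed. The enclosing functions lie outside every hunk, so the call order needs confirming, but if these paths run in sequence one bad login is counted two or three times and an address reaches the configured failure threshold sooner than the operator expects. Either keep one report per attempt, or state the intent at each added call with a comment such as `/* extra report on purpose: invalid user weighs more than a bad password */`. The older hunks are diffs against r1.9/r1.10 while the new ones are against r1.12/r1.15, so it is also worth checking that the file still applies as a whole.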