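--- a/blacklist.c
+++ b/blacklist.c
@@ -0,0 +1,92 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+	LogLevel imlevel;
+
+	switch (priority) {
+	case LOG_ERR:
+		imlevel = SYSLOG_LEVEL_ERROR;
+		break;
+	case LOG_DEBUG:
+		imlevel = SYSLOG_LEVEL_DEBUG1;
+		break;
+	case LOG_INFO:
+		imlevel = SYSLOG_LEVEL_INFO;
+		break;
+	default:
+		imlevel = SYSLOG_LEVEL_DEBUG2;
+	}
+	do_log2(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+	blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action, struct ssh *ssh, const char *msg)
+{
+
+	if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+		(void)blacklist_r(blstate, action,
+		ssh_packet_get_connection_in(ssh), msg);
+}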
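Review bot: `blacklist_init()` stores the result of `bl_create()` without checking it, and the `blstate != NULL` guard in `blacklist_notify()` suggests NULL is a possible result, so with `UseBlacklist yes` a failed setup silently turns every notification into a no-op. Report it where it happens, e.g. `if ((blstate = bl_create(false, NULL, im_log)) == NULL) error("bl_create failed; blacklistd notifications are disabled");`. In `im_log`, every priority other than `LOG_ERR`, `LOG_INFO` and `LOG_DEBUG` falls to `SYSLOG_LEVEL_DEBUG2`, which would hide library messages sent at `LOG_WARNING` or `LOG_CRIT` under a default log level; mapping those explicitly is safer. `im_log` is only used as a callback in this file and can be `static`.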
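--- a/blacklist_client.h
+++ b/blacklist_client.h
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+#ifndef BLACKLIST_API_ENUM
+enum {
+	BLACKLIST_AUTH_OK = 0,
+	BLACKLIST_AUTH_FAIL,
+	BLACKLIST_ABUSIVE_BEHAVIOR,
+	BLACKLIST_BAD_USER
+};
+#endif
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int, struct ssh *, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, ssh, msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */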
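Review bot: In the `#else` branch both macros expand to nothing, so `if (options.use_blacklist) BLACKLIST_INIT();` in sshd-session.c becomes an `if` with an empty body in builds without `USE_BLACKLIST`. Expanding to an expression keeps every call site a well-formed statement: `#define BLACKLIST_INIT() ((void)0)` and `#define BLACKLIST_NOTIFY(x, ssh, msg) ((void)0)`. The `blacklist_notify` prototype also names `struct ssh *` without a forward declaration, so the header only works when included after a header that declares that struct; a `struct ssh;` line above the prototypes removes the ordering dependency.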
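--- a/servconf.c
+++ b/servconf.c
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_sessions = -1;
 	options->banner = NULL;
 	options->use_dns = -1;
+	options->use_blacklist = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->num_authkeys_files = 0;
@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
 		options->max_sessions = DEFAULT_SESSIONS_MAX;
 	if (options->use_dns == -1)
 		options->use_dns = 0;
+	if (options->use_blacklist == -1)
+		options->use_blacklist = 0;
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
@@ -506,6 +509,7 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
+	sUseBlacklist,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -642,6 +646,8 @@ static struct {
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
+	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */,
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
 		intptr = &options->use_dns;
 		goto parse_flag;
 
+	case sUseBlacklist:
+		intptr = &options->use_blacklist;
+		goto parse_flag;
+
 	case sLogFacility:
 		log_facility_ptr = &options->log_facility;
 		arg = strdelim(&cp);
@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);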
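Review bot: The `useblacklist` and `useblocklist` keywords are registered unconditionally in the keyword table, so a binary built without `USE_BLACKLIST` accepts `UseBlacklist yes`, prints it from `dump_config`, and then does nothing because the macros in blacklist_client.h expand to nothing. An administrator would reasonably read that configuration as active protection. Put the two entries under `#ifdef USE_BLACKLIST` and map them to `sUnsupported` in the `#else` branch, or log a warning when the option is enabled in such a build. As a style point, the alias entry puts the comment between `}` and `,`; `{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */` reads more naturally.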
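--- a/servconf.h
+++ b/servconf.h
@@ -179,6 +179,7 @@ typedef struct {
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
 	int	use_dns;
+	int	use_blacklist;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
 					 * see if it's still there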
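--- a/auth-pam.c
+++ b/auth-pam.c
@@ -100,6 +100,7 @@ extern char *__progname;
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "blacklist_client.h"
 #include "srclimit.h"
 
 extern ServerOptions options;
@@ -936,6 +937,10 @@ sshpam_query(void *ctx, char **name, char **info,
 				sshbuf_free(buffer);
 				return (0);
 			}
+			/* XXX: ssh context unavailable here, unclear if this is even needed.
+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+			    the_active_state, sshpam_authctxt->user);
+			*/
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user, sshpam_rhost);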
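Review bot: The block added in `sshpam_query` is a call wrapped in a comment, so the patch ships dead code together with an open question (`unclear if this is even needed`), and the new `blacklist_client.h` include has no live user in the hunks shown. Settle the question before merging: either drop the block and the include, or replace it with a comment that records the decision, for example `/* No blacklistd notification here: no struct ssh is available on this PAM path. */`. Leaving a commented-out call that passes `sshpam_authctxt->user` invites someone to re-enable it later without revisiting whether a peer-supplied name should be sent. sshpam_query's body continues outside the hunk.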
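--- a/auth.c
+++ b/auth.c
@@ -76,6 +76,7 @@
 #include "ssherr.h"
 #include "compat.h"
 #include "channels.h"
+#include "blacklist_client.h"
 
 /* import */
 extern ServerOptions options;
@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
 		authmsg = "Postponed";
 	else if (partial)
 		authmsg = "Partial";
-	else
+	else {
 		authmsg = authenticated ? "Accepted" : "Failed";
+		if (authenticated)
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
+	}
 
 	if ((extra = format_method_key(authctxt)) == NULL) {
 		if (authctxt->auth_method_info != NULL)
@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 	aix_restoreauthdb();
 #endif
 	if (pw == NULL) {
+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
 		logit("Invalid user %.100s from %.100s port %d",
 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN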
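Review bot: In `getpwnamallow` the notification passes `user`, a name supplied by the unauthenticated peer, as the message argument, while every other call site in this patch passes the constant `"ssh"`. What the blacklist library does with that string is not visible on this page, so either use `BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");` for consistency or add a comment stating that the library treats the argument as opaque, length-bounded text. The invalid-user branch of `input_userauth_request` in auth2.c also sends `BLACKLIST_BAD_USER`; if that branch runs after this function returned NULL for the same request, one bad user name is reported twice. The function bodies continue outside the hunks.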
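--- a/auth2.c
+++ b/auth2.c
@@ -58,6 +58,7 @@
 #include "monitor_wrap.h"
 #include "digest.h"
 #include "kex.h"
+#include "blacklist_client.h"
 
 /* import */
 extern ServerOptions options;
@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
 		} else {
 			/* Invalid user, fake password information */
 			authctxt->pw = fakepw();
+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
 #endif
@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
 	} else {
 		/* Allow initial try of "none" auth without failure penalty */
 		if (!partial && !authctxt->server_caused_failure &&
-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
 			authctxt->failures++;
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+		}
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));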
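Review bot: `userauth_finish` now sends `BLACKLIST_AUTH_FAIL` when it increments `authctxt->failures`, and `monitor_child_preauth` in monitor.c does the same for what looks like the same failed attempt. If both processes hold a usable blacklist handle under privilege separation, each failure counts twice, so a source is blocked after half the number of attempts the operator configured. Report from one side only and say so at that call, e.g. `/* reported here only; the monitor does not notify blacklistd */`. userauth_finish's body continues outside the hunk.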
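--- a/packet.c
+++ b/packet.c
@@ -96,6 +96,7 @@
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
+#include "blacklist_client.h"
 
 #ifdef PACKET_DEBUG
 #define DBG(x) x
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh->kex && ssh->kex->failed_choice) {
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
 			ssh_packet_clear_keys(ssh);
 			errno = oerrno;
 			logdie("Unable to negotiate with %s: %s. "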
Lines 107-112 Link Here
107
#include "version.h"
107
#include "version.h"
108
#include "ssherr.h"
108
#include "ssherr.h"
109
#include "sk-api.h"
109
#include "sk-api.h"
110
#include "blacklist_client.h"
110
#include "srclimit.h"
111
#include "srclimit.h"
111
#include "dh.h"
112
#include "dh.h"
112
113
Lines 219-222 grace_alarm_handler(int sig) Link Here
219
		kill(0, SIGTERM);
220
		kill(0, SIGTERM);
220
	}
221
	}
222
	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");
223
221
	_exit(EXIT_LOGIN_GRACE);
224
	_exit(EXIT_LOGIN_GRACE);
222
}
225
}
Lines 1299-1303 main(int ac, char **av) Link Here
1299
	if ((loginmsg = sshbuf_new()) == NULL)
1302
	if ((loginmsg = sshbuf_new()) == NULL)
1300
		fatal_f("sshbuf_new failed");
1303
		fatal_f("sshbuf_new failed");
1301
	auth_debug_reset();
1304
	auth_debug_reset();
1305
1306
	if (options.use_blacklist)
1307
		BLACKLIST_INIT();
1302
1308
1303
	if (privsep_preauth(ssh) == 1)
1309
	if (privsep_preauth(ssh) == 1)
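Review bot: `BLACKLIST_NOTIFY` in `grace_alarm_handler` runs inside a signal handler, and the code it enters (`blacklist_notify` calling `blacklist_r`, with `im_log` and `do_log2` as the library's logging callback) is not shown to be async-signal-safe. If the alarm interrupts the main flow in the middle of an allocation or a logging call and the handler re-enters such code, process state can be corrupted in a pre-authentication process; the rest of the visible handler limits itself to `kill()` and `_exit()`. Remove the call from the handler, and if a login-grace timeout must reach blacklistd, report it from ordinary process context, for instance where the `EXIT_LOGIN_GRACE` exit status is observed. In `main`, `if (options.use_blacklist) BLACKLIST_INIT();` is the only place the option is consulted, so every notify site depends on `blstate` remaining NULL when the option is off. The handler's body starts outside the hunk.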
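--- a/Makefile.in
+++ b/Makefile.in
@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
 FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
 		     @UNSUPPORTED_ALGORITHMS@
 
+LIBSSH_OBJS+=	blacklist.o
+
 all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
 
 $(LIBSSH_OBJS): Makefile.in config.h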
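Review bot: `LIBSSH_OBJS+= blacklist.o` adds the object to every build, but blacklist.c includes `<blacklist.h>` and calls `bl_create` and `blacklist_r` without any `#ifdef USE_BLACKLIST`, so a build on a system without the blacklist library would fail at compile or link time. No hunk on this page adds the library to the link line or a configure switch that defines `USE_BLACKLIST`; if those live elsewhere, a comment above this line should point to them. Otherwise wrap the body of blacklist.c in `#ifdef USE_BLACKLIST` and `#endif` so the object is empty when the feature is off.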
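--- a/sshd_config
+++ b/sshd_config
@@ -94,6 +94,7 @@
 #PrintLastLog yes
 #TCPKeepAlive yes
 #PermitUserEnvironment no
+#UseBlacklist no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3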
(-)sshd_config.5 2024-01-06 16:36:17.025742000 +0100 (+14 lines)
Lines 1855-1860 This option may be useful in conjunction with Link Here
1855
is to never expire connections for having no open channels.
1855
is to never expire connections for having no open channels.
1856
This option may be useful in conjunction with
1856
This option may be useful in conjunction with
1857
.Cm ChannelTimeout .
1857
.Cm ChannelTimeout .
1858
.It Cm UseBlacklist
1859
Specifies whether
1860
.Xr sshd 8
1861
attempts to send authentication success and failure messages
1862
to the
1863
.Xr blacklistd 8
1864
daemon.
1865
The default is
1866
.Cm no .
1867
For forward compatibility with an upcoming
1868
.Xr blacklistd
1869
rename, the
1870
.Cm UseBlocklist
1871
alias can be used instead.
1858
.It Cm UseDNS
1872
.It Cm UseDNS
1859
Specifies whether
1873
Specifies whether
1860
.Xr sshd 8
1874
.Xr sshd 8
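--- a/monitor.c
+++ b/monitor.c
@@ -96,6 +96,7 @@
 #include "match.h"
 #include "ssherr.h"
 #include "sk-api.h"
+#include "blacklist_client.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(ssh, authenticated, partial,
 			    auth_method, auth_submethod);
-			if (!partial && !authenticated)
+			if (!partial && !authenticated) {
 				authctxt->failures++;
+				BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
+				    ssh, "ssh");
+			}
 			if (authenticated || partial) {
 				auth2_update_session_info(authctxt,
 				    auth_method, auth_submethod);
@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
 	} else {
 		/* Log failed attempt */
 		auth_log(ssh, 0, 0, auth_method, NULL);
+		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
 		free(cuser);
 		free(chost);
 	}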
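Review bot: In `mm_answer_keyallowed` the new call sends `BLACKLIST_AUTH_FAIL` for every key the server does not accept, which appears to include keys a client merely offers before it reaches the right one. A user whose agent holds several keys could therefore accumulate failures during a login that ends up succeeding, and reach the block threshold without any guessing taking place. Consider leaving this path to the failure accounting in `monitor_child_preauth`, or document the choice with a comment like `/* each rejected key counts as a failed attempt for blacklistd */` so operators can size their thresholds. mm_answer_keyallowed's body continues outside the hunk.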
