Backport of blacklistd support from FreeBSD 11 |
|
723588495953f0e7337db601102da159b9d93477 |
fd982d3dfd22e656b2850200d4022afaa4d00b0d |
64d41a9ba5585261a0be3cd6c70516a7bb5c3d54 |
|
7 |
--- auth-pam.c.orig 2017-09-30 22:27:30 UTC |
8 |
+++ auth-pam.c |
9 |
@@ -103,6 +103,7 @@ extern char *__progname; |
10 |
#include "ssh-gss.h" |
11 |
#endif |
12 |
#include "monitor_wrap.h" |
13 |
+#include "blacklist_client.h" |
14 |
|
15 |
extern ServerOptions options; |
16 |
extern Buffer loginmsg; |
17 |
@@ -795,6 +796,8 @@ sshpam_query(void *ctx, char **name, cha |
18 |
free(msg); |
19 |
return (0); |
20 |
} |
21 |
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, |
22 |
+ sshpam_authctxt->user); |
23 |
error("PAM: %s for %s%.100s from %.100s", msg, |
24 |
sshpam_authctxt->valid ? "" : "illegal user ", |
25 |
sshpam_authctxt->user, |
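Review bot: The notification inserted ahead of the `error()` call reports `BLACKLIST_BAD_USER` unconditionally, yet the very next lines distinguish a real account from an "illegal user" via `sshpam_authctxt->valid`, so a wrong password for an existing user reaches blacklistd under the same action as a non-existent account. If blacklistd or its configuration weighs BAD_USER differently from AUTH_FAIL, failures by valid users are misclassified; consider `BLACKLIST_NOTIFY(sshpam_authctxt->valid ? BLACKLIST_AUTH_FAIL : BLACKLIST_BAD_USER, sshpam_authctxt->user);` or add a comment stating why BAD_USER is intended for both cases. The enclosing case of sshpam_query starts and ends outside the hunk, so whether this path also triggers the AUTH_FAIL notification in userauth_finish cannot be confirmed from here.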
26 |
--- auth.c.orig 2017-09-30 22:27:30 UTC |
27 |
+++ auth.c |
28 |
@@ -73,6 +73,7 @@ |
29 |
#include "authfile.h" |
30 |
#include "ssherr.h" |
31 |
#include "compat.h" |
32 |
+#include "blacklist_client.h" |
33 |
|
34 |
/* import */ |
35 |
extern ServerOptions options; |
36 |
@@ -324,8 +325,11 @@ auth_log(Authctxt *authctxt, int authent |
37 |
authmsg = "Postponed"; |
38 |
else if (partial) |
39 |
authmsg = "Partial"; |
40 |
- else |
41 |
+ else { |
42 |
authmsg = authenticated ? "Accepted" : "Failed"; |
43 |
+ if (authenticated) |
44 |
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh"); |
45 |
+ } |
46 |
|
47 |
if ((extra = format_method_key(authctxt)) == NULL) { |
48 |
if (authctxt->auth_method_info != NULL) |
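Review bot: The `BLACKLIST_AUTH_OK` notification is sent only from the final `else` branch, so a "Partial" success or a "Postponed" method sends nothing, but nothing in the hunk says that is deliberate rather than an oversight. A one-line comment above the new `if (authenticated)`, such as `/* Report only a complete success to blacklistd; partial and postponed results are not reported */`, would keep a later reshuffle of the if/else chain from moving it. auth_log's body continues outside the hunk.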
49 |
@@ -592,6 +596,7 @@ getpwnamallow(const char *user) |
50 |
} |
51 |
#endif |
52 |
if (pw == NULL) { |
53 |
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user); |
54 |
logit("Invalid user %.100s from %.100s port %d", |
55 |
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
56 |
#ifdef CUSTOM_FAILED_LOGIN |
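Review bot: The client-supplied `user` string is passed to `BLACKLIST_NOTIFY` unbounded, while the `logit()` immediately below deliberately truncates the same value with `%.100s`; the name comes from the unauthenticated peer, so its length and content are attacker-controlled. Unless libblacklist is known to clamp the message itself (not visible in this patch), the notification should apply the same bound, e.g. `char u[101]; snprintf(u, sizeof u, "%.100s", user); BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, u);`. The remainder of getpwnamallow, including the return from the `pw == NULL` branch, lies outside the hunk.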
57 |
--- auth2.c.orig 2017-09-30 22:27:30 UTC |
58 |
+++ auth2.c |
59 |
@@ -51,6 +51,7 @@ |
60 |
#include "dispatch.h" |
61 |
#include "pathnames.h" |
62 |
#include "buffer.h" |
63 |
+#include "blacklist_client.h" |
64 |
|
65 |
#ifdef GSSAPI |
66 |
#include "ssh-gss.h" |
67 |
@@ -372,8 +373,10 @@ userauth_finish(struct ssh *ssh, int aut |
68 |
|
69 |
/* Allow initial try of "none" auth without failure penalty */ |
70 |
if (!partial && !authctxt->server_caused_failure && |
71 |
- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) |
72 |
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { |
73 |
authctxt->failures++; |
74 |
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); |
75 |
+ } |
76 |
if (authctxt->failures >= options.max_authtries) { |
77 |
#ifdef SSH_AUDIT_EVENTS |
78 |
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); |
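Review bot: The new `BLACKLIST_AUTH_FAIL` notification fires on every counted failure, and this same patch also emits `BLACKLIST_BAD_USER` from getpwnamallow and sshpam_query, so a single bad attempt with an unknown user or through PAM appears to reach blacklistd twice — once from the passwd/PAM lookup and once here — and may count double toward the daemon's threshold. Whether blacklistd de-duplicates events per connection is not visible in this patch; if it does not, either suppress the notification here when the failure was already reported, or document the intended behaviour with a comment such as `/* blacklistd also hears BAD_USER from getpwnamallow/sshpam_query; one failed attempt may be reported twice */`. userauth_finish continues outside the hunk.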
79 |
--- blacklist.c.orig 2017-10-02 20:12:03 UTC |
80 |
+++ blacklist.c |
81 |
@@ -0,0 +1,97 @@ |
82 |
+/*- |
83 |
+ * Copyright (c) 2015 The NetBSD Foundation, Inc. |
84 |
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. |
85 |
+ * All rights reserved. |
86 |
+ * |
87 |
+ * Portions of this software were developed by Kurt Lidl |
88 |
+ * under sponsorship from the FreeBSD Foundation. |
89 |
+ * |
90 |
+ * This code is derived from software contributed to The NetBSD Foundation |
91 |
+ * by Christos Zoulas. |
92 |
+ * |
93 |
+ * Redistribution and use in source and binary forms, with or without |
94 |
+ * modification, are permitted provided that the following conditions |
95 |
+ * are met: |
96 |
+ * 1. Redistributions of source code must retain the above copyright |
97 |
+ * notice, this list of conditions and the following disclaimer. |
98 |
+ * 2. Redistributions in binary form must reproduce the above copyright |
99 |
+ * notice, this list of conditions and the following disclaimer in the |
100 |
+ * documentation and/or other materials provided with the distribution. |
101 |
+ * |
102 |
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
103 |
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
104 |
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
105 |
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
106 |
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
107 |
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
108 |
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
109 |
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
110 |
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
111 |
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
112 |
+ * POSSIBILITY OF SUCH DAMAGE. |
113 |
+ */ |
114 |
+ |
115 |
+#include "includes.h" |
116 |
+ |
117 |
+#include <ctype.h> |
118 |
+#include <stdarg.h> |
119 |
+#include <stdbool.h> |
120 |
+#include <stdio.h> |
121 |
+#include <stdlib.h> |
122 |
+#include <syslog.h> |
123 |
+#include <unistd.h> |
124 |
+ |
125 |
+#include "ssh.h" |
126 |
+#include "packet.h" |
127 |
+#include "log.h" |
128 |
+#include "misc.h" |
129 |
+#include "servconf.h" |
130 |
+#include <blacklist.h> |
131 |
+#include "blacklist_client.h" |
132 |
+ |
133 |
+static struct blacklist *blstate = NULL; |
134 |
+ |
135 |
+/* import */ |
136 |
+extern ServerOptions options; |
137 |
+ |
138 |
+/* internal definition from bl.h */ |
139 |
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); |
140 |
+ |
141 |
+/* impedence match vsyslog() to sshd's internal logging levels */ |
142 |
+void |
143 |
+im_log(int priority, const char *message, va_list args) |
144 |
+{ |
145 |
+ LogLevel imlevel; |
146 |
+ |
147 |
+ switch (priority) { |
148 |
+ case LOG_ERR: |
149 |
+ imlevel = SYSLOG_LEVEL_ERROR; |
150 |
+ break; |
151 |
+ case LOG_DEBUG: |
152 |
+ imlevel = SYSLOG_LEVEL_DEBUG1; |
153 |
+ break; |
154 |
+ case LOG_INFO: |
155 |
+ imlevel = SYSLOG_LEVEL_INFO; |
156 |
+ break; |
157 |
+ default: |
158 |
+ imlevel = SYSLOG_LEVEL_DEBUG2; |
159 |
+ } |
160 |
+ do_log(imlevel, message, args); |
161 |
+} |
162 |
+ |
163 |
+void |
164 |
+blacklist_init(void) |
165 |
+{ |
166 |
+ |
167 |
+ if (options.use_blacklist) |
168 |
+ blstate = bl_create(false, NULL, im_log); |
169 |
+} |
170 |
+ |
171 |
+void |
172 |
+blacklist_notify(int action, const char *msg) |
173 |
+{ |
174 |
+ |
175 |
+ if (blstate != NULL && packet_connection_is_on_socket()) |
176 |
+ (void)blacklist_r(blstate, action, |
177 |
+ packet_get_connection_in(), msg); |
178 |
+} |
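Review bot: `bl_create` is re-declared by hand near the top of blacklist.c (`/* internal definition from bl.h */`) in order to pass a custom logger, which ties the file to a private libblacklist prototype: if the library changes that signature nothing in the build will notice, and calling a function through a mismatched prototype is undefined behaviour. Prefer the public API (`blacklist_open()` from `<blacklist.h>`, accepting its default vsyslog logging), or, if `im_log` is required, add a comment naming the libblacklist version whose bl.h the prototype was copied from so the risk is at least visible. `im_log` is not declared in blacklist_client.h and has no other caller here, so it should be `static void im_log(int priority, const char *message, va_list args)`; its `default:` arm also maps LOG_WARNING and LOG_NOTICE down to SYSLOG_LEVEL_DEBUG2, which presumably hides libblacklist's connection problems unless sshd runs at a debug LogLevel — confirm that is intended.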
179 |
--- blacklist_client.h.orig 2017-10-02 20:12:03 UTC |
180 |
+++ blacklist_client.h |
181 |
@@ -0,0 +1,61 @@ |
182 |
+/*- |
183 |
+ * Copyright (c) 2015 The NetBSD Foundation, Inc. |
184 |
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. |
185 |
+ * All rights reserved. |
186 |
+ * |
187 |
+ * Portions of this software were developed by Kurt Lidl |
188 |
+ * under sponsorship from the FreeBSD Foundation. |
189 |
+ * |
190 |
+ * This code is derived from software contributed to The NetBSD Foundation |
191 |
+ * by Christos Zoulas. |
192 |
+ * |
193 |
+ * Redistribution and use in source and binary forms, with or without |
194 |
+ * modification, are permitted provided that the following conditions |
195 |
+ * are met: |
196 |
+ * 1. Redistributions of source code must retain the above copyright |
197 |
+ * notice, this list of conditions and the following disclaimer. |
198 |
+ * 2. Redistributions in binary form must reproduce the above copyright |
199 |
+ * notice, this list of conditions and the following disclaimer in the |
200 |
+ * documentation and/or other materials provided with the distribution. |
201 |
+ * |
202 |
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
203 |
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
204 |
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
205 |
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
206 |
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
207 |
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
208 |
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
209 |
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
210 |
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
211 |
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
212 |
+ * POSSIBILITY OF SUCH DAMAGE. |
213 |
+ */ |
214 |
+ |
215 |
+#ifndef BLACKLIST_CLIENT_H |
216 |
+#define BLACKLIST_CLIENT_H |
217 |
+ |
218 |
+#ifndef BLACKLIST_API_ENUM |
219 |
+enum { |
220 |
+ BLACKLIST_AUTH_OK = 0, |
221 |
+ BLACKLIST_AUTH_FAIL, |
222 |
+ BLACKLIST_ABUSIVE_BEHAVIOR, |
223 |
+ BLACKLIST_BAD_USER |
224 |
+}; |
225 |
+#endif |
226 |
+ |
227 |
+#ifdef USE_BLACKLIST |
228 |
+void blacklist_init(void); |
229 |
+void blacklist_notify(int, const char *); |
230 |
+ |
231 |
+#define BLACKLIST_INIT() blacklist_init() |
232 |
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg) |
233 |
+ |
234 |
+#else |
235 |
+ |
236 |
+#define BLACKLIST_INIT() |
237 |
+#define BLACKLIST_NOTIFY(x,msg) |
238 |
+ |
239 |
+#endif |
240 |
+ |
241 |
+ |
242 |
+#endif /* BLACKLIST_CLIENT_H */ |
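Review bot: The fallback `enum` in blacklist_client.h (`BLACKLIST_AUTH_OK = 0` … `BLACKLIST_BAD_USER`) is a hand copy of the values libblacklist publishes under `BLACKLIST_API_ENUM`, and every caller except blacklist.c compiles against this copy because none of them includes `<blacklist.h>`; if the library's ordering ever differs, sshd will silently send the wrong action. Add a comment above the enum, `/* Must match the enum in libblacklist's <blacklist.h>; every file except blacklist.c only ever sees this copy */`, or include `<blacklist.h>` from this header under `#ifdef USE_BLACKLIST` so there is a single definition. The `!USE_BLACKLIST` macros expand to nothing; `#define BLACKLIST_NOTIFY(x,msg) ((void)0)` and `#define BLACKLIST_INIT() ((void)0)` keep each use a real statement and avoid `-Wempty-body` noise in `if`/`else` contexts.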
243 |
--- packet.c.orig 2017-09-30 22:27:30 UTC |
244 |
+++ packet.c |
245 |
@@ -83,6 +83,7 @@ |
246 |
#include "packet.h" |
247 |
#include "ssherr.h" |
248 |
#include "sshbuf.h" |
249 |
+#include "blacklist_client.h" |
250 |
|
251 |
#ifdef PACKET_DEBUG |
252 |
#define DBG(x) x |
253 |
@@ -1825,6 +1826,7 @@ sshpkt_fatal(struct ssh *ssh, const char |
254 |
case SSH_ERR_NO_KEX_ALG_MATCH: |
255 |
case SSH_ERR_NO_HOSTKEY_ALG_MATCH: |
256 |
if (ssh && ssh->kex && ssh->kex->failed_choice) { |
257 |
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); |
258 |
ssh_packet_clear_keys(ssh); |
259 |
logdie("Unable to negotiate with %s: %s. " |
260 |
"Their offer: %s", remote_id, ssh_err(r), |
261 |
--- servconf.c.orig 2017-09-30 22:27:30 UTC |
262 |
+++ servconf.c |
263 |
@@ -165,6 +165,7 @@ initialize_server_options(ServerOptions |
264 |
options->fingerprint_hash = -1; |
265 |
options->disable_forwarding = -1; |
266 |
options->expose_userauth_info = -1; |
267 |
+ options->use_blacklist = -1; |
268 |
} |
269 |
|
270 |
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
271 |
@@ -336,6 +337,8 @@ fill_default_server_options(ServerOption |
272 |
options->disable_forwarding = 0; |
273 |
if (options->expose_userauth_info == -1) |
274 |
options->expose_userauth_info = 0; |
275 |
+ if (options->use_blacklist == -1) |
276 |
+ options->use_blacklist = 0; |
277 |
|
278 |
assemble_algorithms(options); |
279 |
|
280 |
@@ -422,6 +425,7 @@ typedef enum { |
281 |
sStreamLocalBindMask, sStreamLocalBindUnlink, |
282 |
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
283 |
sExposeAuthInfo, |
284 |
+ sUseBlacklist, |
285 |
sDeprecated, sIgnore, sUnsupported |
286 |
} ServerOpCodes; |
287 |
|
288 |
@@ -533,6 +537,7 @@ static struct { |
289 |
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, |
290 |
{ "banner", sBanner, SSHCFG_ALL }, |
291 |
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, |
292 |
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, |
293 |
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, |
294 |
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, |
295 |
{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, |
296 |
@@ -1883,6 +1888,10 @@ process_server_config_line(ServerOptions |
297 |
intptr = &options->expose_userauth_info; |
298 |
goto parse_flag; |
299 |
|
300 |
+ case sUseBlacklist: |
301 |
+ intptr = &options->use_blacklist; |
302 |
+ goto parse_flag; |
303 |
+ |
304 |
case sDeprecated: |
305 |
case sIgnore: |
306 |
case sUnsupported: |
307 |
@@ -2322,6 +2331,7 @@ dump_config(ServerOptions *o) |
308 |
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
309 |
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); |
310 |
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); |
311 |
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); |
312 |
|
313 |
/* string arguments */ |
314 |
dump_cfg_string(sPidFile, o->pid_file); |
315 |
--- servconf.h.orig 2017-09-30 22:27:30 UTC |
316 |
+++ servconf.h |
317 |
@@ -198,6 +198,7 @@ typedef struct { |
318 |
|
319 |
int fingerprint_hash; |
320 |
int expose_userauth_info; |
321 |
+ int use_blacklist; |
322 |
} ServerOptions; |
323 |
|
324 |
/* Information about the incoming connection as used by Match */ |
325 |
--- sshd.c.orig 2017-09-30 22:27:30 UTC |
326 |
+++ sshd.c |
327 |
@@ -121,6 +122,7 @@ |
328 |
#include "ssh-sandbox.h" |
329 |
#include "version.h" |
330 |
#include "ssherr.h" |
331 |
+#include "blacklist_client.h" |
332 |
|
333 |
/* Re-exec fds */ |
334 |
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
335 |
@@ -352,6 +368,8 @@ grace_alarm_handler(int sig) |
336 |
kill(0, SIGTERM); |
337 |
} |
338 |
|
339 |
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh"); |
340 |
+ |
341 |
/* Log error and exit. */ |
342 |
sigdie("Timeout before authentication for %s port %d", |
343 |
ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)); |
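Review bot: The new `BLACKLIST_NOTIFY` runs inside grace_alarm_handler, a SIGALRM handler, and blacklist_notify → blacklist_r presumably ends in sendmsg() plus, on first use, socket()/connect() and a call back into sshd's logger through im_log — none of which is async-signal-safe, so it can deadlock or corrupt state if the alarm lands inside malloc or the logger. The existing `sigdie()` on the following line already accepts that risk, so the addition is consistent, but it should be stated: `/* not async-signal-safe, like sigdie() below; tolerated because the handler exits immediately */`. blacklist_notify does nothing when `blstate` is NULL, so a process that never called BLACKLIST_INIT() simply drops the event rather than misbehaving.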
344 |
@@ -2014,6 +2077,8 @@ main(int ac, char **av) |
345 |
buffer_init(&loginmsg); |
346 |
auth_debug_reset(); |
347 |
|
348 |
+ BLACKLIST_INIT(); |
349 |
+ |
350 |
if (use_privsep) { |
351 |
if (privsep_preauth(authctxt) == 1) |
352 |
goto authenticated; |
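Review bot: `BLACKLIST_INIT()` is placed immediately before `privsep_preauth()`, and that ordering matters because the unprivileged preauth child is forked there and the auth2.c notifications run in that child (as I read the rest of this patch); a comment should pin it, e.g. `/* must precede privsep_preauth(): the preauth child inherits blstate and the blacklistd socket */`, or a later reordering will silently disable failure reporting. Whether bl_create() connects eagerly, so that the chrooted and sandboxed child can still reach the blacklistd socket, is a libblacklist detail not visible here and worth a confirming note in blacklist_init(). main() continues outside the hunk.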
353 |
--- sshd_config.orig 2017-09-30 22:27:30 UTC |
354 |
+++ sshd_config |
355 |
@@ -102,6 +102,7 @@ AuthorizedKeysFile .ssh/authorized_keys |
356 |
#MaxStartups 10:30:100 |
357 |
#PermitTunnel no |
358 |
#ChrootDirectory none |
359 |
+#UseBlacklist no |
360 |
#VersionAddendum none |
361 |
|
362 |
# no default banner path |
363 |
--- sshd_config.5.orig 2017-09-30 22:27:30 UTC |
364 |
+++ sshd_config.5 |
365 |
@@ -1460,6 +1460,15 @@ for authentication using |
366 |
.Cm TrustedUserCAKeys . |
367 |
For more details on certificates, see the CERTIFICATES section in |
368 |
.Xr ssh-keygen 1 . |
369 |
+.It Cm UseBlacklist |
370 |
+Specifies whether |
371 |
+.Xr sshd 8 |
372 |
+attempts to send authentication success and failure messages |
373 |
+to the |
374 |
+.Xr blacklistd 8 |
375 |
+daemon. |
376 |
+The default is |
377 |
+.Dq no . |
378 |
.It Cm UseDNS |
379 |
Specifies whether |
380 |
.Xr sshd 8 |