Summary: | security/sshguard: configuration inconvenience wrt blacklisting | | |
---|---|---|---|
Product: | Ports & Packages | Reporter: | Bengt Ahlgren <bahlgren> |
Component: | Individual Port(s) | Assignee: | Dmitry Marakasov <amdmi3> |
Status: | Closed FIXED | | |
Severity: | Affects Some People | CC: | amdmi3, dan.mcgregor, diizzy, dpetrov67, kevinz5000, swills |
Priority: | --- | Keywords: | needs-patch |
Version: | Latest | Flags: | bugzilla: maintainer-feedback? (dan.mcgregor) |
Hardware: | Any | | |
OS: | Any | | |
Description
Bengt Ahlgren
2017-08-18 11:43:10 UTC
The intent in doing that was to make upgrading easier, because then we could just keep the same rc.conf option. Clearly we messed up because you have to set the backend in sshguard.conf anyway. Would you prefer both options to be set in rc.conf or sshguard.conf?

Thanks for looking at this! I have no real preference, other than making the configuration in just one place.

Please make a patch.

Ping

Created attachment 222508 [details]
Patch
I've attached a patch with the requested changes. More detail is in the patch body, which is reproduced below:
The sshguard_blacklist rcvar always overrides the setting in
sshguard.conf. Since the rc.d script sets sshguard_blacklist, the
blacklist option in sshguard.conf is never used.
This patch removes the default rcvar setting, and instead enables
blacklisting in the example sshguard.conf. (Note that this is a
traditional FreeBSD ports default, not an upstream default.)
New users (with no existing sshguard.conf) will see no change. Users
with existing sshguard.conf will have blacklisting turned off until they
update their sshguard.conf.
Though, I want to ask those CC'd on the patch here, what do you think about leaving blacklisting off by default?
(In reply to Kevin Zheng from comment #5) IMO at least an UPDATING entry is needed here as it's a breaking change.

Ping. Please include the corresponding UPDATING entry.

Created attachment 228131 [details]
Patch
Sorry for the delayed response.
I've amended the patch to simply disable blacklisting by default, with an entry to UPDATING that instructs users to enable blacklisting in sshguard.conf.
So I guess we can close this now?

(In reply to Daniel Engberg from comment #9) It doesn't look like this patch has been acted upon, so it should probably be kept open unless we're going to go ahead and close with no changes.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dc24d9430367984eb0508a5ca5a67572e4678542

commit dc24d9430367984eb0508a5ca5a67572e4678542
Author:     Dmitry Marakasov <amdmi3@FreeBSD.org>
AuthorDate: 2022-04-01 15:02:25 +0000
Commit:     Dmitry Marakasov <amdmi3@FreeBSD.org>
CommitDate: 2022-04-01 15:09:49 +0000

    security/sshguard: disable blacklisting by default

    Blacklisting is now disabled by default to avoid overriding the setting
    in sshguard.conf. To enable blacklisting, uncomment the BLACKLIST_FILE
    line in sshguard.conf.

    PR:           221602
    Reported by:  bahlgren@beah.se
    Submitted by: kevinz5000@gmail.com

 UPDATING                            | 8 ++++++++
 security/sshguard/Makefile          | 2 +-
 security/sshguard/files/sshguard.in | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
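
A check an administrator could run after this change to see whether blacklisting is still in effect and which file supplies it. This is an added example, not part of the PR or the port; it assumes the rc.d script still honours a non-empty sshguard_blacklist set in rc.conf, and the function names, paths and file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which file, if any, supplies sshguard's blacklist.

# conf_value VAR FILE: print the last uncommented VAR=... assignment in FILE,
# minus trailing comment and surrounding quotes. Empty if unset or unreadable.
conf_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# blacklist_source RC_CONF SSHGUARD_CONF
# Prints "rc.conf:<value>", "sshguard.conf:<value>" or "disabled".
blacklist_source() {
    rc_val=$(conf_value sshguard_blacklist "$1")
    conf_val=$(conf_value BLACKLIST_FILE "$2")
    if [ -n "$rc_val" ]; then
        # The rcvar always overrides sshguard.conf (per the PR), so a
        # BLACKLIST_FILE line is ignored whenever this is non-empty.
        echo "rc.conf:$rc_val"
    elif [ -n "$conf_val" ]; then
        echo "sshguard.conf:$conf_val"
    else
        echo "disabled"
    fi
}

# demo: constructed files modelling an upgraded host whose sshguard.conf
# still has BLACKLIST_FILE commented out. Paths and values are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf 'sshguard_enable="YES"\n' > "$d/rc.conf"
    printf 'BACKEND="/path/to/sshg-fw-pf"\n#BLACKLIST_FILE=120:/path/to/blacklist.db\n' > "$d/sshguard.conf"
    blacklist_source "$d/rc.conf" "$d/sshguard.conf"
    rm -rf "$d"
}

# Stand-alone use: sh script.sh /etc/rc.conf /path/to/sshguard.conf
if [ $# -eq 2 ]; then
    blacklist_source "$1" "$2"
else
    demo
fi
```

A result of `disabled` on a host that previously relied on the port's default is the case the UPDATING entry warns about.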