| Summary: | libblacklist: BLACKLIST_BAD_USER does nothing | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Ed Maste <emaste> |
| Component: | misc | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | New --- | ||
| Severity: | Affects Only Me | ||
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236312 | ||
BLACKLIST_BAD_USER has no effect. In contrib/blacklist/lib/blacklist.c it is translated to BL_BADUSER:

```c
case BLACKLIST_BAD_USER:
	internal_action = BL_BADUSER;
	break;
```

then in contrib/blacklist/bin/blacklistd.c:

```c
case BL_BADUSER:
	/* ignore for now */
	break;
```

In fact this is (barely) documented:

> BLACKLIST_BAD_USER
> The sending daemon has determined the username presented for authentication is invalid. The blacklistd(8) daemon compares the username to a configured list of forbidden usernames and blocks the address immediately if a forbidden username matches. (The BLACKLIST_BAD_USER support is not currently available.)

The base system OpenSSH tries to make use of this in two places: sshpam_query()

```c
BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
    sshpam_authctxt->valid ? "" : "illegal user ",
    sshpam_authctxt->user, sshpam_rhost);
```

and getpwnamallow()

```c
if (pw == NULL) {
	BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
	logit("Invalid user %.100s from %.100s port %d",
	    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
```
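The following is an added illustration, not code from blacklistd or OpenSSH, of the dispatch the documentation describes: a BL_BADUSER notification checked against a forbidden-username list and blocked at once, beside the counted handling that blacklistd applies to ordinary BL_ADD failures (block once an address reaches the nfail threshold from blacklistd.conf). The enum names follow libblacklist's bl.h; the forbidden list, the NFAIL value, the per-address table and the choice to take no action for a non-forbidden invalid user (the man page text only specifies the matching case) are assumptions made for the example.

```c
/* Added example: dispatch of libblacklist actions in a blacklistd-like
 * daemon, including the documented but unimplemented BL_BADUSER case.
 * Forbidden-user list, NFAIL and the address table are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Action codes carried from libblacklist to the daemon (names as in bl.h). */
enum bl_action { BL_INVALID, BL_ADD, BL_DELETE, BL_ABUSE, BL_BADUSER };

/* What the daemon decided for one notification. */
enum bl_decision { BL_NONE, BL_COUNTED, BL_BLOCK };

/* Constructed stand-in for a configured list of forbidden usernames. */
static const char *const forbidden_users[] = { "root", "admin", "test", NULL };

/* Constructed failure threshold (the nfail field of a blacklistd.conf entry). */
#define NFAIL 3

/* Minimal per-address failure table (blacklistd keeps this in a database). */
#define MAX_ENTRIES 16
struct entry { char addr[64]; int fails; };
static struct entry table[MAX_ENTRIES];
static int ntable;

/* Drop all state; used by tests and on daemon restart. */
void reset_table(void) { ntable = 0; }

/* Find or create the entry for a remote address. */
static struct entry *lookup(const char *addr) {
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].addr, addr) == 0)
            return &table[i];
    if (ntable >= MAX_ENTRIES)
        return NULL;
    struct entry *e = &table[ntable++];
    snprintf(e->addr, sizeof e->addr, "%s", addr);
    e->fails = 0;
    return e;
}

/* True when the presented username is on the forbidden list. */
bool user_is_forbidden(const char *user) {
    for (const char *const *p = forbidden_users; *p != NULL; p++)
        if (strcmp(*p, user) == 0)
            return true;
    return false;
}

/* Decide what to do with one notification from a sending daemon such as sshd. */
enum bl_decision handle_notification(enum bl_action act, const char *user,
                                     const char *addr) {
    struct entry *e = lookup(addr);
    if (e == NULL)
        return BL_NONE;

    switch (act) {
    case BL_ADD:
        /* Counted failure: block the address once it reaches NFAIL. */
        if (++e->fails >= NFAIL)
            return BL_BLOCK;
        return BL_COUNTED;
    case BL_BADUSER:
        /* Documented intent: a forbidden username blocks immediately,
         * regardless of how many failures the address has so far. */
        if (user_is_forbidden(user)) {
            e->fails = NFAIL;
            return BL_BLOCK;
        }
        /* Assumption: a non-forbidden invalid user is left to the
         * normal BL_ADD accounting that sshd also emits on auth failure. */
        return BL_NONE;
    case BL_DELETE:
        /* Successful login: clear the failure count. */
        e->fails = 0;
        return BL_NONE;
    case BL_ABUSE:
        /* Abuse is reported as an immediate block. */
        e->fails = NFAIL;
        return BL_BLOCK;
    default:
        return BL_NONE;
    }
}
```

In the stock daemon the BL_BADUSER arm is the `/* ignore for now */` quoted above, so sshd's two BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ...) calls only cost a socket write; a username on the forbidden list reaches BL_BLOCK here on the first attempt, while an ordinary BL_ADD failure still needs NFAIL attempts from the same address.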