Bug 221602 - security/sshguard: configuration inconvenience wrt blacklisting
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dmitry Marakasov
Keywords: needs-patch
Reported: 2017-08-18 11:43 UTC by Bengt Ahlgren
Modified: 2022-04-01 15:11 UTC
bugzilla: maintainer-feedback? (dan.mcgregor)


Attachments
Patch (2.72 KB, patch)
2021-02-17 07:39 UTC, Kevin Zheng
Patch (2.03 KB, patch)
2021-09-23 06:59 UTC, Kevin Zheng

Description Bengt Ahlgren 2017-08-18 11:43:10 UTC
The sshguard rc-script supplied with the FreeBSD port always sets the commandline parameter for blacklisting.  This means that any blacklist configuration in sshguard.conf will never be used.

So, if you want to tweak the blacklisting, you need to do that in rc.conf, and since you anyway need to edit sshguard.conf to set the backend, it means that you have to configure sshguard in two places.  I find that inconvenient.

I therefore propose that the port removes the default setting of sshguard_blacklist from the rc.d script, and changes the default in sshguard.conf instead!

(As this is a simple change, I didn't attach a patch - I would be happy to create one if needed!)
Comment 1 Kevin Zheng 2017-12-06 22:02:18 UTC
The intent in doing that was to make upgrading easier, because then we could just keep the same rc.conf option. Clearly we messed up because you have to set the backend in sshguard.conf anyway.

Would you prefer both options to be set in rc.conf or sshguard.conf?
Comment 2 Bengt Ahlgren 2017-12-07 09:06:11 UTC
Thanks for looking at this!

I have no real preference, other than making the configuration in just one place.
Comment 3 Steve Wills freebsd_committer freebsd_triage 2019-05-26 20:38:47 UTC
Please make a patch.
Comment 4 Dmitry Marakasov freebsd_committer freebsd_triage 2021-02-16 12:23:20 UTC
Ping
Comment 5 Kevin Zheng 2021-02-17 07:39:37 UTC
Created attachment 222508
Patch

I've attached a patch with the requested changes. More detail is in the patch body, which is reproduced below:

The sshguard_blacklist rcvar always overrides the setting in
sshguard.conf. Since the rc.d script sets sshguard_blacklist, the
blacklist option in sshguard.conf is never used.

This patch removes the default rcvar setting, and instead enables
blacklisting in the example sshguard.conf. (Note that this is a
traditional FreeBSD ports default, not an upstream default.)

New users (with no existing sshguard.conf) will see no change. Users
with existing sshguard.conf will have blacklisting turned off until they
update their sshguard.conf.

Though, I want to ask those CC'd on the patch here, what do you think about leaving blacklisting off by default?
Comment 6 Dmitry Marakasov freebsd_committer freebsd_triage 2021-02-18 21:39:35 UTC
(In reply to Kevin Zheng from comment #5)
IMO at least an UPDATING entry is needed here as it's a breaking change.
Comment 7 Dmitry Marakasov freebsd_committer freebsd_triage 2021-09-09 19:23:21 UTC
Ping. Please include the corresponding UPDATING entry.
Comment 8 Kevin Zheng 2021-09-23 06:59:18 UTC
Created attachment 228131
Patch

Sorry for the delayed response.

I've amended the patch to simply disable blacklisting by default, with an entry to UPDATING that instructs users to enable blacklisting in sshguard.conf.
Comment 9 Daniel Engberg freebsd_committer freebsd_triage 2022-03-26 17:09:22 UTC
So I guess we can close this now?
Comment 10 Kevin Zheng 2022-03-27 01:04:17 UTC
(In reply to Daniel Engberg from comment #9)
It doesn't look like this patch has been acted upon, so it should probably be kept open unless we're going to go ahead and close with no changes.
Comment 11 commit-hook freebsd_committer freebsd_triage 2022-04-01 15:11:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dc24d9430367984eb0508a5ca5a67572e4678542

commit dc24d9430367984eb0508a5ca5a67572e4678542
Author:     Dmitry Marakasov <amdmi3@FreeBSD.org>
AuthorDate: 2022-04-01 15:02:25 +0000
Commit:     Dmitry Marakasov <amdmi3@FreeBSD.org>
CommitDate: 2022-04-01 15:09:49 +0000

    security/sshguard: disable blacklisting by default

      Blacklisting is now disabled by default to avoid overriding the setting in
      sshguard.conf. To enable blacklisting, uncomment the BLACKLIST_FILE line in
      sshguard.conf.

    PR:             221602
    Reported by:    bahlgren@beah.se
    Submitted by:   kevinz5000@gmail.com

 UPDATING                            | 8 ++++++++
 security/sshguard/Makefile          | 2 +-
 security/sshguard/files/sshguard.in | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
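
A check an administrator could run after this change to see which file, if any, actually enables blacklisting (an added example, not part of the port or the attached patches). It uses only the `sshguard_blacklist` rcvar and the `BLACKLIST_FILE` key named in this thread, and assumes a non-empty rcvar still takes precedence as comment 5 describes. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the port. Sample file contents are constructed.

# Print the value of the last uncommented KEY=... line in FILE (quotes removed).
get_setting() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Usage: blacklist_source RC_CONF SSHGUARD_CONF
# Prints one line: "rc.conf <value>", "sshguard.conf <value>" or "disabled".
# Assumption: a non-empty sshguard_blacklist rcvar wins, as comment 5 describes.
blacklist_source() {
    rc_val=$(get_setting sshguard_blacklist "$1")
    conf_val=$(get_setting BLACKLIST_FILE "$2")
    if [ -n "$rc_val" ]; then
        if [ -n "$conf_val" ] && [ "$conf_val" != "$rc_val" ]; then
            echo "warning: BLACKLIST_FILE=$conf_val in $2 is ignored" >&2
        fi
        echo "rc.conf $rc_val"
    elif [ -n "$conf_val" ]; then
        echo "sshguard.conf $conf_val"
    else
        echo "disabled"
    fi
}

# Demo on constructed files: an upgraded host whose sshguard.conf still has
# the BLACKLIST_FILE line commented out and whose rc.conf sets no rcvar.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'sshguard_enable="YES"\n' > "$dir/rc.conf"
    printf '#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db\n' > "$dir/sshguard.conf"
    blacklist_source "$dir/rc.conf" "$dir/sshguard.conf"
    rm -rf "$dir"
}
demo
```

A result of `disabled` on a host that previously relied on the rc.d default means repeat offenders are no longer blocked permanently until `BLACKLIST_FILE` is uncommented.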