Bug 258414 - libblacklist: BLACKLIST_BAD_USER does nothing
Summary: libblacklist: BLACKLIST_BAD_USER does nothing
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2021-09-10 20:24 UTC by Ed Maste
Modified: 2021-09-13 23:07 UTC
Description: Ed Maste (freebsd_committer, freebsd_triage) 2021-09-10 20:24:28 UTC
BLACKLIST_BAD_USER has no effect: contrib/blacklist/lib/blacklist.c translates it to BL_BADUSER

        case BLACKLIST_BAD_USER:
                internal_action = BL_BADUSER;
                break;

and then in contrib/blacklist/bin/blacklistd.c:

        case BL_BADUSER:
                /* ignore for now */
                break;

In fact this is (barely) documented:

     BLACKLIST_BAD_USER              The sending daemon has determined the
                                     username presented for authentication is
                                     invalid.  The blacklistd(8) daemon
                                     compares the username to a configured
                                     list of forbidden usernames and blocks
                                     the address immediately if a forbidden
                                     username matches.  (The
                                     BLACKLIST_BAD_USER support is not
                                     currently available.)

The base system OpenSSH tries to make use of this in two places:

sshpam_query()
                        BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
                            sshpam_authctxt->user);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user, sshpam_rhost);

getpwnamallow()

        if (pw == NULL) {
                BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
                logit("Invalid user %.100s from %.100s port %d",
                    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
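
As an added illustration, not code from FreeBSD's libblacklist, blacklistd or OpenSSH: a small C model of the two-stage dispatch quoted in the report. lib_translate() mirrors the blacklist.c switch, and notify() models the daemon with BL_BADUSER ignored exactly as shipped; setting implement_baduser instead models the behaviour blacklistd(8) documents, so the two can be compared. The constant values, host table, failure threshold and forbidden-username list are constructed assumptions, not blacklistd's real configuration.

```c
#include <stdbool.h>
#include <string.h>
/* Client-side libblacklist actions and the internal ones the library forwards
 * to blacklistd; the numeric values are constructed for this model. */
enum { BLACKLIST_AUTH_OK = 0, BLACKLIST_AUTH_FAIL = 1, BLACKLIST_BAD_USER = 3 };
enum { BL_INVALID = 0, BL_ADD, BL_DELETE, BL_BADUSER };
#define MAX_HOSTS 8
struct host_state { char addr[40]; int failures; bool blocked; };
struct daemon {                 /* caller zero-initialises this */
    struct host_state hosts[MAX_HOSTS]; int nhosts;
    int threshold;          /* BL_ADD notifications before a block (nfail) */
    const char **forbidden; /* NULL-terminated list; hypothetical config */
    bool implement_baduser; /* false = shipped "ignore for now" behaviour */
};
/* Mirrors the blacklist.c switch quoted in the report. */
static int lib_translate(int action)
{
    switch (action) {
    case BLACKLIST_AUTH_OK:   return BL_DELETE;
    case BLACKLIST_AUTH_FAIL: return BL_ADD;
    case BLACKLIST_BAD_USER:  return BL_BADUSER;
    default:                  return BL_INVALID;
    }
}
static struct host_state *lookup(struct daemon *d, const char *addr)
{
    for (int i = 0; i < d->nhosts; i++)
        if (strcmp(d->hosts[i].addr, addr) == 0) return &d->hosts[i];
    if (d->nhosts == MAX_HOSTS) return NULL;
    struct host_state *h = &d->hosts[d->nhosts++];
    strncpy(h->addr, addr, sizeof h->addr - 1); /* slot is zeroed, stays terminated */
    return h;
}
/* One notification through both stages; true if addr ends up blocked. */
static bool notify(struct daemon *d, int action, const char *addr, const char *user)
{
    struct host_state *h = lookup(d, addr);
    if (h == NULL) return false;
    switch (lib_translate(action)) {
    case BL_ADD:    if (++h->failures >= d->threshold) h->blocked = true; break;
    case BL_DELETE: h->failures = 0; break;
    case BL_BADUSER: /* shipped blacklistd.c: "ignore for now" */
        if (d->implement_baduser && user != NULL) /* documented behaviour, for comparison */
            for (const char **f = d->forbidden; *f != NULL; f++)
                if (strcmp(*f, user) == 0) { h->blocked = true; break; }
    }
    return h->blocked;
}
```

With the shipped behaviour, a forbidden username reported through BLACKLIST_BAD_USER never changes the host's state; only BLACKLIST_AUTH_FAIL counts toward a block.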