Bug 258414 - libblacklist: BLACKLIST_BAD_USER does nothing
Summary: libblacklist: BLACKLIST_BAD_USER does nothing
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-10 20:24 UTC by Ed Maste
Modified: 2021-09-13 23:07 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ed Maste freebsd_committer 2021-09-10 20:24:28 UTC
BLACKLIST_BAD_USER has no effect - in contrib/blacklist/lib/blacklist.c translates it to BL_BADUSER

        case BLACKLIST_BAD_USER:
                internal_action = BL_BADUSER;
                break;

then in contrib/blacklist/bin/blacklistd.c

        case BL_BADUSER:
                /* ignore for now */
                break;

In fact this is (barely) documented:

     BLACKLIST_BAD_USER              The sending daemon has determined the
                                     username presented for authentication is
                                     invalid.  The blacklistd(8) daemon
                                     compares the username to a configured
                                     list of forbidden usernames and blocks
                                     the address immediately if a forbidden
                                     username matches.  (The
                                     BLACKLIST_BAD_USER support is not
                                     currently available.)

base system OpenSSH tries to make use of this in two places:

sshpam_query()
                        BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
                            sshpam_authctxt->user);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user, sshpam_rhost);

getpwnamallow()

        if (pw == NULL) {
                BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
                logit("Invalid user %.100s from %.100s port %d",
                    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));