mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-12-04 08:09:08 +00:00
Add blacklist support to sshd
Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915
This commit is contained in:
parent
3707d4d3e3
commit
c0cc364181
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=301551
@ -98,6 +98,9 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
extern ServerOptions options;
|
||||
extern Buffer loginmsg;
|
||||
@ -794,6 +797,9 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
free(msg);
|
||||
return (0);
|
||||
}
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
error("PAM: %s for %s%.100s from %.100s", msg,
|
||||
sshpam_authctxt->valid ? "" : "illegal user ",
|
||||
sshpam_authctxt->user,
|
||||
|
@ -75,6 +75,9 @@ __RCSID("$FreeBSD$");
|
||||
#include "authfile.h"
|
||||
#include "ssherr.h"
|
||||
#include "compat.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -306,6 +309,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
|
||||
compat20 ? "ssh2" : "ssh1",
|
||||
authctxt->info != NULL ? ": " : "",
|
||||
authctxt->info != NULL ? authctxt->info : "");
|
||||
#ifdef USE_BLACKLIST
|
||||
if (!authctxt->postponed)
|
||||
blacklist_notify(!authenticated);
|
||||
#endif
|
||||
free(authctxt->info);
|
||||
authctxt->info = NULL;
|
||||
|
||||
@ -640,6 +647,9 @@ getpwnamallow(const char *user)
|
||||
}
|
||||
#endif
|
||||
if (pw == NULL) {
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
logit("Invalid user %.100s from %.100s",
|
||||
user, get_remote_ipaddr());
|
||||
#ifdef CUSTOM_FAILED_LOGIN
|
||||
|
@ -43,6 +43,9 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "buffer.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -337,6 +340,9 @@ do_authloop(Authctxt *authctxt)
|
||||
char *msg;
|
||||
size_t len;
|
||||
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
error("Access denied for user %s by PAM account "
|
||||
"configuration", authctxt->user);
|
||||
len = buffer_len(&loginmsg);
|
||||
@ -404,6 +410,9 @@ do_authentication(Authctxt *authctxt)
|
||||
else {
|
||||
debug("do_authentication: invalid user %s", user);
|
||||
authctxt->pw = fakepw();
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Configuration may have changed as a result of Match */
|
||||
|
@ -52,6 +52,9 @@ __RCSID("$FreeBSD$");
|
||||
#include "pathnames.h"
|
||||
#include "buffer.h"
|
||||
#include "canohost.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@ -248,6 +251,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
} else {
|
||||
logit("input_userauth_request: invalid user %s", user);
|
||||
authctxt->pw = fakepw();
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_INVALID_USER));
|
||||
#endif
|
||||
|
64
crypto/openssh/blacklist.c
Normal file
64
crypto/openssh/blacklist.c
Normal file
@ -0,0 +1,64 @@
|
||||
/*-
|
||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This code is derived from software contributed to The NetBSD Foundation
|
||||
* by Christos Zoulas.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "ssh.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "blacklist_client.h"
|
||||
#include <blacklist.h>
|
||||
|
||||
static struct blacklist *blstate;
|
||||
|
||||
void
|
||||
blacklist_init(void)
|
||||
{
|
||||
blstate = blacklist_open();
|
||||
}
|
||||
|
||||
void
|
||||
blacklist_notify(int action)
|
||||
{
|
||||
int fd;
|
||||
if (blstate == NULL)
|
||||
blacklist_init();
|
||||
if (blstate == NULL)
|
||||
return;
|
||||
fd = packet_get_connection_in();
|
||||
if (!packet_connection_is_on_socket()) {
|
||||
fprintf(stderr, "packet_connection_is_on_socket: false "
|
||||
"(fd = %d)\n", fd);
|
||||
}
|
||||
(void)blacklist_r(blstate, action, fd, "ssh");
|
||||
}
|
31
crypto/openssh/blacklist_client.h
Normal file
31
crypto/openssh/blacklist_client.h
Normal file
@ -0,0 +1,31 @@
|
||||
/*-
|
||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This code is derived from software contributed to The NetBSD Foundation
|
||||
* by Christos Zoulas.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
void blacklist_notify(int);
|
||||
void blacklist_init(void);
|
@ -86,6 +86,9 @@ __RCSID("$FreeBSD$");
|
||||
#include "packet.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
#ifdef PACKET_DEBUG
|
||||
#define DBG(x) x
|
||||
@ -2071,6 +2074,9 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
|
||||
case SSH_ERR_NO_KEX_ALG_MATCH:
|
||||
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
|
||||
if (ssh && ssh->kex && ssh->kex->failed_choice) {
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
fatal("Unable to negotiate with %.200s port %d: %s. "
|
||||
"Their offer: %s", ssh_remote_ipaddr(ssh),
|
||||
ssh_remote_port(ssh), ssh_err(r),
|
||||
|
@ -135,6 +135,9 @@ __RCSID("$FreeBSD$");
|
||||
#include "ssh-sandbox.h"
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
#ifdef USE_BLACKLIST
|
||||
#include "blacklist_client.h"
|
||||
#endif
|
||||
|
||||
#ifdef LIBWRAP
|
||||
#include <tcpd.h>
|
||||
@ -388,6 +391,9 @@ grace_alarm_handler(int sig)
|
||||
kill(0, SIGTERM);
|
||||
}
|
||||
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_notify(1);
|
||||
#endif
|
||||
/* Log error and exit. */
|
||||
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
|
||||
}
|
||||
@ -649,6 +655,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_init();
|
||||
#endif
|
||||
|
||||
/* Demote the child */
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
/* Change our root directory */
|
||||
@ -1272,6 +1282,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
for (i = 0; i < options.max_startups; i++)
|
||||
startup_pipes[i] = -1;
|
||||
|
||||
#ifdef USE_BLACKLIST
|
||||
blacklist_init();
|
||||
#endif
|
||||
/*
|
||||
* Stay listening for connections until the system crashes or
|
||||
* the daemon is killed with a signal.
|
||||
|
@ -40,6 +40,13 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
|
||||
LIBADD+= bsm
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
|
||||
SRCS+= blacklist.c
|
||||
LIBADD+= blacklist
|
||||
LDFLAGS+=-L${LIBBLACKLISTDIR}
|
||||
.endif
|
||||
|
||||
.if ${MK_KERBEROS_SUPPORT} != "no"
|
||||
CFLAGS+= -include krb5_config.h
|
||||
SRCS+= krb5_config.h
|
||||
|
Loading…
Reference in New Issue
Block a user