Add blacklist support to sshd

Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
This commit is contained in:
Kurt Lidl 2016-06-07 16:18:09 +00:00
parent 3707d4d3e3
commit c0cc364181
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=301551
9 changed files with 152 additions and 0 deletions

View File

@ -98,6 +98,9 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
extern ServerOptions options;
extern Buffer loginmsg;
@ -794,6 +797,9 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
return (0);
}
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,

View File

@ -75,6 +75,9 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
/* import */
extern ServerOptions options;
@ -306,6 +309,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
#ifdef USE_BLACKLIST
if (!authctxt->postponed)
blacklist_notify(!authenticated);
#endif
free(authctxt->info);
authctxt->info = NULL;
@ -640,6 +647,9 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN

View File

@ -43,6 +43,9 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
/* import */
extern ServerOptions options;
@ -337,6 +340,9 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@ -404,6 +410,9 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
}
/* Configuration may have changed as a result of Match */

View File

@ -52,6 +52,9 @@ __RCSID("$FreeBSD$");
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef GSSAPI
#include "ssh-gss.h"
@ -248,6 +251,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif

View File

@ -0,0 +1,64 @@
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "ssh.h"
#include "packet.h"
#include "log.h"
#include "blacklist_client.h"
#include <blacklist.h>
static struct blacklist *blstate;
void
blacklist_init(void)
{
blstate = blacklist_open();
}
void
blacklist_notify(int action)
{
int fd;
if (blstate == NULL)
blacklist_init();
if (blstate == NULL)
return;
fd = packet_get_connection_in();
if (!packet_connection_is_on_socket()) {
fprintf(stderr, "packet_connection_is_on_socket: false "
"(fd = %d)\n", fd);
}
(void)blacklist_r(blstate, action, fd, "ssh");
}

View File

@ -0,0 +1,31 @@
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
void blacklist_notify(int);
void blacklist_init(void);

View File

@ -86,6 +86,9 @@ __RCSID("$FreeBSD$");
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef PACKET_DEBUG
#define DBG(x) x
@ -2071,6 +2074,9 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),

View File

@ -135,6 +135,9 @@ __RCSID("$FreeBSD$");
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
#ifdef USE_BLACKLIST
#include "blacklist_client.h"
#endif
#ifdef LIBWRAP
#include <tcpd.h>
@ -388,6 +391,9 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
#ifdef USE_BLACKLIST
blacklist_notify(1);
#endif
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@ -649,6 +655,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
#ifdef USE_BLACKLIST
blacklist_init();
#endif
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
@ -1272,6 +1282,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
#ifdef USE_BLACKLIST
blacklist_init();
#endif
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.

View File

@ -40,6 +40,13 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
LIBADD+= bsm
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
SRCS+= blacklist.c
LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
SRCS+= krb5_config.h