NetBSD-Bugs archive


bin/59214: blocklist: ssh: Add Failed PAM authentication probe



>Number:         59214
>Category:       bin
>Synopsis:       blocklist: ssh: Add Failed PAM authentication probe
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 25 21:10:00 +0000 2025
>Originator:     Jose Luis Duran
>Release:        trunk
>Organization:
>Environment:
>Description:
When a failed PAM authentication attempt is received, blocklistd should count it towards the total allowed number of failures.
Also, there is a probe under monitor.c that often gets logged along with other offenses, effectively counting as two (+2) failures towards the maximum allowed.

>How-To-Repeat:
Try to authenticate an SSH session using PAM and check blocklistd logs.

>Fix:
Subject: [PATCH] blocklist: ssh: Add Failed PAM authentication probe

Also remove the probe from monitor.c, as it will count twice towards
nfails.

Obtained from:	FreeBSD
---
 crypto/external/bsd/openssh/dist/auth-pam.c | 2 ++
 crypto/external/bsd/openssh/dist/monitor.c  | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/external/bsd/openssh/dist/auth-pam.c b/crypto/external/bsd/openssh/dist/auth-pam.c
index ce60b9898f7f..834298ca08d8 100644
--- a/crypto/external/bsd/openssh/dist/auth-pam.c
+++ b/crypto/external/bsd/openssh/dist/auth-pam.c
@@ -119,6 +119,7 @@ __RCSID("$NetBSD: auth-pam.c,v 1.23 2024/07/11 17:26:53 riastradh Exp $");
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "pfilter.h"

 extern ServerOptions options;
 extern struct sshbuf *loginmsg;
@@ -958,6 +959,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				sshbuf_free(buffer);
 				return (0);
 			}
+			pfilter_notify(1);
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user, sshpam_rhost);
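Review bot: the new `pfilter_notify(1)` sits after the `return (0)` path visible just above it, so a failure that leaves through that early return is never counted; confirm that branch is only the case where a prompt is still pending for the client and not a terminal authentication failure, otherwise that path needs its own notify. Placing the call directly before the existing `error("PAM: %s for %s%.100s from %.100s", ...)` line is otherwise the right spot, since that is the line that already reports the failed PAM attempt, and the notification and the log entry now stay in step.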
diff --git a/crypto/external/bsd/openssh/dist/monitor.c b/crypto/external/bsd/openssh/dist/monitor.c
index bd9ab72fc72f..ca10b4ab5968 100644
--- a/crypto/external/bsd/openssh/dist/monitor.c
+++ b/crypto/external/bsd/openssh/dist/monitor.c
@@ -1273,7 +1273,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
 	} else {
 		/* Log failed attempt */
 		auth_log(ssh, 0, 0, auth_method, NULL);
-		pfilter_notify(1);
 		free(cuser);
 		free(chost);
 	}
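Review bot: this drops the only `pfilter_notify(1)` visible in the key-rejected branch of `mm_answer_keyallowed()`, which handles publickey and hostbased failures (note the `cuser`/`chost` cleanup), not PAM; make sure those attempts are still counted on another path, for example next to the `auth_log(ssh, 0, 0, auth_method, NULL)` call that remains here, otherwise a client that only ever offers rejected keys and never reaches PAM would no longer accumulate failures. The commit message explains the double count for PAM-backed attempts, but it says nothing about what now counts a pure key failure; a sentence on that in the PR text would help.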
--
Jose Luis Duran


