Source-Changes-HG archive
[src/trunk]: src blacklist hooks
details: https://anonhg.NetBSD.org/src/rev/a51a1e18f484
branches: trunk
changeset: 335826:a51a1e18f484
user: christos <christos%NetBSD.org@localhost>
date: Sun Jan 25 15:52:44 2015 +0000
description:
blacklist hooks
diffstat:
crypto/external/bsd/openssh/bin/sshd/Makefile | 7 +++++--
crypto/external/bsd/openssh/dist/auth.c | 7 +++++--
crypto/external/bsd/openssh/dist/pfilter.c | 27 +++++++++++++++++++++++++++
crypto/external/bsd/openssh/dist/pfilter.h | 3 +++
crypto/external/bsd/openssh/dist/sshd.c | 7 +++++--
libexec/ftpd/Makefile | 6 +++++-
libexec/ftpd/ftpd.c | 10 ++++++++--
libexec/ftpd/pfilter.c | 24 ++++++++++++++++++++++++
libexec/ftpd/pfilter.h | 2 ++
9 files changed, 84 insertions(+), 9 deletions(-)
diffs (246 lines):
diff -r 710881567b0b -r a51a1e18f484 crypto/external/bsd/openssh/bin/sshd/Makefile
--- a/crypto/external/bsd/openssh/bin/sshd/Makefile Sun Jan 25 15:52:12 2015 +0000
+++ b/crypto/external/bsd/openssh/bin/sshd/Makefile Sun Jan 25 15:52:44 2015 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.10 2014/10/19 16:30:58 christos Exp $
+# $NetBSD: Makefile,v 1.11 2015/01/25 15:52:44 christos Exp $
.include <bsd.own.mk>
@@ -15,7 +15,7 @@
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-rlimit.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
@@ -68,3 +68,6 @@
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
diff -r 710881567b0b -r a51a1e18f484 crypto/external/bsd/openssh/dist/auth.c
--- a/crypto/external/bsd/openssh/dist/auth.c Sun Jan 25 15:52:12 2015 +0000
+++ b/crypto/external/bsd/openssh/dist/auth.c Sun Jan 25 15:52:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth.c,v 1.10 2014/10/19 16:30:58 christos Exp $ */
+/* $NetBSD: auth.c,v 1.11 2015/01/25 15:52:44 christos Exp $ */
/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth.c,v 1.10 2014/10/19 16:30:58 christos Exp $");
+__RCSID("$NetBSD: auth.c,v 1.11 2015/01/25 15:52:44 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
@@ -62,6 +62,7 @@
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
+#include "pfilter.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -362,6 +363,8 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+ if (!authctxt->postponed)
+ pfilter_notify(!authenticated);
free(authctxt->info);
authctxt->info = NULL;
}
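Review bot: The added `pfilter_notify(!authenticated)` reports every attempt that is not postponed, whatever the method, so an attempt that is expected to fail (an initial `none` request, or an offered public key the server does not accept) would presumably count towards a block just like a wrong password. If that is not intended, gate the call on the method and state the rule in a comment such as `/* report to blacklistd; postponed attempts are not failures */`. The enclosing function begins outside this hunk, so whether `authenticated` can be 0 for a partial success here cannot be confirmed from these lines.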
diff -r 710881567b0b -r a51a1e18f484 crypto/external/bsd/openssh/dist/pfilter.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/external/bsd/openssh/dist/pfilter.c Sun Jan 25 15:52:44 2015 +0000
@@ -0,0 +1,27 @@
+#include "namespace.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+pfilter_init()
+{
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+}
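Review bot: When the connection is not on a socket, `pfilter_notify` falls back to descriptor `3`, which the author's own `// XXX: 3?` marks as a guess; if that descriptor is not the client connection, the daemon is handed the wrong endpoint to attribute the event to, or none at all. Either skip the report in that case (`if (!packet_connection_is_on_socket()) return;`) or document why 3 is the right descriptor. The result of `blacklist_r()` is cast to void and a failed `blacklist_open()` is silent, so an administrator cannot tell when reporting is not working; `log.h` is already included, so a `debug()` line on either failure would cost little. `pfilter_init()` is also defined with empty parentheses while pfilter.h declares `pfilter_init(void)`.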
diff -r 710881567b0b -r a51a1e18f484 crypto/external/bsd/openssh/dist/pfilter.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/external/bsd/openssh/dist/pfilter.h Sun Jan 25 15:52:44 2015 +0000
@@ -0,0 +1,3 @@
+
+void pfilter_notify(int);
+void pfilter_init(void);
diff -r 710881567b0b -r a51a1e18f484 crypto/external/bsd/openssh/dist/sshd.c
--- a/crypto/external/bsd/openssh/dist/sshd.c Sun Jan 25 15:52:12 2015 +0000
+++ b/crypto/external/bsd/openssh/dist/sshd.c Sun Jan 25 15:52:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sshd.c,v 1.15 2014/10/28 21:36:16 joerg Exp $ */
+/* $NetBSD: sshd.c,v 1.16 2015/01/25 15:52:44 christos Exp $ */
/* $OpenBSD: sshd.c,v 1.428 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -44,7 +44,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: sshd.c,v 1.15 2014/10/28 21:36:16 joerg Exp $");
+__RCSID("$NetBSD: sshd.c,v 1.16 2015/01/25 15:52:44 christos Exp $");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/ioctl.h>
@@ -109,6 +109,7 @@
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
+#include "pfilter.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -364,6 +365,7 @@
killpg(0, SIGTERM);
}
+ pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
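Review bot: `pfilter_notify(1)` is added immediately before `sigdie()`, which suggests this code runs in a signal handler (the function starts outside the hunk), and `pfilter_notify` as added in pfilter.c can call `blacklist_open()` when the state is still NULL and then `blacklist_r()`. Nothing in this commit shows either call to be async-signal-safe, so the handler may end up allocating or doing socket I/O from signal context. Make sure the state is opened before the timer is armed and record the constraint at the call, e.g. `/* signal context: blacklist state must already be open */`. The literal `1` would also read better with a comment or a named constant meaning "failure".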
@@ -1160,6 +1162,7 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+ pfilter_init();
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
diff -r 710881567b0b -r a51a1e18f484 libexec/ftpd/Makefile
--- a/libexec/ftpd/Makefile Sun Jan 25 15:52:12 2015 +0000
+++ b/libexec/ftpd/Makefile Sun Jan 25 15:52:44 2015 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.63 2011/08/14 11:46:28 christos Exp $
+# $NetBSD: Makefile,v 1.64 2015/01/25 15:53:49 christos Exp $
# @(#)Makefile 8.2 (Berkeley) 4/4/94
.include <bsd.own.mk>
@@ -11,6 +11,10 @@
MAN= ftpd.conf.5 ftpusers.5 ftpd.8
MLINKS= ftpusers.5 ftpchroot.5
+SRCS+= pfilter.c
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
+
.if defined(NO_INTERNAL_LS)
CPPFLAGS+=-DNO_INTERNAL_LS
.else
diff -r 710881567b0b -r a51a1e18f484 libexec/ftpd/ftpd.c
--- a/libexec/ftpd/ftpd.c Sun Jan 25 15:52:12 2015 +0000
+++ b/libexec/ftpd/ftpd.c Sun Jan 25 15:52:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ftpd.c,v 1.200 2013/07/31 19:50:47 christos Exp $ */
+/* $NetBSD: ftpd.c,v 1.201 2015/01/25 15:53:49 christos Exp $ */
/*
* Copyright (c) 1997-2009 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
#if 0
static char sccsid[] = "@(#)ftpd.c 8.5 (Berkeley) 4/28/95";
#else
-__RCSID("$NetBSD: ftpd.c,v 1.200 2013/07/31 19:50:47 christos Exp $");
+__RCSID("$NetBSD: ftpd.c,v 1.201 2015/01/25 15:53:49 christos Exp $");
#endif
#endif /* not lint */
@@ -165,6 +165,8 @@
#include <security/pam_appl.h>
#endif
+#include "pfilter.h"
+
#define GLOBAL
#include "extern.h"
#include "pathnames.h"
@@ -471,6 +473,8 @@
if (EMPTYSTR(confdir))
confdir = _DEFAULT_CONFDIR;
+ pfilter_open();
+
if (dowtmp) {
#ifdef SUPPORT_UTMPX
ftpd_initwtmpx();
@@ -1401,6 +1405,7 @@
if (rval) {
reply(530, "%s", rval == 2 ? "Password expired." :
"Login incorrect.");
+ pfilter_notify(1, rval == 2 ? "exppass" : "badpass");
if (logging) {
syslog(LOG_NOTICE,
"FTP LOGIN FAILED FROM %s", remoteloghost);
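Review bot: The ftpd hooks report only failures: this call and the `bannedhost` one in the next hunk both pass a literal `1`, and no hunk in ftpd.c reports a successful login, whereas the sshd hook passes `!authenticated` and so reports both outcomes. If the daemon makes use of the success report, ftpd should send one after a good login; if it does not, a comment should say why the two daemons differ. A short comment such as `/* 1 = authentication failure */` at the call would document the first argument. The enclosing function starts and ends outside the hunk.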
@@ -1444,6 +1449,7 @@
*remote_ip = 0;
remote_ip[sizeof(remote_ip) - 1] = 0;
if (!auth_hostok(lc, remotehost, remote_ip)) {
+ pfilter_notify(1, "bannedhost");
syslog(LOG_INFO|LOG_AUTH,
"FTP LOGIN FAILED (HOST) as %s: permission denied.",
pw->pw_name);
diff -r 710881567b0b -r a51a1e18f484 libexec/ftpd/pfilter.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/libexec/ftpd/pfilter.c Sun Jan 25 15:52:44 2015 +0000
@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <blacklist.h>
+
+#include "pfilter.h"
+
+static struct blacklist *blstate;
+
+void
+pfilter_open(void)
+{
+ if (blstate == NULL)
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int what, const char *msg)
+{
+ pfilter_open();
+
+ if (blstate == NULL)
+ return;
+
+ blacklist_r(blstate, what, 0, msg);
+}
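Review bot: `blacklist_r(blstate, what, 0, msg)` hard-codes descriptor `0` as the client connection, which holds only while the control connection is on standard input; say so in a comment or use `STDIN_FILENO` (with `<unistd.h>`), e.g. `/* control connection is on stdin */`. The return value is dropped here without the `(void)` cast the sshd copy uses, and a failed `blacklist_open()` is retried on every call without being logged. The two pfilter.h interfaces also differ (`pfilter_open`/`pfilter_notify(int, const char *)` here, `pfilter_init`/`pfilter_notify(int)` in sshd); aligning the names would make the hooks easier to audit.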
diff -r 710881567b0b -r a51a1e18f484 libexec/ftpd/pfilter.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/libexec/ftpd/pfilter.h Sun Jan 25 15:52:44 2015 +0000
@@ -0,0 +1,2 @@
+void pfilter_open(void);
+void pfilter_notify(int, const char *);