1*0a6a1f1dSLionel Sambuc--- /dev/null 2015-01-22 23:10:33.000000000 -0500
2*0a6a1f1dSLionel Sambuc+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
3*0a6a1f1dSLionel Sambuc@@ -0,0 +1,27 @@
4*0a6a1f1dSLionel Sambuc+#include "namespace.h"
5*0a6a1f1dSLionel Sambuc+#include "ssh.h"
6*0a6a1f1dSLionel Sambuc+#include "packet.h"
7*0a6a1f1dSLionel Sambuc+#include "log.h"
8*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
9*0a6a1f1dSLionel Sambuc+#include <blacklist.h>
10*0a6a1f1dSLionel Sambuc+
11*0a6a1f1dSLionel Sambuc+static struct blacklist *blstate;
12*0a6a1f1dSLionel Sambuc+
13*0a6a1f1dSLionel Sambuc+void
14*0a6a1f1dSLionel Sambuc+pfilter_init(void)
15*0a6a1f1dSLionel Sambuc+{
16*0a6a1f1dSLionel Sambuc+ blstate = blacklist_open();
17*0a6a1f1dSLionel Sambuc+}
18*0a6a1f1dSLionel Sambuc+
19*0a6a1f1dSLionel Sambuc+void
20*0a6a1f1dSLionel Sambuc+pfilter_notify(int a)
21*0a6a1f1dSLionel Sambuc+{
22*0a6a1f1dSLionel Sambuc+ int fd;
23*0a6a1f1dSLionel Sambuc+ if (blstate == NULL)
24*0a6a1f1dSLionel Sambuc+ pfilter_init();
25*0a6a1f1dSLionel Sambuc+ if (blstate == NULL)
26*0a6a1f1dSLionel Sambuc+ return;
27*0a6a1f1dSLionel Sambuc+ // XXX: 3?
28*0a6a1f1dSLionel Sambuc+ fd = packet_connection_is_on_socket() ?
packet_get_connection_in() : 3;
29*0a6a1f1dSLionel Sambuc+ (void)blacklist_r(blstate, a, fd, "ssh");
30*0a6a1f1dSLionel Sambuc+}
31*0a6a1f1dSLionel Sambuc--- /dev/null 2015-01-20 21:14:44.000000000 -0500
32*0a6a1f1dSLionel Sambuc+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
33*0a6a1f1dSLionel Sambuc@@ -0,0 +1,3 @@
34*0a6a1f1dSLionel Sambuc+
35*0a6a1f1dSLionel Sambuc+void pfilter_notify(int);
36*0a6a1f1dSLionel Sambuc+void pfilter_init(void);
37*0a6a1f1dSLionel SambucIndex: bin/sshd/Makefile
38*0a6a1f1dSLionel Sambuc===================================================================
39*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
40*0a6a1f1dSLionel Sambucretrieving revision 1.10
41*0a6a1f1dSLionel Sambucdiff -u -u -r1.10 Makefile
42*0a6a1f1dSLionel Sambuc--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
43*0a6a1f1dSLionel Sambuc+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
44*0a6a1f1dSLionel Sambuc@@ -15,7 +15,7 @@
45*0a6a1f1dSLionel Sambuc auth2-none.c auth2-passwd.c auth2-pubkey.c \
46*0a6a1f1dSLionel Sambuc monitor_mm.c monitor.c monitor_wrap.c \
47*0a6a1f1dSLionel Sambuc kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
48*0a6a1f1dSLionel Sambuc- roaming_common.c roaming_serv.c sandbox-rlimit.c
49*0a6a1f1dSLionel Sambuc+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
50*0a6a1f1dSLionel Sambuc 
51*0a6a1f1dSLionel Sambuc COPTS.auth-options.c= -Wno-pointer-sign
52*0a6a1f1dSLionel Sambuc COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
53*0a6a1f1dSLionel Sambuc@@ -68,3 +68,6 @@
54*0a6a1f1dSLionel Sambuc 
55*0a6a1f1dSLionel Sambuc LDADD+= -lwrap
56*0a6a1f1dSLionel Sambuc DPADD+= ${LIBWRAP}
57*0a6a1f1dSLionel Sambuc+
58*0a6a1f1dSLionel Sambuc+LDADD+= -lblacklist
59*0a6a1f1dSLionel Sambuc+DPADD+= ${LIBBLACKLIST}
60*0a6a1f1dSLionel SambucIndex: dist/auth.c
61*0a6a1f1dSLionel Sambuc===================================================================
62*0a6a1f1dSLionel SambucRCS
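Review bot: In pfilter_notify the fallback in `packet_connection_is_on_socket() ? packet_get_connection_in() : 3` reports a hard-coded descriptor 3, and the `// XXX: 3?` above it shows the value was a guess; nothing in the hunk guarantees that descriptor 3 is the peer connection, so an event may be attributed to the wrong endpoint or to none. Returning early is safer than guessing: `if (!packet_connection_is_on_socket()) return;`. The results of `blacklist_open()` and `blacklist_r()` are also discarded, so a daemon that is down or unreachable leaves no trace for the operator; a debug-level log line on failure would make a silently disabled filter visible. The new pfilter.h has no include guard and its `pfilter_notify(int)` prototype does not say what the argument means; a comment such as `/* 0 = successful auth, non-zero = failure */` would document what the callers in this patch pass.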
file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
63*0a6a1f1dSLionel Sambucretrieving revision 1.10
64*0a6a1f1dSLionel Sambucdiff -u -u -r1.10 auth.c
65*0a6a1f1dSLionel Sambuc--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
66*0a6a1f1dSLionel Sambuc+++ dist/auth.c 22 Jan 2015 21:39:22 -0000
67*0a6a1f1dSLionel Sambuc@@ -62,6 +62,7 @@
68*0a6a1f1dSLionel Sambuc #include "monitor_wrap.h"
69*0a6a1f1dSLionel Sambuc #include "krl.h"
70*0a6a1f1dSLionel Sambuc #include "compat.h"
71*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
72*0a6a1f1dSLionel Sambuc 
73*0a6a1f1dSLionel Sambuc #ifdef HAVE_LOGIN_CAP
74*0a6a1f1dSLionel Sambuc #include <login_cap.h>
75*0a6a1f1dSLionel Sambuc@@ -362,6 +363,8 @@
76*0a6a1f1dSLionel Sambuc compat20 ? "ssh2" : "ssh1",
77*0a6a1f1dSLionel Sambuc authctxt->info != NULL ? ": " : "",
78*0a6a1f1dSLionel Sambuc authctxt->info != NULL ? authctxt->info : "");
79*0a6a1f1dSLionel Sambuc+ if (!authctxt->postponed)
80*0a6a1f1dSLionel Sambuc+ pfilter_notify(!authenticated);
81*0a6a1f1dSLionel Sambuc free(authctxt->info);
82*0a6a1f1dSLionel Sambuc authctxt->info = NULL;
83*0a6a1f1dSLionel Sambuc }
84*0a6a1f1dSLionel SambucIndex: dist/sshd.c
85*0a6a1f1dSLionel Sambuc===================================================================
86*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
87*0a6a1f1dSLionel Sambucretrieving revision 1.15
88*0a6a1f1dSLionel Sambucdiff -u -u -r1.15 sshd.c
89*0a6a1f1dSLionel Sambuc--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
90*0a6a1f1dSLionel Sambuc+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
91*0a6a1f1dSLionel Sambuc@@ -109,6 +109,7 @@
92*0a6a1f1dSLionel Sambuc #include "roaming.h"
93*0a6a1f1dSLionel Sambuc #include "ssh-sandbox.h"
94*0a6a1f1dSLionel Sambuc #include "version.h"
95*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
96*0a6a1f1dSLionel Sambuc 
97*0a6a1f1dSLionel Sambuc #ifdef LIBWRAP
98*0a6a1f1dSLionel Sambuc #include <tcpd.h>
99*0a6a1f1dSLionel Sambuc@@ -364,6 +365,7 @@
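Review bot: The added `pfilter_notify(!authenticated);` in the auth.c hunk at -362 looks like it counts an invalid-user attempt twice. The auth1.c and auth2.c hunks in this patch already call `pfilter_notify(1)` when the user lookup fails, and the same request presumably reaches this logging path again as a failed attempt. If one report per attempt is intended, skip this call for invalid accounts (the field to test is outside the hunk) or drop the two invalid-user calls; if the extra weight is deliberate, say so in a comment such as `/* invalid users are reported again at lookup time, on purpose */`. The enclosing function starts and ends outside the hunk.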
100*0a6a1f1dSLionel Sambuc killpg(0, SIGTERM);
101*0a6a1f1dSLionel Sambuc }
102*0a6a1f1dSLionel Sambuc 
103*0a6a1f1dSLionel Sambuc+ pfilter_notify(1);
104*0a6a1f1dSLionel Sambuc /* Log error and exit. */
105*0a6a1f1dSLionel Sambuc sigdie("Timeout before authentication for %s", get_remote_ipaddr());
106*0a6a1f1dSLionel Sambuc }
107*0a6a1f1dSLionel Sambuc@@ -1160,6 +1162,7 @@
108*0a6a1f1dSLionel Sambuc for (i = 0; i < options.max_startups; i++)
109*0a6a1f1dSLionel Sambuc startup_pipes[i] = -1;
110*0a6a1f1dSLionel Sambuc 
111*0a6a1f1dSLionel Sambuc+ pfilter_init();
112*0a6a1f1dSLionel Sambuc /*
113*0a6a1f1dSLionel Sambuc * Stay listening for connections until the system crashes or
114*0a6a1f1dSLionel Sambuc * the daemon is killed with a signal.
115*0a6a1f1dSLionel SambucIndex: auth1.c
116*0a6a1f1dSLionel Sambuc===================================================================
117*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
118*0a6a1f1dSLionel Sambucretrieving revision 1.9
119*0a6a1f1dSLionel Sambucdiff -u -u -r1.9 auth1.c
120*0a6a1f1dSLionel Sambuc--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
121*0a6a1f1dSLionel Sambuc+++ auth1.c 14 Feb 2015 15:40:51 -0000
122*0a6a1f1dSLionel Sambuc@@ -41,6 +41,7 @@
123*0a6a1f1dSLionel Sambuc #endif
124*0a6a1f1dSLionel Sambuc #include "monitor_wrap.h"
125*0a6a1f1dSLionel Sambuc #include "buffer.h"
126*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
127*0a6a1f1dSLionel Sambuc 
128*0a6a1f1dSLionel Sambuc /* import */
129*0a6a1f1dSLionel Sambuc extern ServerOptions options;
130*0a6a1f1dSLionel Sambuc@@ -445,6 +446,7 @@
131*0a6a1f1dSLionel Sambuc else {
132*0a6a1f1dSLionel Sambuc debug("do_authentication: invalid user %s", user);
133*0a6a1f1dSLionel Sambuc authctxt->pw = fakepw();
134*0a6a1f1dSLionel Sambuc+ pfilter_notify(1);
135*0a6a1f1dSLionel Sambuc }
136*0a6a1f1dSLionel Sambuc 
137*0a6a1f1dSLionel Sambuc /* Configuration may have changed as a result of Match */
138*0a6a1f1dSLionel SambucIndex:
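Review bot: The `pfilter_notify(1);` added in the sshd.c hunk at -364 sits directly before `sigdie("Timeout before authentication ...")`, which suggests it runs in the login-grace alarm handler, i.e. in signal context. pfilter_notify may lazily call pfilter_init() and then blacklist_r(), and nothing in this patch shows those library calls to be async-signal-safe; a call that allocates or takes a lock there can hang or corrupt the pre-authentication process instead of letting it exit. At minimum the handler path should never trigger the lazy open, and the call deserves a comment such as `/* signal context: relies on blacklist_r() being async-signal-safe */` once that has been confirmed against the library. The handler's body starts outside the hunk.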
auth2.c
139*0a6a1f1dSLionel Sambuc===================================================================
140*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
141*0a6a1f1dSLionel Sambucretrieving revision 1.9
142*0a6a1f1dSLionel Sambucdiff -u -u -r1.9 auth2.c
143*0a6a1f1dSLionel Sambuc--- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
144*0a6a1f1dSLionel Sambuc+++ auth2.c 14 Feb 2015 15:40:51 -0000
145*0a6a1f1dSLionel Sambuc@@ -52,6 +52,7 @@
146*0a6a1f1dSLionel Sambuc #include "pathnames.h"
147*0a6a1f1dSLionel Sambuc #include "buffer.h"
148*0a6a1f1dSLionel Sambuc #include "canohost.h"
149*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
150*0a6a1f1dSLionel Sambuc 
151*0a6a1f1dSLionel Sambuc #ifdef GSSAPI
152*0a6a1f1dSLionel Sambuc #include "ssh-gss.h"
153*0a6a1f1dSLionel Sambuc@@ -256,6 +257,7 @@
154*0a6a1f1dSLionel Sambuc } else {
155*0a6a1f1dSLionel Sambuc logit("input_userauth_request: invalid user %s", user);
156*0a6a1f1dSLionel Sambuc authctxt->pw = fakepw();
157*0a6a1f1dSLionel Sambuc+ pfilter_notify(1);
158*0a6a1f1dSLionel Sambuc }
159*0a6a1f1dSLionel Sambuc #ifdef USE_PAM
160*0a6a1f1dSLionel Sambuc if (options.use_pam)
161*0a6a1f1dSLionel SambucIndex: sshd.c
162*0a6a1f1dSLionel Sambuc===================================================================
163*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
164*0a6a1f1dSLionel Sambucretrieving revision 1.16
165*0a6a1f1dSLionel Sambucdiff -u -r1.16 sshd.c
166*0a6a1f1dSLionel Sambuc--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
167*0a6a1f1dSLionel Sambuc+++ sshd.c 14 Feb 2015 09:55:06 -0000
168*0a6a1f1dSLionel Sambuc@@ -628,6 +628,8 @@
169*0a6a1f1dSLionel Sambuc explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
170*0a6a1f1dSLionel Sambuc endpwent();
171*0a6a1f1dSLionel Sambuc 
172*0a6a1f1dSLionel Sambuc+ pfilter_init();
173*0a6a1f1dSLionel Sambuc+
174*0a6a1f1dSLionel Sambuc /* Change our root directory */
175*0a6a1f1dSLionel Sambuc if
(chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
176*0a6a1f1dSLionel Sambuc fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
177*0a6a1f1dSLionel Sambuc 
178
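Review bot: The reason `pfilter_init();` has to come before `chroot()` is not recorded anywhere in the hunk, yet the ordering is what the feature depends on. Presumably the blacklist daemon's socket is not reachable under _PATH_PRIVSEP_CHROOT_DIR, in which case the lazy retry inside pfilter_notify cannot succeed after this point; a comment such as `/* open the blacklist handle before chroot(); its socket is not reachable afterwards */` would stop a later reorder from silently disabling notifications. The handle also stays open in the unprivileged pre-auth child after privileges are dropped, so the daemon on the other end has to treat what arrives on it as untrusted input, which is worth stating in the commit description. The function continues outside the hunk.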