1df83713dSchristos--- /dev/null	2015-01-22 23:10:33.000000000 -0500
2df83713dSchristos+++ dist/pfilter.c	2015-01-22 23:46:03.000000000 -0500
3df83713dSchristos@@ -0,0 +1,32 @@
4df83713dSchristos+#include "namespace.h"
5df83713dSchristos+#include "includes.h"
6df83713dSchristos+#include "ssh.h"
7df83713dSchristos+#include "packet.h"
8df83713dSchristos+#include "log.h"
9df83713dSchristos+#include "pfilter.h"
10df83713dSchristos+#include <blocklist.h>
11df83713dSchristos+
12df83713dSchristos+static struct blocklist *blstate;
13df83713dSchristos+
14df83713dSchristos+void
15df83713dSchristos+pfilter_init(void)
16df83713dSchristos+{
17df83713dSchristos+	blstate = blocklist_open();
18df83713dSchristos+}
19df83713dSchristos+
20df83713dSchristos+void
21df83713dSchristos+pfilter_notify(int a)
22df83713dSchristos+{
23df83713dSchristos+	int fd;
24df83713dSchristos+	if (blstate == NULL)
25df83713dSchristos+		pfilter_init();
26df83713dSchristos+	if (blstate == NULL)
27df83713dSchristos+		return;
28df83713dSchristos+	// XXX: 3?
29df83713dSchristos+ 	fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
30df83713dSchristos+	(void)blocklist_r(blstate, a, fd, "ssh");
31df83713dSchristos+	if (a == 0) {
32df83713dSchristos+		blocklist_close(blstate);
33df83713dSchristos+		blstate = NULL;
34df83713dSchristos+	}
35df83713dSchristos+}
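Review bot: The fallback on the `fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;` line hands blocklist_r() a hard-coded descriptor 3, and the `// XXX: 3?` just above shows the author was not sure it is the client connection; if the library uses that descriptor to identify the peer (inferred from the fd argument, not visible here), a wrong descriptor makes the report name the wrong address, so the fallback needs either a stated justification or an early return when the connection is not on a socket. I would replace the XXX with a comment that states the assumption, e.g. `/* XXX: assumes fd 3 is the client socket when not connected via a socket; verify */`. The parameter `a` should carry a meaningful name in the definition and in the pfilter.h prototype, such as `action`, with a comment that non-zero reports a failure while 0 reports success and closes the handle, as the `if (a == 0)` branch shows. The `(void)blocklist_r(...)` cast is fine for best-effort reporting but deserves a one-line comment saying the result is deliberately ignored.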
36df83713dSchristos--- /dev/null	2015-01-20 21:14:44.000000000 -0500
37df83713dSchristos+++ dist/pfilter.h	2015-01-20 20:16:20.000000000 -0500
38df83713dSchristos@@ -0,0 +1,3 @@
39df83713dSchristos+
40df83713dSchristos+void pfilter_notify(int);
41df83713dSchristos+void pfilter_init(void);
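Review bot: The new header has no include guard, and its prototypes drop the parameter name that would tell a reader what `void pfilter_notify(int);` expects. Wrap the declarations in `#ifndef PFILTER_H` / `#define PFILTER_H` / `#endif` and name the parameter, `void pfilter_notify(int action);`, using the same name as the definition in pfilter.c.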
42df83713dSchristosIndex: bin/sshd/Makefile
43df83713dSchristos===================================================================
44df83713dSchristosRCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
45df83713dSchristosretrieving revision 1.10
46df83713dSchristosdiff -u -u -r1.10 Makefile
47df83713dSchristos--- bin/sshd/Makefile	19 Oct 2014 16:30:58 -0000	1.10
48df83713dSchristos+++ bin/sshd/Makefile	22 Jan 2015 21:39:21 -0000
49df83713dSchristos@@ -15,7 +15,7 @@
50df83713dSchristos 	auth2-none.c auth2-passwd.c auth2-pubkey.c \
51df83713dSchristos 	monitor_mm.c monitor.c monitor_wrap.c \
52df83713dSchristos 	kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
53df83713dSchristos-	roaming_common.c roaming_serv.c sandbox-rlimit.c
54df83713dSchristos+	roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
55df83713dSchristos
56df83713dSchristos COPTS.auth-options.c=	-Wno-pointer-sign
57df83713dSchristos COPTS.ldapauth.c=	-Wno-format-nonliteral	# XXX: should fix
58df83713dSchristos@@ -68,3 +68,6 @@
59df83713dSchristos
60df83713dSchristos LDADD+=	-lwrap
61df83713dSchristos DPADD+=	${LIBWRAP}
62df83713dSchristos+
63df83713dSchristos+LDADD+=	-lblocklist
64*a51582d4Schristos+DPADD+=	${LIBBLOCKLIST}
65df83713dSchristosdiff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
66df83713dSchristos--- openssh-7.7p1/auth-pam.c	2018-04-02 01:38:28.000000000 -0400
67df83713dSchristos+++ dist/auth-pam.c	2018-05-23 11:56:22.206661484 -0400
68df83713dSchristos@@ -103,6 +103,7 @@
69df83713dSchristos #include "ssh-gss.h"
70df83713dSchristos #endif
71df83713dSchristos #include "monitor_wrap.h"
72df83713dSchristos+#include "pfilter.h"
73df83713dSchristos
74df83713dSchristos extern ServerOptions options;
75df83713dSchristos extern Buffer loginmsg;
76df83713dSchristos@@ -526,6 +527,7 @@
77df83713dSchristos 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
78df83713dSchristos 	else
79df83713dSchristos 		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
80df83713dSchristos+	pfilter_notify(1);
81df83713dSchristos 	buffer_free(&buffer);
82df83713dSchristos 	pthread_exit(NULL);
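Review bot: `pfilter_notify(1)` runs inside the PAM conversation thread right before `pthread_exit(NULL)`, and it reads and may lazily initialize the file-scope `blstate` in pfilter.c with no synchronization. Where this "thread" is the fork-based emulation the child has its own copy and the lazily opened handle is simply dropped at exit; where real POSIX threads are used the unlocked access races with the main thread (inferred from the pthread call, not visible on this page). A comment at the call site stating which model is assumed, e.g. `/* runs in the PAM thread/child; touches unsynchronized pfilter state */`, would make the intent checkable. The other call added in this file, in the @@ -804 hunk, is in a different function whose execution context I cannot tell from here, and the enclosing function of this hunk starts and ends outside it.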
83df83713dSchristos
84df83713dSchristos@@ -804,6 +806,7 @@
85df83713dSchristos 				free(msg);
86df83713dSchristos 				return (0);
87df83713dSchristos 			}
88df83713dSchristos+			pfilter_notify(1);
89df83713dSchristos 			error("PAM: %s for %s%.100s from %.100s", msg,
90df83713dSchristos 			    sshpam_authctxt->valid ? "" : "illegal user ",
91df83713dSchristos 			    sshpam_authctxt->user,
92df83713dSchristosdiff -ru openssh-7.7p1/auth2.c dist/auth2.c
93df83713dSchristos--- openssh-7.7p1/auth2.c	2018-04-02 01:38:28.000000000 -0400
94df83713dSchristos+++ dist/auth2.c	2018-05-23 11:57:31.022197317 -0400
95df83713dSchristos@@ -51,6 +51,7 @@
96df83713dSchristos #include "dispatch.h"
97df83713dSchristos #include "pathnames.h"
98df83713dSchristos #include "buffer.h"
99df83713dSchristos+#include "pfilter.h"
100df83713dSchristos
101df83713dSchristos #ifdef GSSAPI
102df83713dSchristos #include "ssh-gss.h"
103df83713dSchristos@@ -242,6 +243,7 @@
104df83713dSchristos 		} else {
105df83713dSchristos 			/* Invalid user, fake password information */
106df83713dSchristos 			authctxt->pw = fakepw();
107df83713dSchristos+			pfilter_notify(1);
108df83713dSchristos #ifdef SSH_AUDIT_EVENTS
109df83713dSchristos 			PRIVSEP(audit_event(SSH_INVALID_USER));
110df83713dSchristos #endif
111df83713dSchristosOnly in dist: pfilter.c
112df83713dSchristosOnly in dist: pfilter.h
113df83713dSchristosdiff -ru openssh-7.7p1/sshd.c dist/sshd.c
114df83713dSchristos--- openssh-7.7p1/sshd.c	2018-04-02 01:38:28.000000000 -0400
115df83713dSchristos+++ dist/sshd.c	2018-05-23 11:59:39.573197347 -0400
116df83713dSchristos@@ -122,6 +122,7 @@
117df83713dSchristos #include "auth-options.h"
118df83713dSchristos #include "version.h"
119df83713dSchristos #include "ssherr.h"
120df83713dSchristos+#include "pfilter.h"
121df83713dSchristos
122df83713dSchristos /* Re-exec fds */
123df83713dSchristos #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
124df83713dSchristos@@ -346,6 +347,7 @@
125df83713dSchristos static void
126df83713dSchristos grace_alarm_handler(int sig)
127df83713dSchristos {
128df83713dSchristos+	pfilter_notify(1);
129df83713dSchristos 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
130df83713dSchristos 		kill(pmonitor->m_pid, SIGALRM);
131df83713dSchristos
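Review bot: `pfilter_notify(1)` is the first statement of the SIGALRM handler `grace_alarm_handler`, and nothing on the page shows blocklist_open(), blocklist_r() or packet_connection_is_on_socket() to be async-signal-safe; if they allocate or perform socket I/O, calling them from a handler that can interrupt arbitrary code risks a deadlock or corrupted state. If the handler goes on to exit the process the exposure is limited to this one call, but it is still worth either recording the timeout in a `volatile sig_atomic_t` flag and reporting from the normal path, or at least annotating the call with `/* XXX not known to be async-signal-safe; invoked from a signal handler */`. The handler's body continues past the hunk.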
132df83713dSchristos@@ -1835,6 +1837,8 @@
133df83713dSchristos 	if (test_flag)
134df83713dSchristos 		exit(0);
135df83713dSchristos
136df83713dSchristos+	pfilter_init();
137df83713dSchristos+
138df83713dSchristos 	/*
139df83713dSchristos 	 * Clear out any supplemental groups we may have inherited.  This
140df83713dSchristos 	 * prevents inadvertent creation of files with bad modes (in the
141df83713dSchristos@@ -2280,6 +2284,9 @@
142df83713dSchristos {
143df83713dSchristos 	struct ssh *ssh = active_state; /* XXX */
144df83713dSchristos
145df83713dSchristos+	if (i == 255)
146df83713dSchristos+		pfilter_notify(1);
147df83713dSchristos+
148df83713dSchristos 	if (the_authctxt) {
149df83713dSchristos 		do_cleanup(ssh, the_authctxt);
150df83713dSchristos 		if (use_privsep && privsep_is_preauth &&
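Review bot: `if (i == 255) pfilter_notify(1);` keys the failure report on a bare exit status; in OpenSSH 255 is the status fatal() passes to cleanup_exit(), so any fatal error, not only authentication-related ones, would be reported as a failed attempt, and a reader cannot tell that from the literal. Add a comment naming the assumption, `/* 255: exit status used by fatal(); count a fatal error as a failed attempt */`, and consider whether it should be limited to the pre-authentication phase (inferred; the enclosing function's signature and remainder are outside the hunk).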