xref: /minix3/external/bsd/blacklist/diff/ssh.diff (revision 0a6a1f1d05b60e214de2f05a7310ddd1f0e590e7)
1--- /dev/null	2015-01-22 23:10:33.000000000 -0500
2+++ dist/pfilter.c	2015-01-22 23:46:03.000000000 -0500
3@@ -0,0 +1,27 @@
4+#include "namespace.h"
5+#include "ssh.h"
6+#include "packet.h"
7+#include "log.h"
8+#include "pfilter.h"
9+#include <blacklist.h>
10+
11+static struct blacklist *blstate;
12+
13+void
14+pfilter_init(void)
15+{
16+	blstate = blacklist_open();
17+}
18+
19+void
20+pfilter_notify(int a)
21+{
22+	int fd;
23+	if (blstate == NULL)
24+		pfilter_init();
25+	if (blstate == NULL)
26+		return;
27+	// XXX: 3?
28+ 	fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
29+	(void)blacklist_r(blstate, a, fd, "ssh");
30+}
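Review bot: The fallback `: 3` in pfilter_notify (already marked `// XXX: 3?`) hands a hard-coded descriptor to blacklist_r whenever the connection is not on a socket, so the report may be tied to whatever descriptor 3 happens to be rather than to the peer. If no usable connection descriptor exists, skipping the report and logging that fact seems safer than guessing. Failures are also silent: a NULL from blacklist_open and the discarded blacklist_r result leave no trace, although log.h is already included. A line such as `debug("pfilter: blacklist_open failed");` in the second `blstate == NULL` branch would let an operator see that blocking is inactive. The lazy pfilter_init() call can also run after the process has been chrooted or sandboxed, where the open may presumably fail; that deserves a comment.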
31--- /dev/null	2015-01-20 21:14:44.000000000 -0500
32+++ dist/pfilter.h	2015-01-20 20:16:20.000000000 -0500
33@@ -0,0 +1,3 @@
34+
35+void pfilter_notify(int);
36+void pfilter_init(void);
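Review bot: The header has no include guard, and the `int` argument of pfilter_notify is unnamed and undocumented, so a caller must read pfilter.c to know what to pass. The call sites in this patch pass `!authenticated` and `1`, which suggests that non-zero means a failed attempt and zero a success. Stating that once, e.g. `void pfilter_notify(int failed); /* 0 = auth succeeded, non-zero = failed attempt */`, would keep an inverted call from silently reporting successful logins as abuse. Confirm the meaning against the blacklist_r documentation before committing the comment.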
37Index: bin/sshd/Makefile
38===================================================================
39RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
40retrieving revision 1.10
41diff -u -u -r1.10 Makefile
42--- bin/sshd/Makefile	19 Oct 2014 16:30:58 -0000	1.10
43+++ bin/sshd/Makefile	22 Jan 2015 21:39:21 -0000
44@@ -15,7 +15,7 @@
45 	auth2-none.c auth2-passwd.c auth2-pubkey.c \
46 	monitor_mm.c monitor.c monitor_wrap.c \
47 	kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
48-	roaming_common.c roaming_serv.c sandbox-rlimit.c
49+	roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
50
51 COPTS.auth-options.c=	-Wno-pointer-sign
52 COPTS.ldapauth.c=	-Wno-format-nonliteral	# XXX: should fix
53@@ -68,3 +68,6 @@
54
55 LDADD+=	-lwrap
56 DPADD+=	${LIBWRAP}
57+
58+LDADD+=	-lblacklist
59+DPADD+=	${LIBBLACKLIST}
60Index: dist/auth.c
61===================================================================
62RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
63retrieving revision 1.10
64diff -u -u -r1.10 auth.c
65--- dist/auth.c	19 Oct 2014 16:30:58 -0000	1.10
66+++ dist/auth.c	22 Jan 2015 21:39:22 -0000
67@@ -62,6 +62,7 @@
68 #include "monitor_wrap.h"
69 #include "krl.h"
70 #include "compat.h"
71+#include "pfilter.h"
72
73 #ifdef HAVE_LOGIN_CAP
74 #include <login_cap.h>
75@@ -362,6 +363,8 @@
76 	    compat20 ? "ssh2" : "ssh1",
77 	    authctxt->info != NULL ? ": " : "",
78 	    authctxt->info != NULL ? authctxt->info : "");
79+	if (!authctxt->postponed)
80+		pfilter_notify(!authenticated);
81 	free(authctxt->info);
82 	authctxt->info = NULL;
83 }
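Review bot: The new `if (!authctxt->postponed) pfilter_notify(!authenticated);` reports every non-postponed failure, with no filter on which method failed or on partial success, so results that sshd itself may not count as failures can still reach the blacklist daemon. Clients commonly probe with the `none` method before real authentication, and multi-step logins produce intermediate results. If those arrive here with `authenticated` zero, a legitimate user adds a failure on every login and can hit the blocking threshold, which is a lockout risk for administrators behind shared addresses. Consider limiting the report to results that also increment the server's own failure counter, or add a comment above the `if` explaining why every failure is meant to count. The enclosing function starts outside the hunk, so the variables available for such a filter need to be checked there.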
84Index: dist/sshd.c
85===================================================================
86RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
87retrieving revision 1.15
88diff -u -u -r1.15 sshd.c
89--- dist/sshd.c	28 Oct 2014 21:36:16 -0000	1.15
90+++ dist/sshd.c	22 Jan 2015 21:39:22 -0000
91@@ -109,6 +109,7 @@
92 #include "roaming.h"
93 #include "ssh-sandbox.h"
94 #include "version.h"
95+#include "pfilter.h"
96
97 #ifdef LIBWRAP
98 #include <tcpd.h>
99@@ -364,6 +365,7 @@
100 		killpg(0, SIGTERM);
101 	}
102
103+	pfilter_notify(1);
104 	/* Log error and exit. */
105 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
106 }
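Review bot: `pfilter_notify(1);` is added directly before `sigdie(...)`, which suggests this is the login-grace timeout signal handler, and pfilter_notify is not written to be async-signal-safe. Per pfilter.c it may call blacklist_open() lazily and then blacklist_r(), which presumably allocate memory and do socket I/O. If the signal interrupts the main flow inside the allocator or a similar non-reentrant routine, the handler can deadlock or corrupt heap state in a pre-authentication, network-reachable process. A safer shape is to ensure the blacklist state is opened before the alarm is armed and to keep the handler to async-signal-safe calls, or to send the report from a path that does not run in signal context. The function starts outside the hunk, so confirm the context there.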
107@@ -1160,6 +1162,7 @@
108 	for (i = 0; i < options.max_startups; i++)
109 		startup_pipes[i] = -1;
110
111+	pfilter_init();
112 	/*
113 	 * Stay listening for connections until the system crashes or
114 	 * the daemon is killed with a signal.
115Index: auth1.c
116===================================================================
117RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
118retrieving revision 1.9
119diff -u -u -r1.9 auth1.c
120--- auth1.c	19 Oct 2014 16:30:58 -0000	1.9
121+++ auth1.c	14 Feb 2015 15:40:51 -0000
122@@ -41,6 +41,7 @@
123 #endif
124 #include "monitor_wrap.h"
125 #include "buffer.h"
126+#include "pfilter.h"
127
128 /* import */
129 extern ServerOptions options;
130@@ -445,6 +446,7 @@
131 	else {
132 		debug("do_authentication: invalid user %s", user);
133 		authctxt->pw = fakepw();
134+		pfilter_notify(1);
135 	}
136
137 	/* Configuration may have changed as a result of Match */
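Review bot: An invalid user name is reported here with `pfilter_notify(1);`, and the same attempt will presumably be reported again by the hook this patch adds in auth.c when the failed authentication is logged, so one attempt may count as two or more failures. The identical addition in the auth2.c hunk (after `input_userauth_request: invalid user`) has the same effect. The effective blocking threshold then depends on whether the name exists, which is hard for an operator to reason about when tuning the daemon. If the extra weight for unknown users is intended, say so with a comment such as `/* count unknown users in addition to the auth failure logged later */`; otherwise drop one of the two reports. Both enclosing functions extend beyond their hunks.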
138Index: auth2.c
139===================================================================
140RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
141retrieving revision 1.9
142diff -u -u -r1.9 auth2.c
143--- auth2.c	19 Oct 2014 16:30:58 -0000	1.9
144+++ auth2.c	14 Feb 2015 15:40:51 -0000
145@@ -52,6 +52,7 @@
146 #include "pathnames.h"
147 #include "buffer.h"
148 #include "canohost.h"
149+#include "pfilter.h"
150
151 #ifdef GSSAPI
152 #include "ssh-gss.h"
153@@ -256,6 +257,7 @@
154 		} else {
155 			logit("input_userauth_request: invalid user %s", user);
156 			authctxt->pw = fakepw();
157+			pfilter_notify(1);
158 		}
159 #ifdef USE_PAM
160 		if (options.use_pam)
161Index: sshd.c
162===================================================================
163RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
164retrieving revision 1.16
165diff -u -r1.16 sshd.c
166--- sshd.c	25 Jan 2015 15:52:44 -0000	1.16
167+++ sshd.c	14 Feb 2015 09:55:06 -0000
168@@ -628,6 +628,8 @@
169 	explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
170 	endpwent();
171
172+	pfilter_init();
173+
174 	/* Change our root directory */
175 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
176 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
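Review bot: The placement of `pfilter_init();` ahead of the `chroot()` call matters but is not explained. pfilter_notify opens the blacklist state lazily, and after the chroot and privilege drop that open would presumably fail because the daemon's socket is no longer reachable, silently disabling reporting from the pre-auth child. A comment such as `/* open blacklist state before chroot(); it cannot be opened from inside the privsep jail */` would keep a later reordering from breaking this. Because pfilter_init() returns void, a failed open here is invisible as well; a debug-level log in pfilter_init would help. The enclosing function continues outside the hunk.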
177
178