head 1.11; access; symbols perseant-exfatfs-base-20250801:1.11 perseant-exfatfs-base-20240630:1.11 perseant-exfatfs:1.11.0.6 perseant-exfatfs-base:1.11 netbsd-8-3-RELEASE:1.8 netbsd-9-4-RELEASE:1.10 netbsd-9-3-RELEASE:1.10 cjep_sun2x:1.11.0.4 cjep_sun2x-base:1.11 cjep_staticlib_x-base1:1.11 netbsd-9-2-RELEASE:1.10 cjep_staticlib_x:1.11.0.2 cjep_staticlib_x-base:1.11 netbsd-9-1-RELEASE:1.10 phil-wifi-20200421:1.10 phil-wifi-20200411:1.10 is-mlppp:1.10.0.6 is-mlppp-base:1.10 phil-wifi-20200406:1.10 netbsd-8-2-RELEASE:1.8 netbsd-9-0-RELEASE:1.10 netbsd-9-0-RC2:1.10 netbsd-9-0-RC1:1.10 phil-wifi-20191119:1.10 netbsd-9:1.10.0.4 netbsd-9-base:1.10 phil-wifi-20190609:1.10 netbsd-8-1-RELEASE:1.8 netbsd-8-1-RC1:1.8 pgoyette-compat-merge-20190127:1.9.4.1 pgoyette-compat-20190127:1.10 pgoyette-compat-20190118:1.10 pgoyette-compat-1226:1.10 pgoyette-compat-1126:1.10 pgoyette-compat-1020:1.10 pgoyette-compat-0930:1.10 pgoyette-compat-0906:1.10 netbsd-7-2-RELEASE:1.6.2.2 pgoyette-compat-0728:1.10 netbsd-8-0-RELEASE:1.8 phil-wifi:1.10.0.2 phil-wifi-base:1.10 pgoyette-compat-0625:1.10 netbsd-8-0-RC2:1.8 pgoyette-compat-0521:1.9 pgoyette-compat-0502:1.9 pgoyette-compat-0422:1.9 netbsd-8-0-RC1:1.8 pgoyette-compat-0415:1.9 pgoyette-compat-0407:1.9 pgoyette-compat-0330:1.9 pgoyette-compat-0322:1.9 pgoyette-compat-0315:1.9 netbsd-7-1-2-RELEASE:1.6.2.2 pgoyette-compat:1.9.0.4 pgoyette-compat-base:1.9 netbsd-7-1-1-RELEASE:1.6.2.2 matt-nb8-mediatek:1.8.0.10 matt-nb8-mediatek-base:1.8 perseant-stdc-iso10646:1.9.0.2 perseant-stdc-iso10646-base:1.9 netbsd-8:1.8.0.8 netbsd-8-base:1.8 prg-localcount2-base3:1.8 prg-localcount2-base2:1.8 prg-localcount2-base1:1.8 prg-localcount2:1.8.0.6 prg-localcount2-base:1.8 pgoyette-localcount-20170426:1.8 bouyer-socketcan-base1:1.8 pgoyette-localcount-20170320:1.8 netbsd-7-1:1.6.2.2.0.6 netbsd-7-1-RELEASE:1.6.2.2 netbsd-7-1-RC2:1.6.2.2 netbsd-7-nhusb-base-20170116:1.6.2.2 bouyer-socketcan:1.8.0.4 bouyer-socketcan-base:1.8 pgoyette-localcount-20170107:1.8 
netbsd-7-1-RC1:1.6.2.2 pgoyette-localcount-20161104:1.8 netbsd-7-0-2-RELEASE:1.6.2.2 localcount-20160914:1.8 netbsd-7-nhusb:1.6.2.2.0.4 netbsd-7-nhusb-base:1.6.2.2 pgoyette-localcount-20160806:1.8 pgoyette-localcount-20160726:1.8 pgoyette-localcount:1.8.0.2 pgoyette-localcount-base:1.8 netbsd-7-0-1-RELEASE:1.6.2.2 netbsd-7-0:1.6.2.2.0.2 netbsd-7-0-RELEASE:1.6.2.2 netbsd-7-0-RC3:1.6.2.2 netbsd-7-0-RC2:1.6.2.2 netbsd-7-0-RC1:1.6.2.2 netbsd-7:1.6.0.2; locks; strict; comment @# @; 1.11 date 2020.06.15.01.57.32; author christos; state dead; branches; next 1.10; commitid 1zJ7owqywyzYigcC; 1.10 date 2018.05.23.16.03.07; author christos; state Exp; branches; next 1.9; commitid kV7sZW3CzF4RdrDA; 1.9 date 2017.06.26.17.12.05; author christos; state Exp; branches 1.9.4.1; next 1.8; commitid NTqaKeRM87Q9fUWz; 1.8 date 2016.01.23.00.05.38; author christos; state Exp; branches; next 1.7; commitid bpOqGrdRj43mhZRy; 1.7 date 2015.05.30.21.05.18; author christos; state Exp; branches; next 1.6; commitid wGiIQXKDFyoNTvny; 1.6 date 2015.02.14.19.05.59; author christos; state Exp; branches 1.6.2.1; next 1.5; commitid 06jxLeft2aM7C0ay; 1.5 date 2015.02.14.15.42.17; author christos; state Exp; branches; next 1.4; commitid ugcQnYwPKc6euZ9y; 1.4 date 2015.01.23.23.28.45; author christos; state Exp; branches; next 1.3; commitid VQ0R7gCSGTCmLc7y; 1.3 date 2015.01.23.04.46.53; author christos; state Exp; branches; next 1.2; commitid GA4c7nBhMLzfz67y; 1.2 date 2015.01.22.21.42.06; author christos; state Exp; branches; next 1.1; commitid WYIvCkXQsl5wd47y; 1.1 date 2015.01.22.15.29.27; author christos; state Exp; branches; next ; commitid vB4nL7RH0mVC927y; 1.9.4.1 date 2018.06.25.07.25.12; author pgoyette; state Exp; branches; next ; commitid 8PtAu9af7VvhiDHA; 1.6.2.1 date 2015.02.14.19.05.59; author riz; state dead; branches; next 1.6.2.2; commitid HvseHc4xVzxnTzjy; 1.6.2.2 date 2015.04.30.06.07.33; author riz; state Exp; branches; next ; commitid HvseHc4xVzxnTzjy; desc @@ 1.11 log @Rename 
blacklist -> blocklist @ text @--- /dev/null 2015-01-22 23:10:33.000000000 -0500
+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
@@@@ -0,0 +1,32 @@@@
+#include "namespace.h"
+#include "includes.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include
+
+static struct blacklist *blstate;
+
+void
+pfilter_init(void)
+{
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+ if (a == 0) {
+ blacklist_close(blstate);
+ blstate = NULL;
+ }
+}
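Review bot: The fallback descriptor `3` in `pfilter_notify` is a magic number that the code itself questions (`// XXX: 3?`): when `packet_connection_is_on_socket()` is false, `blacklist_r` is handed whatever is open on fd 3, so a failure may be attributed to the wrong peer or to none (hedged, since the library is not shown here). Either skip the report in that case, `if (!packet_connection_is_on_socket()) return;`, or name the constant and say in a comment why fd 3 is the connection. The parameter `a` also deserves a one-line comment: from the visible code, `0` closes the handle (apparently the success case) and the call sites in this patch pass `1` for failures. The older copy of this hunk in the 1.6.2.2 revision text further down has the same fallback.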
--- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 @@@@ -0,0 +1,3 @@@@ + +void pfilter_notify(int); +void pfilter_init(void); Index: bin/sshd/Makefile =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v retrieving revision 1.10 diff -u -u -r1.10 Makefile --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 @@@@ -15,7 +15,7 @@@@ auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c \ kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ - roaming_common.c roaming_serv.c sandbox-rlimit.c + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c COPTS.auth-options.c= -Wno-pointer-sign COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix @@@@ -68,3 +68,6 @@@@ LDADD+= -lwrap DPADD+= ${LIBWRAP} + +LDADD+= -lblacklist +DPADD+= ${LIBBLACKLIST} diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c --- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 @@@@ -103,6 +103,7 @@@@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "pfilter.h" extern ServerOptions options; extern Buffer loginmsg; @@@@ -526,6 +527,7 @@@@ ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer); else ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); + pfilter_notify(1); buffer_free(&buffer); pthread_exit(NULL); @@@@ -804,6 +806,7 @@@@ free(msg); return (0); } + pfilter_notify(1); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? 
"" : "illegal user ", sshpam_authctxt->user, diff -ru openssh-7.7p1/auth2.c dist/auth2.c --- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 @@@@ -51,6 +51,7 @@@@ #include "dispatch.h" #include "pathnames.h" #include "buffer.h" +#include "pfilter.h" #ifdef GSSAPI #include "ssh-gss.h" @@@@ -242,6 +243,7 @@@@ } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); + pfilter_notify(1); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Only in dist: pfilter.c Only in dist: pfilter.h diff -ru openssh-7.7p1/sshd.c dist/sshd.c --- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400 @@@@ -122,6 +122,7 @@@@ #include "auth-options.h" #include "version.h" #include "ssherr.h" +#include "pfilter.h" /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@@@ -346,6 +347,7 @@@@ static void grace_alarm_handler(int sig) { + pfilter_notify(1); if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) kill(pmonitor->m_pid, SIGALRM); @@@@ -1835,6 +1837,8 @@@@ if (test_flag) exit(0); + pfilter_init(); + /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the @@@@ -2280,6 +2284,9 @@@@ { struct ssh *ssh = active_state; /* XXX */ + if (i == 255) + pfilter_notify(1); + if (the_authctxt) { do_cleanup(ssh, the_authctxt); if (use_privsep && privsep_is_preauth && @ 1.10 log @refresh the diffs to the latest portable @ text @@ 1.9 log @amend the patch to close. 
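Review bot: The `pfilter_notify(1)` added at the top of `grace_alarm_handler` runs in signal-handler context, and nothing visible shows that path to be async-signal-safe: `pfilter_notify` may call `pfilter_init()` and so `blacklist_open()` when `blstate` is NULL, and then `blacklist_r`, which presumably allocates or does socket I/O. If the alarm interrupts code that holds allocator or stdio state, the handler can deadlock or corrupt memory in a pre-authentication process. At minimum the lazy-open path should not be reachable from here, and the constraint should be recorded next to the call, e.g. `/* SIGALRM context: pfilter_notify() must only use async-signal-safe calls */`. The handler body continues outside the hunk.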
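Review bot: The test `if (i == 255)` in the last sshd.c hunk uses a bare exit status to decide that a connection counts as a failure, with no comment saying what 255 stands for. If it is the fatal-error exit status, then every fatal exit is reported to the blocklist daemon regardless of cause, which could count against a legitimate client whose session died for a local reason; that inference should be confirmed against the callers. A comment such as `/* 255: fatal exit; report it as a failed attempt */` would make the intent reviewable. The enclosing function's signature is outside the hunk.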
@ text @d65 5 a69 63 Index: dist/auth.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v retrieving revision 1.10 diff -u -u -r1.10 auth.c --- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 +++ dist/auth.c 22 Jan 2015 21:39:22 -0000 @@@@ -62,6 +62,7 @@@@ #include "monitor_wrap.h" #include "krl.h" #include "compat.h" +#include "pfilter.h" #ifdef HAVE_LOGIN_CAP #include @@@@ -362,6 +363,8 @@@@ compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? authctxt->info : ""); + if (!authctxt->postponed) + pfilter_notify(!authenticated); free(authctxt->info); authctxt->info = NULL; } Index: dist/sshd.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v retrieving revision 1.15 diff -u -u -r1.15 sshd.c --- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 +++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 @@@@ -109,6 +109,7 @@@@ #include "roaming.h" #include "ssh-sandbox.h" #include "version.h" +#include "pfilter.h" #ifdef LIBWRAP #include @@@@ -364,6 +365,7 @@@@ killpg(0, SIGTERM); } + pfilter_notify(1); /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@@@ -1160,6 +1162,7 @@@@ for (i = 0; i < options.max_startups; i++) startup_pipes[i] = -1; + pfilter_init(); /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. 
Index: auth1.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v retrieving revision 1.9 diff -u -u -r1.9 auth1.c --- auth1.c 19 Oct 2014 16:30:58 -0000 1.9 +++ auth1.c 14 Feb 2015 15:40:51 -0000 @@@@ -41,6 +41,7 @@@@ a71 1 #include "buffer.h" a73 1 /* import */ d75 8 a82 6 @@@@ -445,6 +446,7 @@@@ else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); + pfilter_notify(1); } d84 13 a96 9 /* Configuration may have changed as a result of Match */ Index: auth2.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v retrieving revision 1.9 diff -u -u -r1.9 auth2.c --- auth2.c 19 Oct 2014 16:30:58 -0000 1.9 +++ auth2.c 14 Feb 2015 15:40:51 -0000 @@@@ -52,6 +52,7 @@@@ a98 1 #include "canohost.h" d103 1 a103 1 @@@@ -256,6 +257,7 @@@@ d105 1 a105 1 logit("input_userauth_request: invalid user %s", user); d108 27 a134 13 } #ifdef USE_PAM if (options.use_pam) Index: sshd.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v retrieving revision 1.16 diff -u -r1.16 sshd.c --- sshd.c 25 Jan 2015 15:52:44 -0000 1.16 +++ sshd.c 14 Feb 2015 09:55:06 -0000 @@@@ -628,6 +628,8 @@@@ explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd)); endpwent(); d138 6 a143 16 /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, Index: auth-pam.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v retrieving revision 1.7 diff -u -u -r1.7 auth-pam.c --- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7 +++ auth-pam.c 23 Jan 2016 00:01:16 -0000 @@@@ -114,6 +114,7 @@@@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "pfilter.h" d145 1 a145 21 extern ServerOptions 
options; extern Buffer loginmsg; @@@@ -809,6 +810,7 @@@@ free(msg); return (0); } + pfilter_notify(1); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, Index: auth.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v retrieving revision 1.15 diff -u -u -r1.15 auth.c --- auth.c 21 Aug 2015 08:20:59 -0000 1.15 +++ auth.c 23 Jan 2016 00:01:16 -0000 @@@@ -656,6 +656,7 @@@@ pw = getpwnam(user); if (pw == NULL) { d147 4 a150 18 logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); return (NULL); Index: auth1.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v retrieving revision 1.12 diff -u -u -r1.12 auth1.c --- auth1.c 3 Jul 2015 00:59:59 -0000 1.12 +++ auth1.c 23 Jan 2016 00:01:16 -0000 @@@@ -376,6 +376,7 @@@@ char *msg; size_t len; + pfilter_notify(1); error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); @ 1.9.4.1 log @Sync with HEAD @ text @d65 63 a127 5 diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c --- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 @@@@ -103,6 +103,7 @@@@ #include "ssh-gss.h" d130 1 d133 1 d135 6 a140 8 extern Buffer loginmsg; @@@@ -526,6 +527,7 @@@@ ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer); else ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); + pfilter_notify(1); buffer_free(&buffer); pthread_exit(NULL); d142 9 a150 13 @@@@ -804,6 +806,7 @@@@ free(msg); return (0); } + pfilter_notify(1); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? 
"" : "illegal user ", sshpam_authctxt->user, diff -ru openssh-7.7p1/auth2.c dist/auth2.c --- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 @@@@ -51,6 +51,7 @@@@ #include "dispatch.h" d153 1 d158 1 a158 1 @@@@ -242,6 +243,7 @@@@ d160 1 a160 1 /* Invalid user, fake password information */ d163 29 a191 2 #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); d193 1 a193 9 Only in dist: pfilter.c Only in dist: pfilter.h diff -ru openssh-7.7p1/sshd.c dist/sshd.c --- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400 @@@@ -122,6 +122,7 @@@@ #include "auth-options.h" #include "version.h" #include "ssherr.h" d196 18 a213 9 /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@@@ -346,6 +347,7 @@@@ static void grace_alarm_handler(int sig) { + pfilter_notify(1); if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) kill(pmonitor->m_pid, SIGALRM); d215 16 a230 3 @@@@ -1835,6 +1837,8 @@@@ if (test_flag) exit(0); d232 4 a235 15 + pfilter_init(); + /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the @@@@ -2280,6 +2284,9 @@@@ { struct ssh *ssh = active_state; /* XXX */ + if (i == 255) + pfilter_notify(1); + if (the_authctxt) { do_cleanup(ssh, the_authctxt); if (use_privsep && privsep_is_preauth && @ 1.8 log @add more points. 
@ text @d3 1 a3 1 @@@@ -0,0 +1,28 @@@@ d31 4 @ 1.7 log @add prototype @ text @d3 1 a3 1 @@@@ -0,0 +1,27 @@@@ d5 1 d179 53 @ 1.6 log @one more pfilter_init() @ text @d14 1 a14 1 +pfilter_init() @ 1.6.2.1 log @file ssh.diff was added on branch netbsd-7 on 2015-04-30 06:07:33 +0000 @ text @d1 177 @ 1.6.2.2 log @Pull up blacklistd(8), requested by christos in ticket #711: crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1024 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1536 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.1.1.1 crypto/external/bsd/openssh/dist/bcrypt_pbkdf.c up to 1.2 crypto/external/bsd/openssh/dist/kexc25519.c up to 1.3 crypto/external/bsd/openssh/dist/smult_curve25519_ref.c up to 1.3 crypto/external/bsd/openssh/dist/bitmap.c up to 1.2 plus patch crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 up to 1.1.1.1 crypto/external/bsd/openssh/dist/PROTOCOL.key up to 1.1.1.1 crypto/external/bsd/openssh/dist/blf.h up to 1.1 crypto/external/bsd/openssh/dist/blocks.c up to 1.3 crypto/external/bsd/openssh/dist/blowfish.c up to 1.2 crypto/external/bsd/openssh/dist/chacha.c up to 1.3 crypto/external/bsd/openssh/dist/chacha.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-aesctr.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/cipher-aesctr.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-chachapoly.c up to 1.3 
crypto/external/bsd/openssh/dist/cipher-chachapoly.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/crypto_api.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/digest-libc.c up to 1.3 crypto/external/bsd/openssh/dist/digest-openssl.c up to 1.3 crypto/external/bsd/openssh/dist/digest.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ed25519.c up to 1.3 crypto/external/bsd/openssh/dist/fe25519.c up to 1.3 crypto/external/bsd/openssh/dist/fe25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ge25519.c up to 1.3 crypto/external/bsd/openssh/dist/ge25519.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ge25519_base.data up to 1.1.1.1 crypto/external/bsd/openssh/dist/hash.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/kexc25519c.c up to 1.3 crypto/external/bsd/openssh/dist/kexc25519s.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/rijndael.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/rijndael.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/sc25519.c up to 1.3 crypto/external/bsd/openssh/dist/sc25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.h up to 1.4 crypto/external/bsd/openssh/dist/ssherr.c up to 1.3 crypto/external/bsd/openssh/dist/ssherr.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/sshkey.c up to 1.3 crypto/external/bsd/openssh/dist/sshkey.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/verify.c up to 1.3 crypto/external/bsd/openssh/dist/opacket.c up to 1.2 crypto/external/bsd/openssh/dist/umac128.c up to 1.1 
crypto/external/bsd/openssh/dist/pfilter.c up to 1.2 crypto/external/bsd/openssh/dist/pfilter.h up to 1.1 crypto/external/bsd/openssh/dist/bitmap.h up to 1.2 crypto/external/bsd/openssh/dist/opacket.h up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.c up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.h up to 1.2 crypto/external/bsd/openssh/dist/auth2-jpake.c delete crypto/external/bsd/openssh/dist/compress.c delete crypto/external/bsd/openssh/dist/compress.h delete crypto/external/bsd/openssh/dist/jpake.c delete crypto/external/bsd/openssh/dist/jpake.h delete crypto/external/bsd/openssh/dist/schnorr.c delete crypto/external/bsd/openssh/dist/schnorr.h delete crypto/external/bsd/openssh/dist/strtonum.c 1.1 crypto/external/bsd/openssh/Makefile.inc up to 1.8 crypto/external/bsd/openssh/bin/Makefile.inc up to 1.3 crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.2 crypto/external/bsd/openssh/bin/sshd/Makefile up to 1.12 crypto/external/bsd/openssh/dist/PROTOCOL up to 1.5 crypto/external/bsd/openssh/dist/PROTOCOL.krl up to 1.1.1.2 crypto/external/bsd/openssh/dist/addrmatch.c up to 1.8 crypto/external/bsd/openssh/dist/atomicio.c up to 1.6 crypto/external/bsd/openssh/dist/auth-bsdauth.c up to 1.4 crypto/external/bsd/openssh/dist/auth-chall.c up to 1.6 crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.7 crypto/external/bsd/openssh/dist/auth-options.c up to 1.9 crypto/external/bsd/openssh/dist/auth-options.h up to 1.6 crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.4 crypto/external/bsd/openssh/dist/auth-rh-rsa.c up to 1.6 crypto/external/bsd/openssh/dist/auth-rhosts.c up to 1.5 crypto/external/bsd/openssh/dist/auth-rsa.c up to 1.10 crypto/external/bsd/openssh/dist/auth.c up to 1.12 crypto/external/bsd/openssh/dist/auth.h up to 1.10 crypto/external/bsd/openssh/dist/auth1.c up to 1.11 crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.7 crypto/external/bsd/openssh/dist/auth2-gss.c up to 1.8 crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 
1.7 crypto/external/bsd/openssh/dist/auth2-kbdint.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.4 crypto/external/bsd/openssh/dist/auth2-none.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-passwd.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.11 crypto/external/bsd/openssh/dist/auth2.c up to 1.11 crypto/external/bsd/openssh/dist/authfd.c up to 1.8 crypto/external/bsd/openssh/dist/authfd.h up to 1.5 crypto/external/bsd/openssh/dist/authfile.c up to 1.10 crypto/external/bsd/openssh/dist/authfile.h up to 1.6 crypto/external/bsd/openssh/dist/bufaux.c up to 1.7 crypto/external/bsd/openssh/dist/bufbn.c up to 1.5 crypto/external/bsd/openssh/dist/bufec.c up to 1.5 crypto/external/bsd/openssh/dist/buffer.c up to 1.6 crypto/external/bsd/openssh/dist/buffer.h up to 1.7 crypto/external/bsd/openssh/dist/canohost.c up to 1.8 crypto/external/bsd/openssh/dist/channels.c up to 1.13 crypto/external/bsd/openssh/dist/channels.h up to 1.10 crypto/external/bsd/openssh/dist/cipher-3des1.c up to 1.7 crypto/external/bsd/openssh/dist/cipher-bf1.c up to 1.6 crypto/external/bsd/openssh/dist/cipher.c up to 1.7 crypto/external/bsd/openssh/dist/cipher.h up to 1.7 crypto/external/bsd/openssh/dist/clientloop.c up to 1.13 crypto/external/bsd/openssh/dist/compat.c up to 1.9 crypto/external/bsd/openssh/dist/compat.h up to 1.6 crypto/external/bsd/openssh/dist/deattack.c up to 1.4 crypto/external/bsd/openssh/dist/deattack.h up to 1.4 crypto/external/bsd/openssh/dist/dh.c up to 1.8 crypto/external/bsd/openssh/dist/dh.h up to 1.4 crypto/external/bsd/openssh/dist/dispatch.c up to 1.5 crypto/external/bsd/openssh/dist/dispatch.h up to 1.4 crypto/external/bsd/openssh/dist/dns.c up to 1.11 crypto/external/bsd/openssh/dist/dns.h up to 1.6 crypto/external/bsd/openssh/dist/groupaccess.c up to 1.5 crypto/external/bsd/openssh/dist/gss-genr.c up to 1.7 crypto/external/bsd/openssh/dist/gss-serv-krb5.c up to 1.8 crypto/external/bsd/openssh/dist/gss-serv.c up to 1.7 
crypto/external/bsd/openssh/dist/hostfile.c up to 1.7 crypto/external/bsd/openssh/dist/hostfile.h up to 1.7 crypto/external/bsd/openssh/dist/includes.h up to 1.4 crypto/external/bsd/openssh/dist/kex.c up to 1.10 crypto/external/bsd/openssh/dist/kex.h up to 1.9 crypto/external/bsd/openssh/dist/kexdh.c up to 1.4 crypto/external/bsd/openssh/dist/kexdhc.c up to 1.6 crypto/external/bsd/openssh/dist/kexdhs.c up to 1.8 crypto/external/bsd/openssh/dist/kexecdh.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhc.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhs.c up to 1.5 crypto/external/bsd/openssh/dist/kexgex.c up to 1.4 crypto/external/bsd/openssh/dist/kexgexc.c up to 1.6 crypto/external/bsd/openssh/dist/kexgexs.c up to 1.8 crypto/external/bsd/openssh/dist/key.c up to 1.16 crypto/external/bsd/openssh/dist/key.h up to 1.9 crypto/external/bsd/openssh/dist/krl.c up to 1.5 crypto/external/bsd/openssh/dist/krl.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/mac.c up to 1.11 crypto/external/bsd/openssh/dist/mac.h up to 1.5 crypto/external/bsd/openssh/dist/match.c up to 1.5 crypto/external/bsd/openssh/dist/misc.c up to 1.10 crypto/external/bsd/openssh/dist/misc.h up to 1.9 plus patch crypto/external/bsd/openssh/dist/moduli.c up to 1.8 crypto/external/bsd/openssh/dist/monitor.c up to 1.14 crypto/external/bsd/openssh/dist/monitor.h up to 1.7 crypto/external/bsd/openssh/dist/monitor_fdpass.c up to 1.5 crypto/external/bsd/openssh/dist/monitor_mm.c up to 1.6 crypto/external/bsd/openssh/dist/monitor_mm.h up to 1.4 crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.11 crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.8 crypto/external/bsd/openssh/dist/msg.c up to 1.4 crypto/external/bsd/openssh/dist/msg.h up to 1.4 crypto/external/bsd/openssh/dist/mux.c up to 1.11 crypto/external/bsd/openssh/dist/myproposal.h up to 1.10 crypto/external/bsd/openssh/dist/namespace.h up to 1.5 crypto/external/bsd/openssh/dist/packet.c up to 1.18 
crypto/external/bsd/openssh/dist/packet.h up to 1.11 crypto/external/bsd/openssh/dist/pathnames.h up to 1.9 crypto/external/bsd/openssh/dist/pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/progressmeter.c up to 1.7 crypto/external/bsd/openssh/dist/progressmeter.h up to 1.4 crypto/external/bsd/openssh/dist/reallocarray.c new crypto/external/bsd/openssh/dist/readconf.c up to 1.13 crypto/external/bsd/openssh/dist/readconf.h up to 1.12 crypto/external/bsd/openssh/dist/readpass.c up to 1.6 crypto/external/bsd/openssh/dist/roaming_client.c up to 1.7 crypto/external/bsd/openssh/dist/roaming_common.c up to 1.9 crypto/external/bsd/openssh/dist/roaming_dummy.c up to 1.4 crypto/external/bsd/openssh/dist/rsa.c up to 1.5 crypto/external/bsd/openssh/dist/rsa.h up to 1.4 crypto/external/bsd/openssh/dist/sandbox-systrace.c up to 1.1.1.5 crypto/external/bsd/openssh/dist/scp.1 up to 1.9 crypto/external/bsd/openssh/dist/scp.c up to 1.11 crypto/external/bsd/openssh/dist/servconf.c up to 1.17 crypto/external/bsd/openssh/dist/servconf.h up to 1.11 crypto/external/bsd/openssh/dist/serverloop.c up to 1.12 crypto/external/bsd/openssh/dist/session.c up to 1.14 crypto/external/bsd/openssh/dist/session.h up to 1.4 crypto/external/bsd/openssh/dist/sftp-client.c up to 1.13 crypto/external/bsd/openssh/dist/sftp-client.h up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.c up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.h up to 1.5 crypto/external/bsd/openssh/dist/sftp-glob.c up to 1.8 crypto/external/bsd/openssh/dist/sftp-server.8 up to 1.9 crypto/external/bsd/openssh/dist/sftp-server.c up to 1.11 crypto/external/bsd/openssh/dist/sftp.1 up to 1.11 crypto/external/bsd/openssh/dist/sftp.c up to 1.15 crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.9 crypto/external/bsd/openssh/dist/ssh-add.c up to 1.10 crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.8 crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.14 crypto/external/bsd/openssh/dist/ssh-dss.c up to 1.7 
crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-gss.h up to 1.5 crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.13 crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.16 crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.10 crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.13 crypto/external/bsd/openssh/dist/ssh-keysign.8 up to 1.9 crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.7 crypto/external/bsd/openssh/dist/ssh.1 up to 1.14 crypto/external/bsd/openssh/dist/ssh.c up to 1.16 crypto/external/bsd/openssh/dist/ssh2.h up to 1.6 crypto/external/bsd/openssh/dist/ssh_config up to 1.8 crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.13 crypto/external/bsd/openssh/dist/sshconnect.c up to 1.11 crypto/external/bsd/openssh/dist/sshconnect.h up to 1.6 crypto/external/bsd/openssh/dist/sshconnect1.c up to 1.6 crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.19 crypto/external/bsd/openssh/dist/sshd.8 up to 1.13 crypto/external/bsd/openssh/dist/sshd.c up to 1.18 crypto/external/bsd/openssh/dist/sshd_config up to 1.13 crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.17 crypto/external/bsd/openssh/dist/sshlogin.c up to 1.6 crypto/external/bsd/openssh/dist/sshpty.c up to 1.4 crypto/external/bsd/openssh/dist/uidswap.c up to 1.4 crypto/external/bsd/openssh/dist/umac.c up to 1.9 crypto/external/bsd/openssh/dist/version.h up to 1.14 crypto/external/bsd/openssh/dist/xmalloc.c up to 1.5 crypto/external/bsd/openssh/lib/Makefile up to 1.17 plus patch crypto/external/bsd/openssh/lib/shlib_version up to 1.13 distrib/sets/lists/base/ad.aarch64 patch distrib/sets/lists/base/ad.arm patch distrib/sets/lists/base/ad.mips patch 
distrib/sets/lists/base/ad.powerpc patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/mi patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/comp/ad.aarch64 patch distrib/sets/lists/comp/ad.arm patch distrib/sets/lists/comp/ad.mips patch distrib/sets/lists/comp/ad.powerpc patch distrib/sets/lists/comp/md.amd64 patch distrib/sets/lists/comp/md.sparc64 patch distrib/sets/lists/comp/mi patch distrib/sets/lists/comp/shl.mi patch distrib/sets/lists/debug/ad.aarch64 patch distrib/sets/lists/debug/ad.arm patch distrib/sets/lists/debug/ad.mips patch distrib/sets/lists/debug/ad.powerpc patch distrib/sets/lists/debug/md.amd64 patch distrib/sets/lists/debug/md.sparc64 patch distrib/sets/lists/debug/shl.mi patch distrib/sets/lists/etc/mi patch distrib/sets/lists/man/mi patch etc/defaults/rc.conf 1.130 etc/mtree/NetBSD.dist.base 1.142 external/bsd/Makefile up to 1.48 external/bsd/blacklist/bin/Makefile up to 1.11 plus patch external/bsd/blacklist/bin/blacklistctl.8 up to 1.6 external/bsd/blacklist/bin/blacklistctl.c up to 1.17 external/bsd/blacklist/bin/blacklistd.8 up to 1.10 external/bsd/blacklist/bin/blacklistd.c up to 1.32 external/bsd/blacklist/bin/blacklistd.conf.5 up to 1.2 external/bsd/blacklist/bin/conf.c up to 1.18 external/bsd/blacklist/bin/conf.h up to 1.6 external/bsd/blacklist/bin/internal.c up to 1.5 external/bsd/blacklist/bin/internal.h up to 1.12 external/bsd/blacklist/bin/run.c up to 1.12 external/bsd/blacklist/bin/run.h up to 1.5 external/bsd/blacklist/bin/state.c up to 1.15 external/bsd/blacklist/bin/state.h up to 1.5 external/bsd/blacklist/bin/support.c up to 1.6 external/bsd/blacklist/bin/support.h up to 1.5 external/bsd/blacklist/etc/rc.d/Makefile up to 1.1 external/bsd/blacklist/etc/rc.d/blacklistd up to 1.1 external/bsd/blacklist/etc/Makefile up to 1.3 external/bsd/blacklist/etc/blacklistd.conf up to 1.3 external/bsd/blacklist/etc/npf.conf up to 1.1 external/bsd/blacklist/Makefile up 
to 1.2 external/bsd/blacklist/Makefile.inc up to 1.3 external/bsd/blacklist/README up to 1.7 external/bsd/blacklist/TODO up to 1.7 external/bsd/blacklist/diff/ftpd.diff up to 1.1 external/bsd/blacklist/diff/named.diff up to 1.6 external/bsd/blacklist/diff/ssh.diff up to 1.6 external/bsd/blacklist/include/Makefile up to 1.1 external/bsd/blacklist/include/bl.h up to 1.12 external/bsd/blacklist/include/blacklist.h up to 1.3 external/bsd/blacklist/include/config.h new external/bsd/blacklist/lib/Makefile up to 1.3 external/bsd/blacklist/lib/bl.c up to 1.24 external/bsd/blacklist/lib/blacklist.c up to 1.5 external/bsd/blacklist/lib/libblacklist.3 up to 1.3 external/bsd/blacklist/lib/shlib_version up to 1.1 external/bsd/blacklist/libexec/Makefile up to 1.1 external/bsd/blacklist/libexec/blacklistd-helper up to 1.4 external/bsd/blacklist/port/m4/.cvsignore up to 1.1 external/bsd/blacklist/port/Makefile.am up to 1.4 external/bsd/blacklist/port/_strtoi.h up to 1.1 external/bsd/blacklist/port/clock_gettime.c up to 1.2 external/bsd/blacklist/port/configure.ac up to 1.7 external/bsd/blacklist/port/fgetln.c up to 1.1 external/bsd/blacklist/port/fparseln.c up to 1.1 external/bsd/blacklist/port/getprogname.c up to 1.4 external/bsd/blacklist/port/pidfile.c up to 1.1 external/bsd/blacklist/port/popenve.c up to 1.2 external/bsd/blacklist/port/port.h up to 1.6 external/bsd/blacklist/port/sockaddr_snprintf.c up to 1.9 external/bsd/blacklist/port/strlcat.c up to 1.2 external/bsd/blacklist/port/strlcpy.c up to 1.2 external/bsd/blacklist/port/strtoi.c up to 1.3 external/bsd/blacklist/test/Makefile up to 1.2 external/bsd/blacklist/test/cltest.c up to 1.6 external/bsd/blacklist/test/srvtest.c up to 1.9 lib/libpam/modules/pam_ssh/pam_ssh.c up to 1.23 libexec/ftpd/pfilter.c up to 1.1 libexec/ftpd/pfilter.h up to 1.1 libexec/ftpd/Makefile up to 1.64 libexec/ftpd/ftpd.c up to 1.201 Add blacklistd(8), a daemon to block and release network ports on demand to mitigate abuse, and related changes to 
system daemons to support it. [christos, ticket #711] @ text @a0 177
--- /dev/null 2015-01-22 23:10:33.000000000 -0500
+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
@@@@ -0,0 +1,27 @@@@
+#include "namespace.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include
+
+static struct blacklist *blstate;
+
+void
+pfilter_init()
+{
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+}
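Review bot: The fallback to descriptor 3 in `pfilter_notify` (the line marked `// XXX: 3?`) passes `blacklist_r` a hard-coded fd whenever the connection is not on a socket, and nothing in the hunk shows that fd 3 is the peer connection in that case. If it is some other open descriptor, the address that ends up blocked would presumably come from the wrong endpoint, so I would skip the report instead: `if (!packet_connection_is_on_socket()) return;`. `pfilter_init()` also assigns `blstate` unconditionally while the sshd.c hunks call it from more than one place, so a second call in the same process would drop the first handle without closing it; `if (blstate == NULL) blstate = blacklist_open();` avoids that. The definition should read `pfilter_init(void)` to match the prototype in pfilter.h, and the meaning of `a` (the callers pass 1 for a failure and `!authenticated`) deserves a one-line comment.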
--- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 @@@@ -0,0 +1,3 @@@@ + +void pfilter_notify(int); +void pfilter_init(void); Index: bin/sshd/Makefile =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v retrieving revision 1.10 diff -u -u -r1.10 Makefile --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 @@@@ -15,7 +15,7 @@@@ auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c \ kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ - roaming_common.c roaming_serv.c sandbox-rlimit.c + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c COPTS.auth-options.c= -Wno-pointer-sign COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix @@@@ -68,3 +68,6 @@@@ LDADD+= -lwrap DPADD+= ${LIBWRAP} + +LDADD+= -lblacklist +DPADD+= ${LIBBLACKLIST} Index: dist/auth.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v retrieving revision 1.10 diff -u -u -r1.10 auth.c --- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 +++ dist/auth.c 22 Jan 2015 21:39:22 -0000 @@@@ -62,6 +62,7 @@@@ #include "monitor_wrap.h" #include "krl.h" #include "compat.h" +#include "pfilter.h" #ifdef HAVE_LOGIN_CAP #include @@@@ -362,6 +363,8 @@@@ compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? 
authctxt->info : ""); + if (!authctxt->postponed) + pfilter_notify(!authenticated); free(authctxt->info); authctxt->info = NULL; } Index: dist/sshd.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v retrieving revision 1.15 diff -u -u -r1.15 sshd.c --- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 +++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 @@@@ -109,6 +109,7 @@@@ #include "roaming.h" #include "ssh-sandbox.h" #include "version.h" +#include "pfilter.h" #ifdef LIBWRAP #include @@@@ -364,6 +365,7 @@@@ killpg(0, SIGTERM); } + pfilter_notify(1); /* Log error and exit. */ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } @@@@ -1160,6 +1162,7 @@@@ for (i = 0; i < options.max_startups; i++) startup_pipes[i] = -1; + pfilter_init(); /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. Index: auth1.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v retrieving revision 1.9 diff -u -u -r1.9 auth1.c --- auth1.c 19 Oct 2014 16:30:58 -0000 1.9 +++ auth1.c 14 Feb 2015 15:40:51 -0000 @@@@ -41,6 +41,7 @@@@ #endif #include "monitor_wrap.h" #include "buffer.h" +#include "pfilter.h" /* import */ extern ServerOptions options; @@@@ -445,6 +446,7 @@@@ else { debug("do_authentication: invalid user %s", user); authctxt->pw = fakepw(); + pfilter_notify(1); } /* Configuration may have changed as a result of Match */ Index: auth2.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v retrieving revision 1.9 diff -u -u -r1.9 auth2.c --- auth2.c 19 Oct 2014 16:30:58 -0000 1.9 +++ auth2.c 14 Feb 2015 15:40:51 -0000 @@@@ -52,6 +52,7 @@@@ #include "pathnames.h" #include "buffer.h" #include "canohost.h" +#include "pfilter.h" #ifdef GSSAPI #include "ssh-gss.h" @@@@ -256,6 +257,7 @@@@ } else 
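Review bot: `pfilter_notify(!authenticated)` in the auth.c hunk at -362 reports every non-postponed unsuccessful attempt as a failure, and the auth1.c and auth2.c hunks add a separate `pfilter_notify(1)` on the invalid-user path, so one login attempt for an unknown user is likely counted twice. Whether attempts that belong to a normal login, such as a rejected key followed by an accepted one, also reach this line cannot be seen from the hunk, because the enclosing function starts outside it. Since the count decides when an address gets blocked, the intended unit should be written down next to the call, e.g. `/* one report per finished attempt; invalid users are additionally reported at lookup */`, or the invalid-user calls dropped if double counting is not intended.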
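Review bot: The `pfilter_notify(1)` added before `sigdie(...)` in the sshd.c hunk at -364 appears to run in the pre-authentication timeout signal handler (the neighbouring lines are `killpg(0, SIGTERM)` and `sigdie`; the function starts outside the hunk). From there `pfilter_notify` can reach `pfilter_init()` and `blacklist_open()` when `blstate` is still NULL, which is more than a signal handler should do, and whether `blacklist_r` itself is async-signal-safe is not visible here. I would rely on the handle opened by the `pfilter_init()` calls the other sshd.c hunks add and not open lazily on this path, and add a comment at the call such as `/* called from signal context: blstate must already be open */`.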
{ logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); + pfilter_notify(1); } #ifdef USE_PAM if (options.use_pam) Index: sshd.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v retrieving revision 1.16 diff -u -r1.16 sshd.c --- sshd.c 25 Jan 2015 15:52:44 -0000 1.16 +++ sshd.c 14 Feb 2015 09:55:06 -0000 @@@@ -628,6 +628,8 @@@@ explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd)); endpwent(); + pfilter_init(); + /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, @ 1.5 log @Add the bad user diff. @ text @d161 17 @ 1.4 log @remove unneeded include @ text @d115 46 @ 1.3 log @include socket.h @ text @d3 1 a3 1 @@@@ -0,0 +1,28 @@@@ a8 1 +#include @ 1.2 log @new diffs from the top @ text @d1 3 a3 3 --- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500 @@@@ -0,0 +1,27 @@@@ d9 1 @ 1.1 log @- move diffs - always log through lfun @ text @d1 36 d41 1 a41 1 diff -u -r1.10 Makefile d43 1 a43 1 +++ bin/sshd/Makefile 21 Jan 2015 02:16:08 -0000 d64 1 a64 1 diff -u -r1.10 auth.c d66 1 a66 1 +++ dist/auth.c 21 Jan 2015 02:16:09 -0000 d90 1 a90 1 +++ dist/sshd.c 21 Jan 2015 02:49:39 -0000 a114 36 --- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500 @@@@ -0,0 +1,27 @@@@ +#include "namespace.h" +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "pfilter.h" +#include + +static struct blacklist *blstate; + +void +pfilter_init() +{ + blstate = blacklist_open(); +} + +void +pfilter_notify(int a) +{ + int fd; + if (blstate == NULL) + pfilter_init(); + if (blstate == NULL) + return; + // XXX: 3? + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; + (void)blacklist_r(blstate, a, fd, "ssh"); +} 
--- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 @@@@ -0,0 +1,3 @@@@ + +void pfilter_notify(int); +void pfilter_init(void); @