authorgjb <gjb@FreeBSD.org>2016-06-24 23:22:42 +0000
committergjb <gjb@FreeBSD.org>2016-06-24 23:22:42 +0000
commit70951739503fef6ff99a71f0515ee1eba2dbf895 (patch)
treed6dfc00fb63fa1abb42bf72a0fd03692230e25ed
parent889a34531d5bbe582fe89dd7ac79ff196cefa035 (diff)
downloadFreeBSD-src-70951739503fef6ff99a71f0515ee1eba2dbf895.zip
FreeBSD-src-70951739503fef6ff99a71f0515ee1eba2dbf895.tar.gz
Revert r301551, which added blacklistd(8) to sshd(8).
This change has functional impact, and other concerns were raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation
-rw-r--r--crypto/openssh/auth-pam.c6
-rw-r--r--crypto/openssh/auth.c10
-rw-r--r--crypto/openssh/auth1.c9
-rw-r--r--crypto/openssh/auth2.c6
-rw-r--r--crypto/openssh/blacklist.c64
-rw-r--r--crypto/openssh/blacklist_client.h31
-rw-r--r--crypto/openssh/packet.c6
-rw-r--r--crypto/openssh/sshd.c13
-rw-r--r--secure/usr.sbin/sshd/Makefile7
-rw-r--r--secure/usr.sbin/sshd/Makefile.depend1
10 files changed, 0 insertions, 153 deletions
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 53b9dbe..8425af1 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -98,9 +98,6 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
extern ServerOptions options;
extern Buffer loginmsg;
@@ -797,9 +794,6 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
return (0);
}
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index c23b55d..ba908801 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -75,9 +75,6 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
/* import */
extern ServerOptions options;
@@ -309,10 +306,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
-#ifdef USE_BLACKLIST
- if (!authctxt->postponed)
- blacklist_notify(!authenticated);
-#endif
free(authctxt->info);
authctxt->info = NULL;
@@ -647,9 +640,6 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 539e56c..5073c49 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -43,9 +43,6 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
/* import */
extern ServerOptions options;
@@ -340,9 +337,6 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
@@ -410,9 +404,6 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
}
/* Configuration may have changed as a result of Match */
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index eec196a..1d9aab0 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,9 +52,6 @@ __RCSID("$FreeBSD$");
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -251,9 +248,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
deleted file mode 100644
index d172945..0000000
--- a/crypto/openssh/blacklist.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <ctype.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "ssh.h"
-#include "packet.h"
-#include "log.h"
-#include "blacklist_client.h"
-#include <blacklist.h>
-
-static struct blacklist *blstate;
-
-void
-blacklist_init(void)
-{
- blstate = blacklist_open();
-}
-
-void
-blacklist_notify(int action)
-{
- int fd;
- if (blstate == NULL)
- blacklist_init();
- if (blstate == NULL)
- return;
- fd = packet_get_connection_in();
- if (!packet_connection_is_on_socket()) {
- fprintf(stderr, "packet_connection_is_on_socket: false "
- "(fd = %d)\n", fd);
- }
- (void)blacklist_r(blstate, action, fd, "ssh");
-}
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
deleted file mode 100644
index e63554d..0000000
--- a/crypto/openssh/blacklist_client.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*-
- * Copyright (c) 2015 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-void blacklist_notify(int);
-void blacklist_init(void);
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index 9e1165a..f3b3ce9 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -86,9 +86,6 @@ __RCSID("$FreeBSD$");
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2074,9 +2071,6 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
fatal("Unable to negotiate with %.200s port %d: %s. "
"Their offer: %s", ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh), ssh_err(r),
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index d1159291..dd7fcdd 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -135,9 +135,6 @@ __RCSID("$FreeBSD$");
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
-#ifdef USE_BLACKLIST
-#include "blacklist_client.h"
-#endif
#ifdef LIBWRAP
#include <tcpd.h>
@@ -391,9 +388,6 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
-#ifdef USE_BLACKLIST
- blacklist_notify(1);
-#endif
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -655,10 +649,6 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
-
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
@@ -1282,9 +1272,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index bab2901..f9589a3 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -40,13 +40,6 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
LIBADD+= bsm
.endif
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
-SRCS+= blacklist.c
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
-.endif
-
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
SRCS+= krb5_config.h
diff --git a/secure/usr.sbin/sshd/Makefile.depend b/secure/usr.sbin/sshd/Makefile.depend
index 220aae3..d24b0be 100644
--- a/secure/usr.sbin/sshd/Makefile.depend
+++ b/secure/usr.sbin/sshd/Makefile.depend
@@ -17,7 +17,6 @@ DIRDEPS = \
kerberos5/lib/libroken \
kerberos5/lib/libwind \
lib/${CSU_DIR} \
- lib/libblacklist \
lib/libbsm \
lib/libc \
lib/libcom_err \