authorlidl <lidl@FreeBSD.org>2016-09-06 14:52:14 +0000
committerlidl <lidl@FreeBSD.org>2016-09-06 14:52:14 +0000
commit3b9c774076145fbda20cc62b99547f3deb4f52d3 (patch)
tree3aab3829188eccde1796fccf737fbcc22a82ab6b /crypto/openssh/auth.c
parente16037a886066569c7c5ecb3c5ff0d9b7243b651 (diff)
MFC r305065: Add refactored blacklist support to sshd
Change the calls to blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundant initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Approved by: des Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'crypto/openssh/auth.c')
-rw-r--r--crypto/openssh/auth.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index ba908801..1259385 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -75,6 +75,7 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -292,8 +293,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ BLACKLIST_NOTIFY(authenticated ?
+ BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+ }
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
authmsg,
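Review bot: The `BLACKLIST_NOTIFY` call in the new `else` block reports `BLACKLIST_AUTH_FAIL` for every failure that is neither postponed nor partial, whatever the authentication method. If auth_log() runs once per method attempt (its callers and the rest of its body are outside this hunk), routine failures such as an initial `none` probe or an agent offering several keys before the right one would each count against the client, so a legitimate user could be blocked before ever reaching a password prompt. Consider reporting success unconditionally but gating the failure report, for example `if (authenticated || strcmp(method, "none") != 0)` in front of the call, assuming the method name is available here. Whatever policy is chosen, state it in a comment such as `/* every failed attempt counts toward the blacklistd threshold */` so the lockout behaviour is visible to anyone tuning blacklistd.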
@@ -640,6 +644,7 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
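Review bot: The `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL)` added inside `if (pw == NULL)` may count a single attempt with an unknown user name twice. If the same attempt later reaches auth_log(), which this commit also makes report failures, blacklistd would receive two failure events for it. That may be intended as a heavier penalty for invalid users, but nothing in the visible lines says so; getpwnamallow() continues outside the hunk and its callers are not shown. Either drop one of the two reports or document the choice, e.g. `/* invalid user: reported here in addition to the failure auth_log() records */`.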