MFC r318242: Refine and update blacklist support in sshd

Adjust notification points slightly to catch all auth failures, rather
than just the ones caused by bad usernames.  Modify notification point
for bad usernames to send new type of BLACKLIST_BAD_USER.  (Support in
libblacklist will be forthcoming soon.)  Add guards to allow library
headers to expose the enum of action values.

Reviewed by:	des
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation

8 files changed, 23 insertions, 16 deletions

diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index bbd18e5..aa83913 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -795,7 +795,8 @@ sshpam_query(void *ctx, char **name, char **info,
 				free(msg);
 				return (0);
 			}
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+			    sshpam_authctxt->user);
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index c5dac04..4a7c8ed 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -296,7 +296,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 	else {
 		authmsg = authenticated ? "Accepted" : "Failed";
 		if (authenticated)
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
 	}
 
 	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
@@ -644,7 +644,7 @@ getpwnamallow(const char *user)
 	}
 #endif
 	if (pw == NULL) {
-		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
 		logit("Invalid user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 71eb0c2..1899544 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
 			char *msg;
 			size_t len;
 
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 			error("Access denied for user %s by PAM account "
 			    "configuration", authctxt->user);
 			len = buffer_len(&loginmsg);
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
 		if (authenticated)
 			return;
 
+		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 		if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
 	else {
 		debug("do_authentication: invalid user %s", user);
 		authctxt->pw = fakepw();
-		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
 	}
 
 	/* Configuration may have changed as a result of Match */
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index ee3c5dd..8f9817a 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -249,7 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
@@ -389,8 +388,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 
 		/* Allow initial try of "none" auth without failure penalty */
 		if (!partial && !authctxt->server_caused_failure &&
-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
 			authctxt->failures++;
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+		}
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
index 4c9d91d..b4f5d3e 100644
--- a/crypto/openssh/blacklist.c
+++ b/crypto/openssh/blacklist.c
@@ -46,8 +46,8 @@
 #include "log.h"
 #include "misc.h"
 #include "servconf.h"
-#include "blacklist_client.h"
 #include <blacklist.h>
+#include "blacklist_client.h"
 
 static struct blacklist *blstate = NULL;
 
@@ -88,10 +88,10 @@ blacklist_init(void)
 }
 
 void
-blacklist_notify(int action)
+blacklist_notify(int action, const char *msg)
 {
 
 	if (blstate != NULL && packet_connection_is_on_socket())
 		(void)blacklist_r(blstate, action,
-		packet_get_connection_in(), "ssh");
+		packet_get_connection_in(), msg);
 }
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
index 9479bb2..af5a2a6 100644
--- a/crypto/openssh/blacklist_client.h
+++ b/crypto/openssh/blacklist_client.h
@@ -34,22 +34,26 @@
 #ifndef BLACKLIST_CLIENT_H
 #define BLACKLIST_CLIENT_H
 
+#ifndef BLACKLIST_API_ENUM
 enum {
 	BLACKLIST_AUTH_OK = 0,
-	BLACKLIST_AUTH_FAIL
+	BLACKLIST_AUTH_FAIL,
+	BLACKLIST_ABUSIVE_BEHAVIOR,
+	BLACKLIST_BAD_USER
 };
+#endif
 
 #ifdef USE_BLACKLIST
 void blacklist_init(void);
-void blacklist_notify(int);
+void blacklist_notify(int, const char *);
 
 #define BLACKLIST_INIT() blacklist_init()
-#define BLACKLIST_NOTIFY(x) blacklist_notify(x)
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
 
 #else
 
 #define BLACKLIST_INIT()
-#define BLACKLIST_NOTIFY(x)
+#define BLACKLIST_NOTIFY(x,msg)
 
 #endif
 
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index be4b4b6..5d745a0 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -2072,7 +2072,7 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh && ssh->kex && ssh->kex->failed_choice) {
-			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 			fatal("Unable to negotiate with %.200s port %d: %s. "
 			    "Their offer: %s", ssh_remote_ipaddr(ssh),
 			    ssh_remote_port(ssh), ssh_err(r),
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 38b772d..448b64b 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -389,7 +389,7 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}
 
-	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
 
 	/* Log error and exit. */
 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());