authorKurt Lidl <lidl@FreeBSD.org>2016-06-01 21:48:22 +0000
committerKurt Lidl <lidl@FreeBSD.org>2016-06-01 21:48:22 +0000
commitdf0cfa3b86180bc007aafedfac6685826e8de7ea (patch)
tree87b2b18820b6cc1642b930ba61c9228f4f3bb48b /diff
Notes
Diffstat (limited to 'diff')
-rw-r--r--diff/ftpd.diff91
-rw-r--r--diff/named.diff216
-rw-r--r--diff/proftpd.diff124
-rw-r--r--diff/ssh.diff231
4 files changed, 662 insertions, 0 deletions
diff --git a/diff/ftpd.diff b/diff/ftpd.diff
new file mode 100644
index 000000000000..d28577f3ef5f
--- /dev/null
+++ b/diff/ftpd.diff
@@ -0,0 +1,91 @@
+--- /dev/null 2015-01-23 17:30:40.000000000 -0500
++++ pfilter.c 2015-01-23 17:12:02.000000000 -0500
+@@ -0,0 +1,24 @@
++#include <stdio.h>
++#include <blacklist.h>
++
++#include "pfilter.h"
++
++static struct blacklist *blstate;
++
++void
++pfilter_open(void)
++{
++ if (blstate == NULL)
++ blstate = blacklist_open();
++}
++
++void
++pfilter_notify(int what, const char *msg)
++{
++ pfilter_open();
++
++ if (blstate == NULL)
++ return;
++
++ blacklist_r(blstate, what, 0, msg);
++}
+--- /dev/null 2015-01-23 17:30:40.000000000 -0500
++++ pfilter.h 2015-01-23 17:07:25.000000000 -0500
+@@ -0,0 +1,2 @@
++void pfilter_open(void);
++void pfilter_notify(int, const char *);
+Index: Makefile
+===================================================================
+RCS file: /cvsroot/src/libexec/ftpd/Makefile,v
+retrieving revision 1.63
+diff -u -p -u -r1.63 Makefile
+--- Makefile 14 Aug 2011 11:46:28 -0000 1.63
++++ Makefile 23 Jan 2015 22:32:20 -0000
+@@ -11,6 +11,10 @@ LDADD+= -lcrypt -lutil
+ MAN= ftpd.conf.5 ftpusers.5 ftpd.8
+ MLINKS= ftpusers.5 ftpchroot.5
+
++SRCS+= pfilter.c
++LDADD+= -lblacklist
++DPADD+= ${LIBBLACKLIST}
++
+ .if defined(NO_INTERNAL_LS)
+ CPPFLAGS+=-DNO_INTERNAL_LS
+ .else
+Index: ftpd.c
+===================================================================
+RCS file: /cvsroot/src/libexec/ftpd/ftpd.c,v
+retrieving revision 1.200
+diff -u -p -u -r1.200 ftpd.c
+--- ftpd.c 31 Jul 2013 19:50:47 -0000 1.200
++++ ftpd.c 23 Jan 2015 22:32:20 -0000
+@@ -165,6 +165,8 @@ __RCSID("$NetBSD: ftpd.c,v 1.200 2013/07
+ #include <security/pam_appl.h>
+ #endif
+
++#include "pfilter.h"
++
+ #define GLOBAL
+ #include "extern.h"
+ #include "pathnames.h"
+@@ -471,6 +473,8 @@ main(int argc, char *argv[])
+ if (EMPTYSTR(confdir))
+ confdir = _DEFAULT_CONFDIR;
+
++ pfilter_open();
++
+ if (dowtmp) {
+ #ifdef SUPPORT_UTMPX
+ ftpd_initwtmpx();
+@@ -1401,6 +1405,7 @@ do_pass(int pass_checked, int pass_rval,
+ if (rval) {
+ reply(530, "%s", rval == 2 ? "Password expired." :
+ "Login incorrect.");
++ pfilter_notify(1, rval == 2 ? "exppass" : "badpass");
+ if (logging) {
+ syslog(LOG_NOTICE,
+ "FTP LOGIN FAILED FROM %s", remoteloghost);
+@@ -1444,6 +1449,7 @@ do_pass(int pass_checked, int pass_rval,
+ *remote_ip = 0;
+ remote_ip[sizeof(remote_ip) - 1] = 0;
+ if (!auth_hostok(lc, remotehost, remote_ip)) {
++ pfilter_notify(1, "bannedhost");
+ syslog(LOG_INFO|LOG_AUTH,
+ "FTP LOGIN FAILED (HOST) as %s: permission denied.",
+ pw->pw_name);
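Review bot: In pfilter.c's `blacklist_r(blstate, what, 0, msg);` the descriptor is hard-coded to 0, which names the right peer only while the control connection is on stdin. A comment such as `/* fd 0 is the control socket when started from inetd */`, or passing the descriptor in, would make that assumption explicit; it should be confirmed for any standalone mode ftpd.c has. The two call sites in do_pass pass a bare `1`; if the blacklist.h in use defines `BLACKLIST_AUTH_FAIL`, the named constant would read better. Only failures are reported, so a successful login never clears earlier failures for that address, unlike the ssh variant's `pfilter_notify(!authenticated)`; if that is intended it is worth saying so. main and do_pass continue outside the hunks shown.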
diff --git a/diff/named.diff b/diff/named.diff
new file mode 100644
index 000000000000..fcd97ba7ec1f
--- /dev/null
+++ b/diff/named.diff
@@ -0,0 +1,216 @@
+--- /dev/null 2015-01-22 01:48:00.000000000 -0500
++++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
+@@ -0,0 +1,42 @@
++#include <config.h>
++
++#include <isc/platform.h>
++#include <isc/util.h>
++#include <named/types.h>
++#include <named/client.h>
++
++#include <blacklist.h>
++
++#include "pfilter.h"
++
++static struct blacklist *blstate;
++
++void
++pfilter_open(void)
++{
++ if (blstate == NULL)
++ blstate = blacklist_open();
++}
++
++#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
++
++void
++pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
++{
++ isc_socket_t *socket;
++
++ pfilter_open();
++
++ if (TCP_CLIENT(client))
++ socket = client->tcpsocket;
++ else {
++ socket = client->udpsocket;
++ if (!client->peeraddr_valid)
++ return;
++ }
++ if (socket == NULL)
++ return;
++ blacklist_sa_r(blstate,
++ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
++ &client->peeraddr.type.sa, client->peeraddr.length, msg);
++}
+--- /dev/null 2015-01-22 01:48:00.000000000 -0500
++++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
+@@ -0,0 +1,2 @@
++void pfilter_open(void);
++void pfilter_notify(isc_result_t, ns_client_t *, const char *);
+Index: bin/named/Makefile
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
+retrieving revision 1.8
+diff -u -u -r1.8 Makefile
+--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
++++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
+@@ -33,7 +33,9 @@
+ lwaddr.c lwdclient.c lwderror.c \
+ lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
+ main.c notify.c query.c server.c sortlist.c statschannel.c \
+- tkeyconf.c tsigconf.c \
++ pfilter.c tkeyconf.c tsigconf.c \
+ update.c xfrout.c zoneconf.c ${SRCS_UNIX}
+
++LDADD+=-lblacklist
++DPADD+=${LIBBLACKLIST}
+ .include <bsd.prog.mk>
+Index: dist/bin/named/client.c
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
+retrieving revision 1.11
+diff -u -u -r1.11 client.c
+--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
++++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000
+@@ -65,6 +65,8 @@
+ #include <named/server.h>
+ #include <named/update.h>
+
++#include "pfilter.h"
++
+ /***
+ *** Client
+ ***/
+@@ -3101,6 +3103,7 @@
+ result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
+ acl, default_allow);
+
++ pfilter_notify(result, client, opname);
+ if (result == ISC_R_SUCCESS)
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+Index: dist/bin/named/main.c
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
+retrieving revision 1.15
+diff -u -u -r1.15 main.c
+--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
++++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
+@@ -83,6 +83,9 @@
+ #ifdef HAVE_LIBXML2
+ #include <libxml/xmlversion.h>
+ #endif
++
++#include "pfilter.h"
++
+ /*
+ * Include header files for database drivers here.
+ */
+@@ -1206,6 +1209,8 @@
+
+ parse_command_line(argc, argv);
+
++ pfilter_open();
++
+ /*
+ * Warn about common configuration error.
+ */
+Index: dist/bin/named/query.c
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
+retrieving revision 1.17
+diff -u -u -r1.17 query.c
+--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
++++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
+@@ -65,6 +65,8 @@
+ #include <named/sortlist.h>
+ #include <named/xfrout.h>
+
++#include "pfilter.h"
++
+ #if 0
+ /*
+ * It has been recommended that DNS64 be changed to return excluded
+@@ -762,6 +764,8 @@
+ }
+
+ result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
++ if (result != ISC_R_SUCCESS)
++ pfilter_notify(result, client, "validatezonedb");
+ if ((options & DNS_GETDB_NOLOG) == 0) {
+ char msg[NS_CLIENT_ACLMSGSIZE("query")];
+ if (result == ISC_R_SUCCESS) {
+@@ -1026,6 +1030,8 @@
+ result = ns_client_checkaclsilent(client, NULL,
+ client->view->cacheacl,
+ ISC_TRUE);
++ if (result == ISC_R_SUCCESS)
++ pfilter_notify(result, client, "cachedb");
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We were allowed by the "allow-query-cache" ACL.
+Index: dist/bin/named/update.c
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
+retrieving revision 1.9
+diff -u -u -r1.9 update.c
+--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
++++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
+@@ -59,6 +59,8 @@
+ #include <named/server.h>
+ #include <named/update.h>
+
++#include "pfilter.h"
++
+ /*! \file
+ * \brief
+ * This module implements dynamic update as in RFC2136.
+@@ -307,6 +309,7 @@
+
+ result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
++ pfilter_notify(result, client, "queryacl");
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+@@ -324,6 +327,7 @@
+ sizeof(classbuf));
+
+ result = DNS_R_REFUSED;
++ pfilter_notify(result, client, "updateacl");
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+ "update '%s/%s' denied", namebuf, classbuf);
+@@ -362,6 +366,7 @@
+ msg = "disabled";
+ } else {
+ result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
++ pfilter_notify(result, client, "updateacl");
+ if (result == ISC_R_SUCCESS) {
+ level = ISC_LOG_DEBUG(3);
+ msg = "approved";
+Index: dist/bin/named/xfrout.c
+===================================================================
+RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
+retrieving revision 1.7
+diff -u -u -r1.7 xfrout.c
+--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
++++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
+@@ -54,6 +54,8 @@
+ #include <named/server.h>
+ #include <named/xfrout.h>
+
++#include "pfilter.h"
++
+ /*! \file
+ * \brief
+ * Outgoing AXFR and IXFR.
+@@ -822,6 +824,7 @@
+ &client->peeraddr,
+ &db);
+
++ pfilter_notify(result, client, "zonexfr");
+ if (result == ISC_R_NOPERM) {
+ char _buf1[DNS_NAME_FORMATSIZE];
+ char _buf2[DNS_RDATACLASS_FORMATSIZE];
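Review bot: pfilter_notify in dist/bin/named/pfilter.c calls `blacklist_sa_r(blstate, ...)` without checking that `pfilter_open()` produced a handle, whereas the ftpd and proftpd variants return when `blstate == NULL`; add `if (blstate == NULL) return;` after the `pfilter_open()` call. In query.c the cache ACL hunk notifies only when `result == ISC_R_SUCCESS` ("cachedb"), while the zone ACL hunk just above it notifies only on `!=`. Since pfilter_notify derives the action from `res != ISC_R_SUCCESS`, the cachedb site can only ever send the success action, which looks inverted and should be confirmed. Many of these ACL checks are reached by UDP queries, whose source address is not verified, so a comment noting that the reported peer may be forged would help whoever tunes the blacklistd rule for this service.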
diff --git a/diff/proftpd.diff b/diff/proftpd.diff
new file mode 100644
index 000000000000..c811c9cf50bc
--- /dev/null
+++ b/diff/proftpd.diff
@@ -0,0 +1,124 @@
+--- Make.rules.in.orig 2015-05-27 20:25:54.000000000 -0400
++++ Make.rules.in 2016-01-25 21:48:47.000000000 -0500
+@@ -110,3 +110,8 @@
+
+ FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o
+ BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o
++
++CPPFLAGS+=-DHAVE_BLACKLIST
++LIBS+=-lblacklist
++OBJS+= pfilter.o
++BUILD_OBJS+= src/pfilter.o
+--- /dev/null 2016-01-22 17:30:55.000000000 -0500
++++ include/pfilter.h 2016-01-22 16:18:33.000000000 -0500
+@@ -0,0 +1,3 @@
++
++void pfilter_notify(int);
++void pfilter_init(void);
+--- modules/mod_auth.c.orig 2015-05-27 20:25:54.000000000 -0400
++++ modules/mod_auth.c 2016-01-22 16:21:06.000000000 -0500
+@@ -30,6 +30,7 @@
+
+ #include "conf.h"
+ #include "privs.h"
++#include "pfilter.h"
+
+ extern pid_t mpid;
+
+@@ -84,6 +85,8 @@
+ _("Login timeout (%d %s): closing control connection"), TimeoutLogin,
+ TimeoutLogin != 1 ? "seconds" : "second");
+
++ pfilter_notify(1);
++
+ /* It's possible that any listeners of this event might terminate the
+ * session process themselves (e.g. mod_ban). So write out that the
+ * TimeoutLogin has been exceeded to the log here, in addition to the
+@@ -913,6 +916,7 @@
+ pr_memscrub(pass, strlen(pass));
+ }
+
++ pfilter_notify(1);
+ pr_log_auth(PR_LOG_NOTICE, "SECURITY VIOLATION: Root login attempted");
+ return 0;
+ }
+@@ -1726,6 +1730,7 @@
+ return 1;
+
+ auth_failure:
++ pfilter_notify(1);
+ if (pass)
+ pr_memscrub(pass, strlen(pass));
+ session.user = session.group = NULL;
+--- src/main.c.orig 2016-01-22 17:36:43.000000000 -0500
++++ src/main.c 2016-01-22 17:37:58.000000000 -0500
+@@ -49,6 +49,7 @@
+ #endif
+
+ #include "privs.h"
++#include "pfilter.h"
+
+ int (*cmd_auth_chk)(cmd_rec *);
+ void (*cmd_handler)(server_rec *, conn_t *);
+@@ -1050,6 +1051,7 @@
+ pid_t pid;
+ sigset_t sig_set;
+
++ pfilter_init();
+ if (!nofork) {
+
+ /* A race condition exists on heavily loaded servers where the parent
+@@ -1169,7 +1171,8 @@
+
+ /* Reseed pseudo-randoms */
+ srand((unsigned int) (time(NULL) * getpid()));
+-
++#else
++ pfilter_init();
+ #endif /* PR_DEVEL_NO_FORK */
+
+ /* Child is running here */
+--- /dev/null 2016-01-22 17:30:55.000000000 -0500
++++ src/pfilter.c 2016-01-22 16:37:55.000000000 -0500
+@@ -0,0 +1,41 @@
++#include "pfilter.h"
++#include "conf.h"
++#include "privs.h"
++#ifdef HAVE_BLACKLIST
++#include <blacklist.h>
++#endif
++
++static struct blacklist *blstate;
++
++void
++pfilter_init(void)
++{
++#ifdef HAVE_BLACKLIST
++ if (blstate == NULL)
++ blstate = blacklist_open();
++#endif
++}
++
++void
++pfilter_notify(int a)
++{
++#ifdef HAVE_BLACKLIST
++ conn_t *c = session.c;
++ int fd;
++
++ if (c == NULL)
++ return;
++ if (c->rfd != -1)
++ fd = c->rfd;
++ else if (c->wfd != -1)
++ fd = c->wfd;
++ else
++ return;
++
++ if (blstate == NULL)
++ pfilter_init();
++ if (blstate == NULL)
++ return;
++ (void)blacklist_r(blstate, a, fd, "proftpd");
++#endif
++}
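Review bot: pfilter_notify in src/pfilter.c sends the fixed string `"proftpd"` for every event, so the login timeout, the root-login rejection and the `auth_failure:` path in modules/mod_auth.c cannot be told apart in blacklistd's log. Taking a reason argument as the ftpd variant does, `void pfilter_notify(int a, const char *msg)`, would keep that detail for triage. Counting a TimeoutLogin expiry as a failure means a slow or idle client is treated like a failed password, which should be a documented choice. Make.rules.in appends `-DHAVE_BLACKLIST` unconditionally, so the `#ifdef HAVE_BLACKLIST` guards never take the disabled path; a configure-time switch would make them meaningful.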
diff --git a/diff/ssh.diff b/diff/ssh.diff
new file mode 100644
index 000000000000..bc0b75c05674
--- /dev/null
+++ b/diff/ssh.diff
@@ -0,0 +1,231 @@
+--- /dev/null 2015-01-22 23:10:33.000000000 -0500
++++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
+@@ -0,0 +1,28 @@
++#include "namespace.h"
++#include "includes.h"
++#include "ssh.h"
++#include "packet.h"
++#include "log.h"
++#include "pfilter.h"
++#include <blacklist.h>
++
++static struct blacklist *blstate;
++
++void
++pfilter_init(void)
++{
++ blstate = blacklist_open();
++}
++
++void
++pfilter_notify(int a)
++{
++ int fd;
++ if (blstate == NULL)
++ pfilter_init();
++ if (blstate == NULL)
++ return;
++ // XXX: 3?
++ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
++ (void)blacklist_r(blstate, a, fd, "ssh");
++}
+--- /dev/null 2015-01-20 21:14:44.000000000 -0500
++++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
+@@ -0,0 +1,3 @@
++
++void pfilter_notify(int);
++void pfilter_init(void);
+Index: bin/sshd/Makefile
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
+retrieving revision 1.10
+diff -u -u -r1.10 Makefile
+--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
++++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
+@@ -15,7 +15,7 @@
+ auth2-none.c auth2-passwd.c auth2-pubkey.c \
+ monitor_mm.c monitor.c monitor_wrap.c \
+ kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
+- roaming_common.c roaming_serv.c sandbox-rlimit.c
++ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
+
+ COPTS.auth-options.c= -Wno-pointer-sign
+ COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
+@@ -68,3 +68,6 @@
+
+ LDADD+= -lwrap
+ DPADD+= ${LIBWRAP}
++
++LDADD+= -lblacklist
++DPADD+= ${LIBBLACKLIST}
+Index: dist/auth.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
+retrieving revision 1.10
+diff -u -u -r1.10 auth.c
+--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
++++ dist/auth.c 22 Jan 2015 21:39:22 -0000
+@@ -62,6 +62,7 @@
+ #include "monitor_wrap.h"
+ #include "krl.h"
+ #include "compat.h"
++#include "pfilter.h"
+
+ #ifdef HAVE_LOGIN_CAP
+ #include <login_cap.h>
+@@ -362,6 +363,8 @@
+ compat20 ? "ssh2" : "ssh1",
+ authctxt->info != NULL ? ": " : "",
+ authctxt->info != NULL ? authctxt->info : "");
++ if (!authctxt->postponed)
++ pfilter_notify(!authenticated);
+ free(authctxt->info);
+ authctxt->info = NULL;
+ }
+Index: dist/sshd.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
+retrieving revision 1.15
+diff -u -u -r1.15 sshd.c
+--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
++++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
+@@ -109,6 +109,7 @@
+ #include "roaming.h"
+ #include "ssh-sandbox.h"
+ #include "version.h"
++#include "pfilter.h"
+
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+@@ -364,6 +365,7 @@
+ killpg(0, SIGTERM);
+ }
+
++ pfilter_notify(1);
+ /* Log error and exit. */
+ sigdie("Timeout before authentication for %s", get_remote_ipaddr());
+ }
+@@ -1160,6 +1162,7 @@
+ for (i = 0; i < options.max_startups; i++)
+ startup_pipes[i] = -1;
+
++ pfilter_init();
+ /*
+ * Stay listening for connections until the system crashes or
+ * the daemon is killed with a signal.
+Index: auth1.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
+retrieving revision 1.9
+diff -u -u -r1.9 auth1.c
+--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
++++ auth1.c 14 Feb 2015 15:40:51 -0000
+@@ -41,6 +41,7 @@
+ #endif
+ #include "monitor_wrap.h"
+ #include "buffer.h"
++#include "pfilter.h"
+
+ /* import */
+ extern ServerOptions options;
+@@ -445,6 +446,7 @@
+ else {
+ debug("do_authentication: invalid user %s", user);
+ authctxt->pw = fakepw();
++ pfilter_notify(1);
+ }
+
+ /* Configuration may have changed as a result of Match */
+Index: auth2.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
+retrieving revision 1.9
+diff -u -u -r1.9 auth2.c
+--- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
++++ auth2.c 14 Feb 2015 15:40:51 -0000
+@@ -52,6 +52,7 @@
+ #include "pathnames.h"
+ #include "buffer.h"
+ #include "canohost.h"
++#include "pfilter.h"
+
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+@@ -256,6 +257,7 @@
+ } else {
+ logit("input_userauth_request: invalid user %s", user);
+ authctxt->pw = fakepw();
++ pfilter_notify(1);
+ }
+ #ifdef USE_PAM
+ if (options.use_pam)
+Index: sshd.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
+retrieving revision 1.16
+diff -u -r1.16 sshd.c
+--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
++++ sshd.c 14 Feb 2015 09:55:06 -0000
+@@ -628,6 +628,8 @@
+ explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
+ endpwent();
+
++ pfilter_init();
++
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+
+Index: auth-pam.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
+retrieving revision 1.7
+diff -u -u -r1.7 auth-pam.c
+--- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7
++++ auth-pam.c 23 Jan 2016 00:01:16 -0000
+@@ -114,6 +114,7 @@
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
++#include "pfilter.h"
+
+ extern ServerOptions options;
+ extern Buffer loginmsg;
+@@ -809,6 +810,7 @@
+ free(msg);
+ return (0);
+ }
++ pfilter_notify(1);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+Index: auth.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
+retrieving revision 1.15
+diff -u -u -r1.15 auth.c
+--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
++++ auth.c 23 Jan 2016 00:01:16 -0000
+@@ -656,6 +656,7 @@
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
++ pfilter_notify(1);
+ logit("Invalid user %.100s from %.100s",
+ user, get_remote_ipaddr());
+ return (NULL);
+Index: auth1.c
+===================================================================
+RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
+retrieving revision 1.12
+diff -u -u -r1.12 auth1.c
+--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
++++ auth1.c 23 Jan 2016 00:01:16 -0000
+@@ -376,6 +376,7 @@
+ char *msg;
+ size_t len;
+
++ pfilter_notify(1);
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);
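Review bot: The `: 3` fallback in dist/pfilter.c's pfilter_notify (flagged by the author as `// XXX: 3?`) reports whatever descriptor 3 happens to be when the connection is not on a socket, so the notification can carry the wrong peer or none. Returning early, `if (!packet_connection_is_on_socket()) return;`, would be safer. pfilter_init here assigns `blstate` unconditionally and is called from two places in sshd.c, so if both run in one process the first handle is overwritten and leaked; the `if (blstate == NULL)` guard used in the proftpd variant avoids that. The `pfilter_notify(1)` added just before `sigdie("Timeout before authentication ...")` appears to run inside the login-grace signal handler, whose header is outside the hunk. If so, `blacklist_open()` and `blacklist_r()` are not async-signal-safe there and the notification should be moved out of signal context.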