diff options
Diffstat (limited to 'diff/ssh.diff')
| -rw-r--r-- | diff/ssh.diff | 223 |
1 files changed, 71 insertions, 152 deletions
diff --git a/diff/ssh.diff b/diff/ssh.diff index bc0b75c05674..9427fc8ddb36 100644 --- a/diff/ssh.diff +++ b/diff/ssh.diff @@ -1,6 +1,6 @@ --- /dev/null 2015-01-22 23:10:33.000000000 -0500 +++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500 -@@ -0,0 +1,28 @@ +@@ -0,0 +1,32 @@ +#include "namespace.h" +#include "includes.h" +#include "ssh.h" @@ -28,6 +28,10 @@ + // XXX: 3? + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; + (void)blacklist_r(blstate, a, fd, "ssh"); ++ if (a == 0) { ++ blacklist_close(blstate); ++ blstate = NULL; ++ } +} --- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 @@ -58,174 +62,89 @@ diff -u -u -r1.10 Makefile + +LDADD+= -lblacklist +DPADD+= ${LIBBLACKLIST} -Index: dist/auth.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v -retrieving revision 1.10 -diff -u -u -r1.10 auth.c ---- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 -+++ dist/auth.c 22 Jan 2015 21:39:22 -0000 -@@ -62,6 +62,7 @@ - #include "monitor_wrap.h" - #include "krl.h" - #include "compat.h" -+#include "pfilter.h" - - #ifdef HAVE_LOGIN_CAP - #include <login_cap.h> -@@ -362,6 +363,8 @@ - compat20 ? "ssh2" : "ssh1", - authctxt->info != NULL ? ": " : "", - authctxt->info != NULL ? authctxt->info : ""); -+ if (!authctxt->postponed) -+ pfilter_notify(!authenticated); - free(authctxt->info); - authctxt->info = NULL; - } -Index: dist/sshd.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v -retrieving revision 1.15 -diff -u -u -r1.15 sshd.c ---- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 -+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 -@@ -109,6 +109,7 @@ - #include "roaming.h" - #include "ssh-sandbox.h" - #include "version.h" -+#include "pfilter.h" - - #ifdef LIBWRAP - #include <tcpd.h> -@@ -364,6 +365,7 @@ - killpg(0, SIGTERM); - } - -+ pfilter_notify(1); - /* Log error and exit. */ - sigdie("Timeout before authentication for %s", get_remote_ipaddr()); - } -@@ -1160,6 +1162,7 @@ - for (i = 0; i < options.max_startups; i++) - startup_pipes[i] = -1; - -+ pfilter_init(); - /* - * Stay listening for connections until the system crashes or - * the daemon is killed with a signal. -Index: auth1.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v -retrieving revision 1.9 -diff -u -u -r1.9 auth1.c ---- auth1.c 19 Oct 2014 16:30:58 -0000 1.9 -+++ auth1.c 14 Feb 2015 15:40:51 -0000 -@@ -41,6 +41,7 @@ +diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c +--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 +@@ -103,6 +103,7 @@ + #include "ssh-gss.h" #endif #include "monitor_wrap.h" - #include "buffer.h" +#include "pfilter.h" - /* import */ extern ServerOptions options; -@@ -445,6 +446,7 @@ - else { - debug("do_authentication: invalid user %s", user); - authctxt->pw = fakepw(); -+ pfilter_notify(1); - } + extern Buffer loginmsg; +@@ -526,6 +527,7 @@ + ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer); + else + ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); ++ pfilter_notify(1); + buffer_free(&buffer); + pthread_exit(NULL); - /* Configuration may have changed as a result of Match */ -Index: auth2.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v -retrieving revision 1.9 -diff -u -u -r1.9 auth2.c ---- auth2.c 19 Oct 2014 16:30:58 -0000 1.9 -+++ auth2.c 14 Feb 2015 15:40:51 -0000 -@@ -52,6 +52,7 @@ +@@ -804,6 +806,7 @@ + free(msg); + return (0); + } ++ pfilter_notify(1); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, +diff -ru openssh-7.7p1/auth2.c dist/auth2.c +--- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 +@@ -51,6 +51,7 @@ + #include "dispatch.h" #include "pathnames.h" #include "buffer.h" - #include "canohost.h" +#include "pfilter.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -256,6 +257,7 @@ +@@ -242,6 +243,7 @@ } else { - logit("input_userauth_request: invalid user %s", user); + /* Invalid user, fake password information */ authctxt->pw = fakepw(); + pfilter_notify(1); - } - #ifdef USE_PAM - if (options.use_pam) -Index: sshd.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v -retrieving revision 1.16 -diff -u -r1.16 sshd.c ---- sshd.c 25 Jan 2015 15:52:44 -0000 1.16 -+++ sshd.c 14 Feb 2015 09:55:06 -0000 -@@ -628,6 +628,8 @@ - explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd)); - endpwent(); - -+ pfilter_init(); -+ - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, - -Index: auth-pam.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v -retrieving revision 1.7 -diff -u -u -r1.7 auth-pam.c ---- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7 -+++ auth-pam.c 23 Jan 2016 00:01:16 -0000 -@@ -114,6 +114,7 @@ - #include "ssh-gss.h" + #ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); #endif - #include "monitor_wrap.h" +Only in dist: pfilter.c +Only in dist: pfilter.h +diff -ru openssh-7.7p1/sshd.c dist/sshd.c +--- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400 ++++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400 +@@ -122,6 +122,7 @@ + #include "auth-options.h" + #include "version.h" + #include "ssherr.h" +#include "pfilter.h" - extern ServerOptions options; - extern Buffer loginmsg; -@@ -809,6 +810,7 @@ - free(msg); - return (0); - } -+ pfilter_notify(1); - error("PAM: %s for %s%.100s from %.100s", msg, - sshpam_authctxt->valid ? "" : "illegal user ", - sshpam_authctxt->user, -Index: auth.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v -retrieving revision 1.15 -diff -u -u -r1.15 auth.c ---- auth.c 21 Aug 2015 08:20:59 -0000 1.15 -+++ auth.c 23 Jan 2016 00:01:16 -0000 -@@ -656,6 +656,7 @@ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) +@@ -346,6 +347,7 @@ + static void + grace_alarm_handler(int sig) + { ++ pfilter_notify(1); + if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) + kill(pmonitor->m_pid, SIGALRM); - pw = getpwnam(user); - if (pw == NULL) { -+ pfilter_notify(1); - logit("Invalid user %.100s from %.100s", - user, get_remote_ipaddr()); - return (NULL); -Index: auth1.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v -retrieving revision 1.12 -diff -u -u -r1.12 auth1.c ---- auth1.c 3 Jul 2015 00:59:59 -0000 1.12 -+++ auth1.c 23 Jan 2016 00:01:16 -0000 -@@ -376,6 +376,7 @@ - char *msg; - size_t len; +@@ -1835,6 +1837,8 @@ + if (test_flag) + exit(0); -+ pfilter_notify(1); - error("Access denied for user %s by PAM account " - "configuration", authctxt->user); - len = buffer_len(&loginmsg); ++ pfilter_init(); ++ + /* + * Clear out any supplemental groups we may have inherited. This + * prevents inadvertent creation of files with bad modes (in the +@@ -2280,6 +2284,9 @@ + { + struct ssh *ssh = active_state; /* XXX */ + ++ if (i == 255) ++ pfilter_notify(1); ++ + if (the_authctxt) { + do_cleanup(ssh, the_authctxt); + if (use_privsep && privsep_is_preauth && |