| author | Kurt Lidl <lidl@FreeBSD.org> | 2016-11-01 18:18:09 +0000 |
|---|---|---|
| committer | Kurt Lidl <lidl@FreeBSD.org> | 2016-11-01 18:18:09 +0000 |
| commit | e07d11b69199483fd3175b5f17ad5fff35ae0677 (patch) | |
| tree | db3aa92c3538f0a197eb34b7c10900c43d4d8f00 /libexec/ftpd | |
| parent | dda4d3695764d6086272a4054427c217c9e10d80 (diff) | |
Notes
Diffstat (limited to 'libexec/ftpd')
| -rw-r--r-- | libexec/ftpd/blacklist.c | 6 | ||||
| -rw-r--r-- | libexec/ftpd/blacklist_client.h | 23 | ||||
| -rw-r--r-- | libexec/ftpd/ftpd.8 | 10 | ||||
| -rw-r--r-- | libexec/ftpd/ftpd.c | 26 |
4 files changed, 50 insertions, 15 deletions
diff --git a/libexec/ftpd/blacklist.c b/libexec/ftpd/blacklist.c
index b66a1cd60403..85f90b5352d7 100644
--- a/libexec/ftpd/blacklist.c
+++ b/libexec/ftpd/blacklist.c
@@ -37,16 +37,20 @@
 #include <blacklist.h>
 
 static struct blacklist *blstate;
+extern int use_blacklist;
 
 void
 blacklist_init(void)
 {
- blstate = blacklist_open();
+
+ if (use_blacklist)
+ blstate = blacklist_open();
 }
 
 void
 blacklist_notify(int action, int fd, char *msg)
 {
+
 if (blstate == NULL)
 return;
 (void)blacklist_r(blstate, action, fd, msg);
diff --git a/libexec/ftpd/blacklist_client.h b/libexec/ftpd/blacklist_client.h
index 596b2bc71a0f..7ac6fd11ed27 100644
--- a/libexec/ftpd/blacklist_client.h
+++ b/libexec/ftpd/blacklist_client.h
@@ -28,5 +28,26 @@
 
 /* $FreeBSD$ */
 
-void blacklist_notify(int, int, char *);
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
 void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, y, z)
+
+#endif
+
+#endif /* BLACKLIST_CLIENT_H */
diff --git a/libexec/ftpd/ftpd.8 b/libexec/ftpd/ftpd.8
index 50565e9cd5e1..0cd62899189c 100644
--- a/libexec/ftpd/ftpd.8
+++ b/libexec/ftpd/ftpd.8
@@ -36,7 +36,7 @@
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm
-.Op Fl 468ADdEhMmOoRrSUvW
+.Op Fl 468ABDdEhMmOoRrSUvW
 .Op Fl l Op Fl l
 .Op Fl a Ar address
 .Op Fl P Ar port
@@ -95,6 +95,14 @@ When
 .Fl D
 is specified, accept connections only on the specified
 .Ar address .
+.It Fl B
+With this option set,
+.Nm
+sends authentication success and failure messages to the
+.Xr blacklistd 8
+daemon. If this option is not specified, no communcation with the
+.Xr blacklistd 8
+daemon is attempted.
 .It Fl D
 With this option set,
 .Nm
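Review bot: `blstate` stays NULL both when -B was not given and when `blacklist_open()` fails (the existing NULL check in `blacklist_notify()` suggests it can), and the notify path then returns without a trace, so an operator who enabled -B cannot tell from the logs that login failures are not reaching blacklistd. Inside the `if (use_blacklist)` branch of `blacklist_init()` I would log the failure once, e.g. `if (blstate == NULL) syslog(LOG_ERR, "blacklist_open failed; login results will not be reported");`, which needs `<syslog.h>` if this file does not already include it (the hunk does not show). Separately, `extern int use_blacklist;` would be better declared in blacklist_client.h so the compiler checks it against the definition in ftpd.c. The body of `blacklist_notify()` continues past the end of the hunk.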
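Review bot: In the `#else` branch of blacklist_client.h both macros expand to nothing, so a call used as the sole body of an unbraced `if` or `else` would leave a bare empty statement in builds without USE_BLACKLIST. Expanding to a no-op expression keeps every call site well-formed in both configurations: `#define BLACKLIST_INIT() ((void)0)` and `#define BLACKLIST_NOTIFY(x, y, z) ((void)0)`. The anonymous enum deserves a comment such as `/* action values handed unchanged to blacklist_r(); must match what libblacklist expects */`, since blacklist.c passes `action` straight through. The prototype also takes `char *` although every caller in this commit passes a string literal; `const char *` would be the accurate type if `blacklist_r()` accepts it.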
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 16c7523b7a0c..95682d5ceb54 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disabled. */
 int noguestretr = 0; /* RETR command is disabled for anon users. */
 int noguestmkd = 0; /* MKD command is disabled for anon users. */
 int noguestmod = 1; /* anon users may not modify existing files. */
+int use_blacklist = 0;
 
 off_t file_size;
 off_t byte_count;
@@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp)
 openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
 
 while ((ch = getopt(argc, argv,
- "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+ "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
 switch (ch) {
 case '4':
 family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp)
 anon_only = 1;
 break;
 
+ case 'B':
+#ifdef USE_BLACKLIST
+ use_blacklist = 1;
+#else
+ syslog(LOG_WARNING, "not compiled with USE_BLACKLIST support");
+#endif
+ break;
+
 case 'd':
 ftpdebug++;
 break;
@@ -644,9 +653,7 @@ gotchild:
 reply(220, "%s FTP server (%s) ready.", hostname, version);
 else
 reply(220, "FTP server ready.");
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
+ BLACKLIST_INIT();
 for (;;)
 (void) yyparse();
 /* NOTREACHED */
@@ -1422,9 +1429,7 @@ skip:
 */
 if (rval) {
 reply(530, "Login incorrect.");
-#ifdef USE_BLACKLIST
- blacklist_notify(1, STDIN_FILENO, "Login incorrect");
-#endif
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect");
 if (logging) {
 syslog(LOG_NOTICE,
 "FTP LOGIN FAILED FROM %s",
@@ -1441,12 +1446,9 @@ skip:
 exit(0);
 }
 return;
+ } else {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, STDIN_FILENO, "Login successful");
 }
-#ifdef USE_BLACKLIST
- else {
- blacklist_notify(0, STDIN_FILENO, "Login successful");
- }
-#endif
 }
 login_attempts = 0; /* this time successful */
 if (setegid(pw->pw_gid) < 0) { |
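Review bot: `use_blacklist` is the only flag in this run of globals without a trailing comment; to match its neighbours I would write `int use_blacklist = 0; /* report login results to blacklistd(8) (-B). */`. It is read from blacklist.c through a bare `extern`, so it is also worth noting that it has to be set during option parsing, before `BLACKLIST_INIT()` runs.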
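Review bot: In the `#else` arm of `case 'B'` the daemon logs a warning and keeps running, so a build without USE_BLACKLIST quietly drops the failed-login reporting the administrator asked for, and the message does not say which option triggered it. At minimum name the flag: `syslog(LOG_WARNING, "-B ignored: not compiled with USE_BLACKLIST support");`. Whether this should instead be LOG_ERR or a refusal to start is a policy decision that ftpd.8 should state either way. main() begins and ends outside the hunk.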
