blocklist: Add back probes
The banner exchange was moved to the sshd-auth process in upstream
commit bb781f02d4efd178e329a62a838962bee16e3e9b. Add it back.
Add back fatal exit probe.
NetBSD PR: bin/60270 (GNATS)
Reviewed by: emaste
Fixes: 2574974648 ("OpenSSH: Update to 10.3p1")
Differential Revision: https://reviews.freebsd.org/D57027
@@ -96,6 +96,7 @@
|
||||
#include "srclimit.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "dh.h"
|
||||
#include "blocklist_client.h"
|
||||
|
||||
/* Privsep fds */
|
||||
#define PRIVSEP_MONITOR_FD (STDERR_FILENO + 1)
|
||||
@@ -812,8 +813,10 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
free(hkalgs);
|
||||
|
||||
if ((r = kex_exchange_identification(ssh, -1,
|
||||
options.version_addendum)) != 0)
|
||||
options.version_addendum)) != 0) {
|
||||
BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange");
|
||||
sshpkt_fatal(ssh, r, "banner exchange");
|
||||
}
|
||||
mm_sshkey_setcompat(ssh); /* tell monitor */
|
||||
|
||||
if ((ssh->compat & SSH_BUG_NOREKEY))
|
||||
|
||||
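Review bot: The new `BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange")` call in do_ssh2_kex fires for every non-zero return of kex_exchange_identification() without looking at `r`, so a peer that times out or disconnects before sending a banner is reported the same way as a failed authentication. If the blocklist daemon counts these events toward its block threshold, TCP health checks and monitoring probes from legitimate hosts could end up blocked. Either state the intent at the call, e.g. `/* Any banner failure is reported as an auth failure, including timeouts and early disconnects */`, or filter on `r` if that is not wanted. The file also includes ssh-sandbox.h, and it is not visible from this hunk whether the blocklist channel is reachable from this process, so it is worth confirming that the notification is delivered rather than silently dropped. do_ssh2_kex starts and ends outside the hunk.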
@@ -1369,8 +1369,11 @@ cleanup_exit(int i)
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
/* Override default fatal exit value when auth was attempted */
|
||||
if (i == 255 && monitor_auth_attempted())
|
||||
if (i == 255 && monitor_auth_attempted()) {
|
||||
BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL,
|
||||
"Fatal exit");
|
||||
_exit(EXIT_AUTH_ATTEMPTED);
|
||||
}
|
||||
if (i == 255 && monitor_invalid_user())
|
||||
_exit(EXIT_INVALID_USER);
|
||||
_exit(i);
|
||||
|
||||
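Review bot: In cleanup_exit the added `BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL, "Fatal exit")` passes `the_active_state` unchecked, on a path reached only with exit value 255, immediately before `_exit(EXIT_AUTH_ATTEMPTED)`. The hunk does not show whether the pointer can still be NULL at this point or whether the macro tolerates that, so unless that is guaranteed elsewhere, guard it with `if (the_active_state != NULL)` or add a comment stating why it is safe. Because the process calls `_exit()` right after, the notification also has to complete synchronously and must not itself call a fatal handler, which would re-enter cleanup_exit; a comment saying so would help. The `monitor_invalid_user()` branch just below exits without a matching notification; if that case is reported elsewhere, say so in the comment. cleanup_exit begins outside the hunk.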