openssh: blocklist: Use NetBSD probes

Use NetBSD probe locations for consistency.  We have submitted all
improved or missing probes, keeping them synchronized with NetBSD (our
blocklist upstream) should simplify upgrades and maintenance, as the
locations of these probes are a moving target, depending on upstream
OpenSSH changes.

Additionally, use BLACKLIST_AUTH_FAIL exclusively for now.  At the time
of this commit BLACKLIST_BAD_USER, is a no-op.  However, it will change
in a future upgrade.

Also, enhance blacklist notification messages for better debugging by
making them more descriptive.

Reviewed by:	emaste
Approved by:	emaste (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D52749
This commit is contained in:
Jose Luis Duran
2025-09-29 16:32:36 +00:00
parent 1060684b04
commit e02003bce7
6 changed files with 30 additions and 16 deletions
+2 -2
View File
@@ -937,8 +937,8 @@ sshpam_query(void *ctx, char **name, char **info,
sshbuf_free(buffer);
return (0);
}
BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER,
sshpam_authctxt->user);
BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
"PAM illegal user");
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
+4 -2
View File
@@ -289,7 +289,8 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
"Authenticated");
}
if ((extra = format_method_key(authctxt)) == NULL) {
@@ -338,6 +339,7 @@ auth_maxtries_exceeded(struct ssh *ssh)
{
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d ssh2",
authctxt->valid ? "" : "invalid user ",
@@ -498,7 +500,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
aix_restoreauthdb();
#endif
if (pw == NULL) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user");
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
+1 -4
View File
@@ -52,7 +52,6 @@
#include "dispatch.h"
#include "pathnames.h"
#include "ssherr.h"
#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -443,10 +442,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
}
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
+12 -2
View File
@@ -85,6 +85,8 @@
#include "misc.h"
#include "servconf.h"
#include "monitor.h"
#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -353,16 +355,24 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
}
}
if (authctxt->failures > options.max_authtries) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
"Too many authentication attempts");
/* Shouldn't happen */
fatal_f("privsep child made too many authentication "
"attempts");
}
}
if (!authctxt->valid)
if (!authctxt->valid) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
"Authenticated invalid user");
fatal_f("authenticated invalid user");
if (strcmp(auth_method, "unknown") == 0)
}
if (strcmp(auth_method, "unknown") == 0) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
"Authentication method name unknown");
fatal_f("authentication method name unknown");
}
debug_f("user %s authenticated by privileged process", authctxt->user);
auth_attempted = 0;
-2
View File
@@ -96,7 +96,6 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -2022,7 +2021,6 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap)
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh->kex && ssh->kex->failed_choice) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
+11 -4
View File
@@ -217,6 +217,8 @@ mm_is_monitor(void)
static void
grace_alarm_handler(int sig)
{
BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
"Grace period expired");
/*
* Try to kill any processes that we have spawned, E.g. authorized
* keys command helpers or privsep children.
@@ -1201,6 +1203,8 @@ main(int ac, char **av)
ssh_signal(SIGCHLD, SIG_DFL);
ssh_signal(SIGINT, SIG_DFL);
BLACKLIST_INIT();
/*
* Register our connection. This turns encryption off because we do
* not have a key.
@@ -1277,8 +1281,10 @@ main(int ac, char **av)
}
if ((r = kex_exchange_identification(ssh, -1,
options.version_addendum)) != 0)
options.version_addendum)) != 0) {
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
sshpkt_fatal(ssh, r, "banner exchange");
}
ssh_packet_set_nonblocking(ssh);
@@ -1298,8 +1304,6 @@ main(int ac, char **av)
fatal("sshbuf_new loginmsg failed");
auth_debug_reset();
BLACKLIST_INIT();
if (privsep_preauth(ssh) != 1)
fatal("privsep_preauth failed");
@@ -1425,7 +1429,10 @@ cleanup_exit(int i)
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
/* Override default fatal exit value when auth was attempted */
if (i == 255 && auth_attempted)
if (i == 255 && auth_attempted) {
BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
"Fatal exit");
_exit(EXIT_AUTH_ATTEMPTED);
}
_exit(i);
}