Add blacklist support to sshd

Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915

crypto/openssh/auth-pam.c

@@ -98,6 +98,9 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 extern ServerOptions options;
 extern Buffer loginmsg;
@@ -794,6 +797,9 @@ sshpam_query(void *ctx, char **name, char **info,
 				free(msg);
 				return (0);
 			}
+#ifdef USE_BLACKLIST
+			blacklist_notify(1);
+#endif
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,

crypto/openssh/auth.c

@@ -75,6 +75,9 @@ __RCSID("$FreeBSD$");
 #include "authfile.h"
 #include "ssherr.h"
 #include "compat.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -306,6 +309,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 	    compat20 ? "ssh2" : "ssh1",
 	    authctxt->info != NULL ? ": " : "",
 	    authctxt->info != NULL ? authctxt->info : "");
+#ifdef USE_BLACKLIST
+	if (!authctxt->postponed)
+		blacklist_notify(!authenticated);
+#endif
 	free(authctxt->info);
 	authctxt->info = NULL;
 
@@ -640,6 +647,9 @@ getpwnamallow(const char *user)
 	}
 #endif
 	if (pw == NULL) {
+#ifdef USE_BLACKLIST
+		blacklist_notify(1);
+#endif
 		logit("Invalid user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN

crypto/openssh/auth1.c

@@ -43,6 +43,9 @@
 #endif
 #include "monitor_wrap.h"
 #include "buffer.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -337,6 +340,9 @@ do_authloop(Authctxt *authctxt)
 			char *msg;
 			size_t len;
 
+#ifdef USE_BLACKLIST
+			blacklist_notify(1);
+#endif
 			error("Access denied for user %s by PAM account "
 			    "configuration", authctxt->user);
 			len = buffer_len(&loginmsg);
@@ -404,6 +410,9 @@ do_authentication(Authctxt *authctxt)
 	else {
 		debug("do_authentication: invalid user %s", user);
 		authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+		blacklist_notify(1);
+#endif
 	}
 
 	/* Configuration may have changed as a result of Match */

crypto/openssh/auth2.c

@@ -52,6 +52,9 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -248,6 +251,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+			blacklist_notify(1);
+#endif
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif

crypto/openssh/blacklist.c

@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "blacklist_client.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+blacklist_init(void)
+{
+	blstate = blacklist_open();
+}
+
+void
+blacklist_notify(int action)
+{
+	int fd;
+	if (blstate == NULL)
+		blacklist_init();
+	if (blstate == NULL)
+		return;
+	fd = packet_get_connection_in();
+	if (!packet_connection_is_on_socket()) {
+		fprintf(stderr, "packet_connection_is_on_socket: false "
+			"(fd = %d)\n", fd);
+	}
+	(void)blacklist_r(blstate, action, fd, "ssh");
+}

crypto/openssh/blacklist_client.h

@@ -0,0 +1,31 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+void blacklist_notify(int);
+void blacklist_init(void);

crypto/openssh/packet.c

@@ -86,6 +86,9 @@ __RCSID("$FreeBSD$");
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 #ifdef PACKET_DEBUG
 #define DBG(x) x
@@ -2071,6 +2074,9 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
 	case SSH_ERR_NO_KEX_ALG_MATCH:
 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 		if (ssh && ssh->kex && ssh->kex->failed_choice) {
+#ifdef USE_BLACKLIST
+			blacklist_notify(1);
+#endif
 			fatal("Unable to negotiate with %.200s port %d: %s. "
 			    "Their offer: %s", ssh_remote_ipaddr(ssh),
 			    ssh_remote_port(ssh), ssh_err(r),

crypto/openssh/sshd.c

@@ -135,6 +135,9 @@ __RCSID("$FreeBSD$");
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "ssherr.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 #ifdef LIBWRAP
 #include <tcpd.h>
@@ -388,6 +391,9 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}
 
+#ifdef USE_BLACKLIST
+	blacklist_notify(1);
+#endif
 	/* Log error and exit. */
 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
@@ -649,6 +655,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 
+#ifdef USE_BLACKLIST
+	blacklist_init();
+#endif
+
 	/* Demote the child */
 	if (getuid() == 0 || geteuid() == 0) {
 		/* Change our root directory */
@@ -1272,6 +1282,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 	for (i = 0; i < options.max_startups; i++)
 		startup_pipes[i] = -1;
 
+#ifdef USE_BLACKLIST
+	blacklist_init();
+#endif
 	/*
 	 * Stay listening for connections until the system crashes or
 	 * the daemon is killed with a signal.

secure/usr.sbin/sshd/Makefile

@@ -40,6 +40,13 @@ CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
 LIBADD+=	bsm
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+SRCS+= blacklist.c
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
 SRCS+=	krb5_config.h