--- /dev/null 2015-01-22 23:10:33.000000000 -0500 +++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500 @@ -0,0 +1,32 @@ +#include "namespace.h" +#include "includes.h" +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "pfilter.h" +#include + +static struct blacklist *blstate; + +void +pfilter_init(void) +{ + blstate = blacklist_open(); +} + +void +pfilter_notify(int a) +{ + int fd; + if (blstate == NULL) + pfilter_init(); + if (blstate == NULL) + return; + // XXX: 3? + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; + (void)blacklist_r(blstate, a, fd, "ssh"); + if (a == 0) { + blacklist_close(blstate); + blstate = NULL; + } +} --- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 @@ -0,0 +1,3 @@ + +void pfilter_notify(int); +void pfilter_init(void); Index: bin/sshd/Makefile =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v retrieving revision 1.10 diff -u -u -r1.10 Makefile --- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 +++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 @@ -15,7 +15,7 @@ auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c \ kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ - roaming_common.c roaming_serv.c sandbox-rlimit.c + roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c COPTS.auth-options.c= -Wno-pointer-sign COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix @@ -68,3 +68,6 @@ LDADD+= -lwrap DPADD+= ${LIBWRAP} + +LDADD+= -lblacklist +DPADD+= ${LIBBLACKLIST} diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c --- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 @@ -103,6 +103,7 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "pfilter.h" extern ServerOptions options; extern Buffer loginmsg; @@ -526,6 +527,7 @@ ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer); else ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); + pfilter_notify(1); buffer_free(&buffer); pthread_exit(NULL); @@ -804,6 +806,7 @@ free(msg); return (0); } + pfilter_notify(1); error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, diff -ru openssh-7.7p1/auth2.c dist/auth2.c --- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 @@ -51,6 +51,7 @@ #include "dispatch.h" #include "pathnames.h" #include "buffer.h" +#include "pfilter.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -242,6 +243,7 @@ } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); + pfilter_notify(1); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_INVALID_USER)); #endif Only in dist: pfilter.c Only in dist: pfilter.h diff -ru openssh-7.7p1/sshd.c dist/sshd.c --- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400 @@ -122,6 +122,7 @@ #include "auth-options.h" #include "version.h" #include "ssherr.h" +#include "pfilter.h" /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@ -346,6 +347,7 @@ static void grace_alarm_handler(int sig) { + pfilter_notify(1); if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) kill(pmonitor->m_pid, SIGALRM); @@ -1835,6 +1837,8 @@ if (test_flag) exit(0); + pfilter_init(); + /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the @@ -2280,6 +2284,9 @@ { struct ssh *ssh = active_state; /* XXX */ + if (i == 255) + pfilter_notify(1); + if (the_authctxt) { do_cleanup(ssh, the_authctxt); if (use_privsep && privsep_is_preauth &&