NetBSD-Bugs archive
bin/59200: blocklistd: Exit probe location considers a normal session exit as an nfail
>Number: 59200
>Category: bin
>Synopsis: blocklistd: Exit probe location considers a normal session exit as an nfail
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 20 21:15:00 +0000 2025
>Originator: Jose Luis Duran
>Release: 10.99.12
>Organization:
>Environment:
NetBSD netbsd.home.arpa 10.99.12 NetBSD 10.99.12 (GENERIC) #1: Wed Mar 19 21:01:56 UTC 2025 jlduran%netbsd.home.arpa@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
On a system with blocklistd configured to ban SSH, whenever a normal SSH session exits, a count towards nfail is generated.
>How-To-Repeat:
Configure a system with blocklistd following this procedure:
https://wiki.netbsd.org/tutorials/setting_up_blocklistd/
SSH into the system and exit, inspect the logs (/var/log/messages):
processing type=4 fd=6 remote=192.0.2.1:1234 msg=ssh uid=0 gid=0
(type and msg change submitted elsewhere, but irrelevant to this issue)
>Fix:
The fix I have been using is the following:
Subject: [PATCH] blocklistd: Change exit probe location
Move the probe where not only an exit status 255 is checked, but also an
authentication was attempted. This facility was added by OpenSSH commit
81c1099d2 ("upstream: Add a facility to sshd(8) to penalise particular")
which affords us to remove all occurrences of cleanup exit renumbering,
as well as to avoid counting a normal session exit as an nfail.
---
crypto/external/bsd/openssh/dist/log.c | 2 +-
crypto/external/bsd/openssh/dist/monitor.c | 2 +-
crypto/external/bsd/openssh/dist/mux.c | 2 +-
crypto/external/bsd/openssh/dist/packet.c | 2 +-
crypto/external/bsd/openssh/dist/serverloop.c | 2 +-
crypto/external/bsd/openssh/dist/session.c | 2 +-
crypto/external/bsd/openssh/dist/sshd-session.c | 7 +++----
7 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/crypto/external/bsd/openssh/dist/log.c b/crypto/external/bsd/openssh/dist/log.c
index 3476a525bf77..c97f07626fd4 100644
--- a/crypto/external/bsd/openssh/dist/log.c
+++ b/crypto/external/bsd/openssh/dist/log.c
@@ -415,7 +415,7 @@ sshlogdie(const char *file, const char *func, int line, int showfunc,
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_INFO,
suffix, fmt, args);
va_end(args);
- cleanup_exit(254);
+ cleanup_exit(255);
}
void
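Review bot: sshlogdie() backs the logdie() macro, so restoring cleanup_exit(255) here makes every logdie() path in sshd-session a candidate for pfilter_notify() again whenever auth_attempted is set. sshfatal() in the same file, which is what fatal() calls, is not touched by this diff, so confirm it already exits with 255 so the two paths stay consistent. The commit message says all renumbered occurrences are removed; the diffstat covers seven files, so a `grep -rn 'cleanup_exit(254)'` over crypto/external/bsd/openssh/dist is worth running before commit to make sure none remain.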
diff --git a/crypto/external/bsd/openssh/dist/monitor.c b/crypto/external/bsd/openssh/dist/monitor.c
index 716cfdb73227..d0222023d9e8 100644
--- a/crypto/external/bsd/openssh/dist/monitor.c
+++ b/crypto/external/bsd/openssh/dist/monitor.c
@@ -1575,7 +1575,7 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
if (getpeername(ssh_packet_get_connection_in(ssh),
(struct sockaddr *)&from, &fromlen) == -1) {
debug("getpeername: %.100s", strerror(errno));
- cleanup_exit(254);
+ cleanup_exit(255);
}
}
/* Record that there was a login on that tty from the remote host. */
diff --git a/crypto/external/bsd/openssh/dist/mux.c b/crypto/external/bsd/openssh/dist/mux.c
index b24b838a16cb..ecb366fd57c9 100644
--- a/crypto/external/bsd/openssh/dist/mux.c
+++ b/crypto/external/bsd/openssh/dist/mux.c
@@ -1311,7 +1311,7 @@ muxserver_listen(struct ssh *ssh)
return;
} else {
/* unix_listener() logs the error */
- cleanup_exit(254);
+ cleanup_exit(255);
}
}
diff --git a/crypto/external/bsd/openssh/dist/packet.c b/crypto/external/bsd/openssh/dist/packet.c
index dc78a1674283..8ec85ac1fb19 100644
--- a/crypto/external/bsd/openssh/dist/packet.c
+++ b/crypto/external/bsd/openssh/dist/packet.c
@@ -2085,7 +2085,7 @@ ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...)
/* Close the connection. */
ssh_packet_close(ssh);
- cleanup_exit(254);
+ cleanup_exit(255);
}
/*
diff --git a/crypto/external/bsd/openssh/dist/serverloop.c b/crypto/external/bsd/openssh/dist/serverloop.c
index 9c64ffc21796..39451557e1a5 100644
--- a/crypto/external/bsd/openssh/dist/serverloop.c
+++ b/crypto/external/bsd/openssh/dist/serverloop.c
@@ -289,7 +289,7 @@ process_input(struct ssh *ssh, int connection_in)
logit("Read error from remote host %s port %d: %s",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
strerror(errno));
- cleanup_exit(254);
+ cleanup_exit(255);
}
return -1;
}
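Review bot: note the direction of the change here. With 254 this read-error path never reached pfilter_notify(); with 255 it now does whenever auth_attempted is set, so a client that sends an authentication attempt and then drops the connection is counted as a failure by blocklistd. That is likely the intended behaviour, but it is a visible change for existing blocklistd deployments and the commit message should state it explicitly; the same applies to the other five 254 -> 255 sites in this patch.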
diff --git a/crypto/external/bsd/openssh/dist/session.c b/crypto/external/bsd/openssh/dist/session.c
index 2c75688750d6..3c162408aadf 100644
--- a/crypto/external/bsd/openssh/dist/session.c
+++ b/crypto/external/bsd/openssh/dist/session.c
@@ -722,7 +722,7 @@ do_login(struct ssh *ssh, Session *s, const char *command)
if (getpeername(ssh_packet_get_connection_in(ssh),
(struct sockaddr *)&from, &fromlen) == -1) {
debug("getpeername: %.100s", strerror(errno));
- cleanup_exit(254);
+ cleanup_exit(255);
}
}
diff --git a/crypto/external/bsd/openssh/dist/sshd-session.c b/crypto/external/bsd/openssh/dist/sshd-session.c
index a9df3d1de4bb..6d94b1ca350f 100644
--- a/crypto/external/bsd/openssh/dist/sshd-session.c
+++ b/crypto/external/bsd/openssh/dist/sshd-session.c
@@ -1452,9 +1452,6 @@ cleanup_exit(int i)
{
extern int auth_attempted; /* monitor.c */
- if (i == 255)
- pfilter_notify(1);
-
if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt);
if (privsep_is_preauth &&
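Review bot: moving pfilter_notify(1) below this block changes its ordering: it now runs after do_cleanup() and after the privsep child has been killed, instead of before any teardown. libblocklist reports the peer to blocklistd by passing the connection socket, so check that do_cleanup() does not close or otherwise invalidate the descriptor that pfilter_notify() obtains from the active state before the call is reached; if it can, the notify should stay above this block but under the same `i == 255 && auth_attempted` condition.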
@@ -1468,7 +1465,9 @@ cleanup_exit(int i)
}
}
/* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
+ if (i == 255 && auth_attempted) {
+ pfilter_notify(1);
_exit(EXIT_AUTH_ATTEMPTED);
+ }
_exit(i);
}
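Review bot: the new condition is the crux of the fix and hinges on auth_attempted being set only by an actual authentication attempt. Confirm it is never set on a successful authentication: it is a monitor.c global that persists in the privileged process after auth, so a post-authentication exit through cleanup_exit(255), for example the getpeername() failure in mm_record_login() touched by this diff, would otherwise still count against the client and the PR's "normal session exit" case would not be fixed. It also means every exit with status 255 after an attempt, not only wrong-credential failures, is reported to blocklistd; if that is intended, say so in the commit message. Minor: the added braces follow the existing style, but the comment above the block now describes only half of what it does and should mention the blocklistd notification as well.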
--
Jose Luis Duran