At Mon, 14 Apr 2025 09:27:55 -0400, Greg Troxel <gdt%lexort.com@localhost> wrote:
Subject: Re: "add blocklistd support to service XYZ for dummies" or equivalent?

> > See src/crypto/external/bsd/openssh/dist

Probably a bad example because it has evolved poorly over the history of blocklistd, though it is one of the more complex ones so has some lessons!

> Wonder why 1 is used with pfilter_notify instead of
> BLOCKLIST_AUTH_FAIL. Realize it's probably because <blocklist.h> is
> not included in pfilter.h, but that blocklist.h should be included, or
> perhaps pfilter_notify_auth_fail should be defined and called instead,
> or

That's a bug -- probably due to the history of its integration.

> Wonder why pfilter_notify is never called with 0==BLOCKLIST_AUTH_OK.

Again, another bug for sure, and this one often has very serious consequences for authorized ssh users! I've been cut off from hosts many times before I found this bug and fixed it in my local copy. I still need to bring those patches up to date with the latest sshd and offer them up. I think the worst bug has been fixed, but there's still opportunity for a DoS from another local user. Getting away from CVS and moving to Git would certainly help me with managing such patches.

> read the comment in sshd-session.c:
> n.b. hosts_access(3) has logged and notified blocklistd
> and feel befuddled, because hosts_access(3) does not document doing
> anything with blocklist.
> See src/lib/libwrap, and figure out that if tcpwrappers refuses the
> connection, then a failure report is made, but that no success
> report is ever made. Realize this makes sense, but that the libwrap
> documentation and the comment in ssh makes this very confusing

The integration of libwrap in ssh also has a long history of evolution and now NetBSD is alone in maintaining it (I think).
I still believe it's a good idea to have this integration as it maintains consistency and backwards support for many existing installations, but it has some different consequences now with blocklistd that must be taken into account.

At minimum hosts_access(3) must have its use of blocklist documented! I think it may be my fault there's no mention there yet. I will work on writing something up.

You'll see comments in lib/libwrap/hosts_access.c questioning various places pfilter_notify(BLOCKLIST_AUTH_OK) maybe should be added. Those were added in the patch I sent Christos to add blocklistd support to libwrap, but he didn't choose to uncomment any of them at the time. For my patched version of sshd that doesn't matter as it will do that call, but perhaps for other users of libwrap it might?

Maybe sshd is a special case where it should have full control over all connection states and handling as well as blocklistd integration and as such libwrap support should be removed -- but that would remove a level of access control that many, myself included, would have to migrate elsewhere.

--
Greg A. Woods <gwoods%acm.org@localhost>
Kelowna, BC  +1 250 762-7675      RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>  Avoncote Farms <woods%avoncote.ca@localhost>
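The failure mode discussed in this thread, a daemon that reports BLOCKLIST_AUTH_FAIL for every wrong password but never reports BLOCKLIST_AUTH_OK when the user eventually gets in, shown in a constructed model. This is an added example, not code from the thread, from OpenSSH or from blocklistd, and it does not link against libblocklist: on NetBSD the daemon-side calls are blocklist_open(3) and blocklist_r(3) with the BLOCKLIST_AUTH_* constants from <blocklist.h>, and the small counter-and-threshold table below stands in for blocklistd's own state handling (the nfail threshold of 3, the single-address table and the client address 192.0.2.10 are all assumptions of the model).

```c
#include <stdio.h>
#include <string.h>

/* Action codes.  These match the numeric values of BLOCKLIST_AUTH_OK and
 * BLOCKLIST_AUTH_FAIL in NetBSD's <blocklist.h> (0 and 1, as the thread
 * notes); a real daemon passes them to blocklist_r(3) instead of the
 * model_notify() stand-in used here. */
enum { AUTH_OK = 0, AUTH_FAIL = 1 };

#define MAX_PEERS 16

struct peer {
    char addr[48];   /* client address as text */
    int  fails;      /* reported failures since the last success */
    int  blocked;    /* 1 once the threshold is hit (firewall rule added) */
};

/* Constructed stand-in for blocklistd's state table: one failure counter
 * per client address plus a threshold (the nfail field of blocklistd.conf). */
struct model {
    struct peer peers[MAX_PEERS];
    int npeers;
    int nfail;
};

static void model_init(struct model *m, int nfail)
{
    memset(m, 0, sizeof *m);
    m->nfail = nfail;
}

static struct peer *model_peer(struct model *m, const char *addr)
{
    for (int i = 0; i < m->npeers; i++)
        if (strcmp(m->peers[i].addr, addr) == 0)
            return &m->peers[i];
    if (m->npeers == MAX_PEERS)
        return NULL;
    struct peer *p = &m->peers[m->npeers++];
    snprintf(p->addr, sizeof p->addr, "%s", addr);
    return p;
}

/* What one report does to the table: a failure bumps the counter and
 * blocks the address when it reaches nfail; a success clears the counter
 * (a simplification of blocklistd dropping the state entry).  Returns the
 * peer's blocked flag, or -1 if the table is full. */
int model_notify(struct model *m, const char *addr, int action)
{
    struct peer *p = model_peer(m, addr);
    if (p == NULL)
        return -1;
    if (action == AUTH_OK) {
        p->fails = 0;
    } else {
        p->fails++;
        if (p->fails >= m->nfail)
            p->blocked = 1;
    }
    return p->blocked;
}

int model_is_blocked(struct model *m, const char *addr)
{
    struct peer *p = model_peer(m, addr);
    return p != NULL && p->blocked;
}

/* One login session from addr: the user mistypes `wrong` passwords, then
 * types the right one.  report_ok == 0 behaves like the sshd described in
 * the thread (failures reported, the eventual success not); report_ok == 1
 * also reports the success, which is what lets blocklistd forgive earlier
 * slips.  Returns 1 if the user got in. */
int session(struct model *m, const char *addr, int wrong, int report_ok)
{
    if (model_is_blocked(m, addr))
        return 0;                  /* firewall drops the connection */
    for (int i = 0; i < wrong; i++)
        model_notify(m, addr, AUTH_FAIL);
    if (model_is_blocked(m, addr))
        return 0;                  /* threshold hit during this session */
    if (report_ok)
        model_notify(m, addr, AUTH_OK);
    return 1;
}

/* `logins` sessions from one address, each with `wrong` slips before the
 * correct password.  Returns how many of them got in. */
int run_scenario(struct model *m, const char *addr, int logins, int wrong, int report_ok)
{
    int ok = 0;
    for (int i = 0; i < logins; i++)
        ok += session(m, addr, wrong, report_ok);
    return ok;
}

int main(void)
{
    struct model m;
    const char *addr = "192.0.2.10";   /* constructed client address */

    model_init(&m, 3);
    printf("never reports AUTH_OK: %d of 3 logins got in, blocked=%d\n",
           run_scenario(&m, addr, 3, 1, 0), model_is_blocked(&m, addr));

    model_init(&m, 3);
    printf("reports AUTH_OK:       %d of 3 logins got in, blocked=%d\n",
           run_scenario(&m, addr, 3, 1, 1), model_is_blocked(&m, addr));
    return 0;
}
```

With a threshold of 3, a legitimate user who fumbles one password per login is locked out on the third login when successes are never reported, because the count only ever grows; reporting AUTH_OK after each successful login resets it and the same user is never blocked. The libwrap behaviour described in the thread (a refusal reports a failure, an accepted connection reports nothing) has the same shape: whoever makes the success report has to exist somewhere in the path, or the counter only counts up.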