

preliminary patch for making blacklistd in sshd configurable



Right now, if sshd is running but blacklistd is not, sshd logs an error
about being unable to connect to the blacklistd socket every time it
tries to report an event to it.

This patch makes it possible to turn off blacklistd support in
sshd_config. It is preliminary (e.g. missing documentation) but does
anyone object to the basic concept or approach?

(Reasons one might have sshd on and not blacklistd: haven't got around
to configuring the latter; private network; already have a different
scheme in place)

Index: servconf.h
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/servconf.h,v
retrieving revision 1.11
diff -u -p -r1.11 servconf.h
--- servconf.h	3 Apr 2015 23:58:19 -0000	1.11
+++ servconf.h	23 May 2015 04:52:32 -0000
@@ -209,6 +209,7 @@ typedef struct {
 	char   *auth_methods[MAX_AUTH_METHODS];
 
 	int	fingerprint_hash;
+	int	use_blacklist;
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */
Index: servconf.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/servconf.c,v
retrieving revision 1.17
diff -u -p -r1.17 servconf.c
--- servconf.c	3 Apr 2015 23:58:19 -0000	1.17
+++ servconf.c	23 May 2015 04:52:33 -0000
@@ -205,6 +205,7 @@ initialize_server_options(ServerOptions 
 	options->tcp_rcv_buf_poll = -1;
 	options->hpn_disabled = -1;
 	options->hpn_buffer_size = -1;
+	options->use_blacklist = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -475,6 +476,11 @@ fill_default_server_options(ServerOption
 	for (i = 0; i < options->num_host_cert_files; i++)
 		CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
+
+	/* blacklist on by default */
+	if (options->use_blacklist == -1) {
+		options->use_blacklist = 1;
+	}
 }
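Review bot: The braces around the single-statement default at `if (options->use_blacklist == -1) {` differ from how the other `== -1` defaults in fill_default_server_options appear to be written (brace-less; the rest of that function is outside this hunk, so this is from memory of the file). More importantly, the comment should say why this is on by default, since it is the one setting where a wrong default silently stops failed-login reporting: `/* Report to blacklistd unless explicitly disabled: an unconfigured host must not lose reporting by accident. */`. Then write `if (options->use_blacklist == -1)` / `options->use_blacklist = 1;` without braces.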
 
 /* Keyword tokens. */
@@ -499,6 +505,7 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
+	sUseBlacklist,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
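Review bot: `sUseBlacklist` is inserted between `sHostbasedAuthentication` and `sHostbasedUsesNameFromPacketOnly`, splitting the run of Hostbased tokens. The keyword table in the next hunk places `useblacklist` directly after `usedns`, so the enum should follow the same order: move the token to immediately after `sUseDNS` on the preceding line. Purely cosmetic, but it keeps the two lists readable side by side.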
@@ -621,6 +628,7 @@ static struct {
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
@@ -1444,6 +1452,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_dns;
 		goto parse_flag;
 
+	case sUseBlacklist:
+		intptr = &options->use_blacklist;
+		goto parse_flag;
+
 	case sLogFacility:
 		log_facility_ptr = &options->log_facility;
 		arg = strdelim(&cp);
@@ -2426,6 +2438,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
Index: pfilter.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/pfilter.c,v
retrieving revision 1.2
diff -u -p -r1.2 pfilter.c
--- pfilter.c	26 Jan 2015 03:57:17 -0000	1.2
+++ pfilter.c	23 May 2015 04:52:33 -0000
@@ -1,11 +1,19 @@
+#include "includes.h"
 #include "namespace.h"
 #include "ssh.h"
 #include "packet.h"
 #include "log.h"
+#include "buffer.h" // XXX required by servconf.h
+#include "misc.h" // XXX required by servconf.h
+#include "servconf.h"
 #include "pfilter.h"
 #include <blacklist.h>
 
 #ifndef SMALL
+extern ServerOptions options;
+#endif
+
+#ifndef SMALL
 static struct blacklist *blstate;
 #endif
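Review bot: The new `extern ServerOptions options;` sits in its own `#ifndef SMALL` that is immediately followed by a second `#ifndef SMALL` for `blstate`; fold the two into a single guard holding both declarations. The `// XXX required by servconf.h` remarks on the `buffer.h` and `misc.h` includes read as unresolved work; if that include order is simply how the other sshd sources satisfy servconf.h's dependencies (I cannot see them here), replace the XXX markers with a plain `/* prerequisites of servconf.h */` so nobody later tries to "fix" them.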
 
@@ -13,6 +21,8 @@ void
 pfilter_init()
 {
 #ifndef SMALL
+	if (options.use_blacklist == 0)
+		return;
 	blstate = blacklist_open();
 #endif
 }
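Review bot: The guard `if (options.use_blacklist == 0)` treats the unset value -1 (assigned in initialize_server_options) as enabled, so if pfilter_init is ever reached before fill_default_server_options has run, reporting silently stays on; that is the safe direction for a security control, but it is not obvious from the code and deserves a comment such as `/* -1 (not yet configured) counts as enabled; only an explicit "no" turns reporting off. */`. It would also help later incident analysis to record the disabled state once, e.g. `debug("blacklistd reporting disabled by UseBlacklist");` before the `return`, so an operator wondering why blacklistd never saw any failures can tell from a debug log that sshd never opened the socket, as opposed to the connection having failed.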
@@ -22,6 +32,8 @@ pfilter_notify(int a)
 {
 #ifndef SMALL
 	int fd;
+	if (options.use_blacklist == 0)
+		return;
 	if (blstate == NULL)
 		pfilter_init();
 	if (blstate == NULL)
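Review bot: The new early return in pfilter_notify duplicates the test added to pfilter_init; since the lazy `pfilter_init()` call two lines down would return with `blstate` still NULL and the following `if (blstate == NULL)` presumably bails out (its body is past the end of this hunk, as is the rest of pfilter_notify), the duplicate is a cheap fast path rather than a correctness requirement. Say so in place, `/* fast path: skip the lazy open entirely when disabled */`, so a later reader does not "deduplicate" the check by removing the one in pfilter_init, which is the one that protects any other caller.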


-- 
David A. Holland
dholland%netbsd.org@localhost

