From: Ed Maste
Date: Mon, 18 Dec 2023 17:36:17 GMT
Subject: git: 0fbec53dcfb8 - stable/13 - sshd: do not resolve refused client hostname
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Message-Id: <202312181736.3BIHaHF6021789@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 0fbec53dcfb8d31aa2e3734992e241422e152433

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=0fbec53dcfb8d31aa2e3734992e241422e152433

commit 0fbec53dcfb8d31aa2e3734992e241422e152433
Author:     Gleb Smirnoff
AuthorDate: 2023-07-20 21:56:20 +0000
Commit:     Ed Maste
CommitDate: 2023-12-18 17:35:47 +0000

    sshd: do not resolve refused client hostname

    This is a compromise between POLA and practical reasoning. We don't
    want to block the main server loop in an attempt to resolve. But we
    need to keep the format of the logged message as is, for the sake of
    sshguard and other scripts. So let's print just the IP address twice;
    this is what libwrap's refuse() would do if it failed to resolve.

    Reviewed by:    philip
    PR:             269456
    Differential revision:  https://reviews.freebsd.org/D40069

    (cherry picked from commit 9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225)
---
 crypto/openssh/sshd.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ce8db54a2b72..a82b82d08c14 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1297,13 +1297,24 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) SO_LINGER, &l, sizeof(l)); (void )close(*newsock); /* - * Mimic message from libwrap's refuse() - * exactly. sshguard, and supposedly lots - * of custom made scripts rely on it. + * Mimic message from libwrap's refuse() as + * precisely as we can afford. The authentic + * message prints the IP address and the + * hostname it resolves to in parentheses. If + * the IP address cannot be resolved to a + * hostname, the IP address will be repeated + * in parentheses. As name resolution in the + * main server loop could stall, and logging + * resolved names adds little or no value to + * incident investigation, this implementation + * only repeats the IP address in parentheses. + * This should resemble librwap's refuse() + * closely enough not to break auditing + * software like sshguard or custom scripts. */ syslog(LOG_WARNING, "refused connect from %s (%s)", - eval_client(&req), + eval_hostaddr(req.client), eval_hostaddr(req.client)); debug("Connection refused by tcp wrapper"); continue;
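Review bot: typo in the new comment block of this hunk: "This should resemble librwap's refuse()" should read "libwrap's refuse()", matching the spelling used two sentences earlier in the same comment. Separately, the syslog() call now evaluates eval_hostaddr(req.client) twice for the same argument; consider capturing it once in a local (e.g. "const char *addr = eval_hostaddr(req.client);") and passing addr for both %s fields, which makes the "address repeated in parentheses" intent obvious at the call site without needing the comment to explain it.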
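The commit keeps the libwrap message shape "refused connect from %s (%s)" so that sshguard and custom scripts keep parsing it. The following is an added example, not code from the FreeBSD commit or from sshguard, showing how a log consumer can handle both forms of that line: the pre-change form with a resolved name in parentheses and the post-change form with the address repeated. The syslog prefix, process IDs, hostnames and addresses in SAMPLE_LOG are constructed for the example. The parser keys on the first field only; the parenthesised field is either a PTR-derived name (which the connecting party's DNS operator controls) or the address again, so it is never used for blocking decisions.

```python
"""Parse libwrap-style "refused connect from" lines as a blocker would.

Added example (not part of the FreeBSD commit or of sshguard). It shows
that the message format preserved by the commit parses identically
whether the parenthesised field is a resolved hostname or the repeated
IP address, and that only the first field is acted on.
"""
import ipaddress
import re

# "refused connect from <addr> (<name-or-addr>)". The first field is the
# peer address sshd saw; the second is untrusted (a PTR name or the same
# address) and is captured only so the whole message shape is validated.
REFUSED_RE = re.compile(
    r"sshd\[\d+\]: refused connect from (?P<addr>\S+) \((?P<paren>[^)]*)\)"
)


def format_refused_message(addr, resolved_name=None):
    """Build the message as libwrap's refuse() would: the resolved name in
    parentheses when resolution succeeded, otherwise the address twice.
    After this commit sshd always takes the second branch."""
    return "refused connect from %s (%s)" % (addr, resolved_name or addr)


def parse_refused(line):
    """Return the refused client address as an ipaddress object, or None
    when the line is not a refusal or the address field is not an IP."""
    m = REFUSED_RE.search(line)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group("addr"))
    except ValueError:
        # A non-address in the first field means the line is not the
        # libwrap format we expect; do not block on a guess.
        return None


def refused_addresses(lines):
    """Addresses (as strings) that a sshguard-style blocker would act on."""
    out = []
    for line in lines:
        addr = parse_refused(line)
        if addr is not None:
            out.append(str(addr))
    return out


# Constructed sample lines, not real logs. Line 1 is the pre-change form
# with a resolved name; lines 2 and 3 are the post-change repeated-address
# form (IPv4 and IPv6); line 4 is an unrelated sshd message.
SAMPLE_LOG = [
    "Dec 18 17:36:17 host sshd[21789]: refused connect from 192.0.2.10 (scanner.example.net)",
    "Dec 18 17:36:18 host sshd[21790]: refused connect from 192.0.2.10 (192.0.2.10)",
    "Dec 18 17:36:19 host sshd[21791]: refused connect from 2001:db8::5 (2001:db8::5)",
    "Dec 18 17:36:20 host sshd[21792]: Connection closed by 198.51.100.7 port 51234 [preauth]",
]

if __name__ == "__main__":
    for a in refused_addresses(SAMPLE_LOG):
        print(a)
```

Running the block prints the three refused addresses and ignores the unrelated line; a round trip through format_refused_message() and parse_refused() yields the same address for both the resolved-name and repeated-address forms, which is exactly the compatibility the commit message relies on.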