git: 3d246db08333 - main - blocklist: Add back probes

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Jose Luis Duran <jlduran_at_FreeBSD.org>
Date: Sat, 16 May 2026 22:03:05 UTC
The branch main has been updated by jlduran:

URL: https://cgit.FreeBSD.org/src/commit/?id=3d246db08333c06df343281d5aaebfd07ea08252

commit 3d246db08333c06df343281d5aaebfd07ea08252
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2026-05-16 22:00:02 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2026-05-16 22:00:02 +0000

    blocklist: Add back probes
    
    The banner exchange was moved to the sshd-auth process in upstream
    commit bb781f02d4efd178e329a62a838962bee16e3e9b.  Add it back.
    
    Add back fatal exit probe.
    
    NetBSD PR:      bin/60270 (GNATS)
    Reviewed by:    emaste
    Fixes:          2574974648c6 ("OpenSSH: Update to 10.3p1")
    Differential Revision:  https://reviews.freebsd.org/D57027
---
 crypto/openssh/sshd-auth.c    | 5 ++++-
 crypto/openssh/sshd-session.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh/sshd-auth.c b/crypto/openssh/sshd-auth.c
index 76350a2a3501..e335bda8ee48 100644
--- a/crypto/openssh/sshd-auth.c
+++ b/crypto/openssh/sshd-auth.c
@@ -96,6 +96,7 @@
 #include "srclimit.h"
 #include "ssh-sandbox.h"
 #include "dh.h"
+#include "blocklist_client.h"
 
 /* Privsep fds */
 #define PRIVSEP_MONITOR_FD		(STDERR_FILENO + 1)
@@ -812,8 +813,10 @@ do_ssh2_kex(struct ssh *ssh)
 	free(hkalgs);
 
 	if ((r = kex_exchange_identification(ssh, -1,
-	    options.version_addendum)) != 0)
+	    options.version_addendum)) != 0) {
+		BLOCKLIST_NOTIFY(ssh, BLOCKLIST_AUTH_FAIL, "Banner exchange");
 		sshpkt_fatal(ssh, r, "banner exchange");
+	}
 	mm_sshkey_setcompat(ssh); /* tell monitor */
 
 	if ((ssh->compat & SSH_BUG_NOREKEY))
diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c
index ae41b4d7595f..26a361fe621e 100644
--- a/crypto/openssh/sshd-session.c
+++ b/crypto/openssh/sshd-session.c
@@ -1369,8 +1369,11 @@ cleanup_exit(int i)
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 	/* Override default fatal exit value when auth was attempted */
-	if (i == 255 && monitor_auth_attempted())
+	if (i == 255 && monitor_auth_attempted()) {
+		BLOCKLIST_NOTIFY(the_active_state, BLOCKLIST_AUTH_FAIL,
+		    "Fatal exit");
 		_exit(EXIT_AUTH_ATTEMPTED);
+	}
 	if (i == 255 && monitor_invalid_user())
 		_exit(EXIT_INVALID_USER);
 	_exit(i);