Date:      Sun, 19 Feb 2017 16:18:19 -0700
From:      Ian Lepore <ian@freebsd.org>
To:        lidl@FreeBSD.org, Oliver Pinter <oliver.pinter@hardenedbsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r313965 - head/crypto/openssh
Message-ID:  <1487546299.73144.110.camel@freebsd.org>
In-Reply-To: <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org>
References:  <201702192035.v1JKZdie080791@repo.freebsd.org> <CAPQ4fftcvpWJ=5DG2YNUB4WQUzJPKa_Tzm28MvKrEFzC3dYqUg@mail.gmail.com> <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org>

On Sun, 2017-02-19 at 18:06 -0500, Kurt Lidl wrote:
> On 2/19/17 4:42 PM, Oliver Pinter wrote:
> > 
> > Hello!
> > 
> > On 2/19/17, Kurt Lidl <lidl@freebsd.org> wrote:
> > > 
> > > Author: lidl
> > > Date: Sun Feb 19 20:35:39 2017
> > > New Revision: 313965
> > > URL: https://svnweb.freebsd.org/changeset/base/313965
> > > 
> > > Log:
> > >   Only notify blacklistd for successful logins in auth.c
> > What's the rationale behind this change?
> Without this change, every pass through auth.c results in a
> call to blacklist_notify().
> 
> So, in a normal remote login, you'd get a failed
> login flagged for the printing of the "xxx login:" prompt,
> before the remote user could enter a password.
> 
> If the user successfully entered a good password,
> you'd get a good login flagged, and everything would be OK.
> 
> If the user entered an incorrect password, you'd get
> another failed login in auth1.c (or auth2.c), and finally,
> when sshd got around to issuing the second "xxx login:"
> prompt, you'd have yet another failed login notice sent
> to blacklistd.
> 
> So, if you had 3 bad logins set to the limit, you'd actually
> be blocking the address after the first bad login attempt.
> 
> -Kurt
> 

I would contend that this explanation, exactly as written, should have
been part of the commit message.  It's a perfect example of explaining
*why* a change was made, instead of just saying what was changed.

-- Ian

> > 
> > 
> > > 
> > > 
> > >   Reported by:	Rick Adams
> > >   Reviewed by:	des
> > >   MFC after:	3 days
> > >   Sponsored by:	The FreeBSD Foundation
> > > 
> > > Modified:
> > >   head/crypto/openssh/auth.c
> > > 
> > > Modified: head/crypto/openssh/auth.c
> > > =================================================================
> > > =============
> > > --- head/crypto/openssh/auth.c	Sun Feb 19 19:56:12 2017	
> > > (r313964)
> > > +++ head/crypto/openssh/auth.c	Sun Feb 19 20:35:39 2017	
> > > (r313965)
> > > @@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
> > >  		authmsg = "Partial";
> > >  	else {
> > >  		authmsg = authenticated ? "Accepted" : "Failed";
> > > -		BLACKLIST_NOTIFY(authenticated ?
> > > -		    BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
> > > +		if (authenticated)
> > > +			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
> > >  	}
> > > 
> > >  	authlog("%s %s%s%s for %s%.100s from %.200s port %d
> > > %s%s%s",
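Review bot: the hunk removes the BLACKLIST_AUTH_FAIL notification from auth_log() without leaving any trace of where failures are reported instead, so a reader of auth.c alone will conclude that sshd never tells blacklistd about failed logins. Add a comment above the new `if (authenticated)` line, e.g. `/* Failures are reported to blacklistd from auth1.c/auth2.c; reporting them here too counts each bad password more than once. */`, and carry that rationale (the prompt, wrong-password, second-prompt sequence explained in this thread) into the commit message rather than the one-line "Only notify blacklistd for successful logins in auth.c".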
> > > _______________________________________________
> > > svn-src-head@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/svn-src-head
> > > To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"
> > > 
> 
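To make the counting in Kurt's explanation concrete, here is a small model, written for this page and not taken from sshd or blacklistd, of how many BLACKLIST_AUTH_FAIL notifications reach blacklistd per wrong password under the pre- and post-r313965 auth_log(). The counter (bl_state), the reset-on-success rule, the loop bound and the function names are assumptions; the event sequence (prompt, password, prompt) and the limit of 3 come from the thread. It also runs a limit-1 case, which the thread does not mention, to show the old code blocking an address before any password has been typed.

```c
/*
 * Added example, not sshd or blacklistd code: a toy model of the
 * notification sequence described in the r313965 thread.
 */
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for blacklistd's per-address failure counter (assumption). */
struct bl_state {
	int	fails;		/* failures seen so far */
	int	limit;		/* failures at which the address is blocked */
	bool	blocked;
};

enum bl_event { BL_AUTH_OK, BL_AUTH_FAIL };

static void
bl_notify(struct bl_state *st, enum bl_event ev)
{
	if (st->blocked)
		return;
	if (ev == BL_AUTH_OK)
		st->fails = 0;		/* assumption: a success clears the count */
	else if (++st->fails >= st->limit)
		st->blocked = true;
}

/*
 * Model of auth_log() in auth.c.  With old == true it behaves as before
 * r313965 and reports both outcomes; otherwise only a success is reported,
 * as in the committed hunk.
 */
static void
auth_log_model(struct bl_state *st, bool authenticated, bool old)
{
	if (authenticated)
		bl_notify(st, BL_AUTH_OK);
	else if (old)
		bl_notify(st, BL_AUTH_FAIL);
}

/*
 * How many wrong passwords can a client type before it is blocked?
 * Each round follows the thread: printing the "login:" prompt is a pass
 * through auth_log() with authenticated == 0, and a wrong password is
 * then reported separately from auth1.c/auth2.c.
 */
static int
bad_passwords_until_blocked(int limit, bool old)
{
	struct bl_state st = { 0, limit, false };
	int typed = 0;

	while (typed < 100) {			/* bound for the model only */
		auth_log_model(&st, false, old);	/* prompt is printed */
		if (st.blocked)
			break;			/* blocked before typing */
		bl_notify(&st, BL_AUTH_FAIL);	/* auth1.c/auth2.c: wrong password */
		typed++;
		if (st.blocked)
			break;
	}
	return (typed);
}

/* One correct password: prompt, then "Accepted" reported by auth_log(). */
static bool
good_login_blocked(int limit, bool old)
{
	struct bl_state st = { 0, limit, false };

	auth_log_model(&st, false, old);	/* prompt */
	auth_log_model(&st, true, old);		/* BLACKLIST_AUTH_OK */
	return (st.blocked);
}

int
main(void)
{
	printf("limit 3, before r313965: blocked after %d wrong password(s)\n",
	    bad_passwords_until_blocked(3, true));
	printf("limit 3, after  r313965: blocked after %d wrong password(s)\n",
	    bad_passwords_until_blocked(3, false));
	printf("limit 1, before r313965: good login blocked at the prompt? %s\n",
	    good_login_blocked(1, true) ? "yes" : "no");
	return (0);
}
```

With a limit of 3 the old auth_log() blocks after a single wrong password (prompt, failure, second prompt is already three notices), while the committed version needs three wrong passwords; a correct password at limit 3 is never blocked under either, but at limit 1 the old code blocks the address when the prompt is printed, before the client can answer.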


