[openssh-commits] [openssh] 07/08: upstream: add a "Match invalid-user" predicate to sshd_config Match

git+noreply at mindrot.org git+noreply at mindrot.org
Sun Sep 15 11:23:23 AEST 2024



djm pushed a commit to branch master
in repository openssh.

commit 0118a4da21147a88a56dc8b90bbc2849fefd5c1e
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sun Sep 15 01:18:26 2024 +0000

    upstream: add a "Match invalid-user" predicate to sshd_config Match
    
    options.
    
    This allows writing Match conditions that trigger for invalid username.
    E.g.
    
    PerSourcePenalties refuseconnection:90s
    Match invalid-user
     RefuseConnection yes
    
    Will effectively penalise bots trying to guess passwords for bogus accounts,
    at the cost of implicitly revealing which accounts are invalid.
    
    feedback markus@
    
    OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
---
 auth.c        |  3 ++-
 servconf.c    | 17 +++++++++++++++--
 servconf.h    |  3 ++-
 sshd_config.5 | 10 ++++++----
 4 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/auth.c b/auth.c
index c4a3d2f2..9a6e5a31 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -476,6 +476,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 
 	ci = server_get_connection_info(ssh, 1, options.use_dns);
 	ci->user = user;
+	ci->user_invalid = getpwnam(user) == NULL;
 	parse_server_match_config(&options, &includes, ci);
 	log_change_level(options.log_level);
 	log_verbose_reset();
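Review bot: The added `ci->user_invalid = getpwnam(user) == NULL;` treats every NULL return as "no such user", but getpwnam() also returns NULL on a lookup error (an NSS or directory backend that is temporarily unreachable), so a transient failure would make a legitimate account satisfy `Match invalid-user` and, with the RefuseConnection example in the commit message, be refused or penalised. If getpwnamallow performs its own getpwnam() for the same name later (its body continues outside the hunk), the two lookups can disagree and every login attempt now costs an extra directory query; deriving the flag from that single lookup, or at least documenting the choice, would make the behaviour explicit, e.g. `/* NB: any getpwnam() failure, not only an unknown name, counts as invalid */`.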
diff --git a/servconf.c b/servconf.c
index 9f8ffe8b..f343940d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.417 2024/09/15 01:18:26 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1038,9 +1038,10 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 	if (ci == NULL)
 		debug3("checking syntax for 'Match %s'", full_line);
 	else {
-		debug3("checking match for '%s' user %s host %s addr %s "
+		debug3("checking match for '%s' user %s%s host %s addr %s "
 		    "laddr %s lport %d", full_line,
 		    ci->user ? ci->user : "(null)",
+		    ci->user_invalid ? " (invalid)" : "",
 		    ci->host ? ci->host : "(null)",
 		    ci->address ? ci->address : "(null)",
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
@@ -1067,6 +1068,16 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				argv_consume(acp); /* consume remaining args */
 			return 1;
 		}
+		/* Criterion "invalid-user" also has no argument */
+		if (strcasecmp(attrib, "invalid-user") == 0) {
+			if (ci == NULL)
+				continue;
+			if (ci->user_invalid == 0)
+				result = 0;
+			else
+				debug("matched invalid-user at line %d", line);
+			continue;
+		}
 		/* All other criteria require an argument */
 		if ((arg = argv_next(acp, avp)) == NULL ||
 		    *arg == '\0' || *arg == '#') {
@@ -2784,6 +2795,8 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
 				    " specification %s\n", p+6, p);
 				return -1;
 			}
+		} else if (strcmp(p, "invalid-user") == 0) {
+			ci->user_invalid = 1;
 		} else {
 			fprintf(stderr, "Invalid test mode specification %s\n",
 			    p);
diff --git a/servconf.h b/servconf.h
index ab6bcc0e..5089bc9e 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.168 2024/09/15 01:18:26 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -256,6 +256,7 @@ typedef struct {
 /* Information about the incoming connection as used by Match */
 struct connection_info {
 	const char *user;
+	int user_invalid;
 	const char *host;	/* possibly resolved hostname */
 	const char *address;	/* remote address */
 	const char *laddress;	/* local address */
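Review bot: The new `int user_invalid;` member is the only field of `struct connection_info` in this hunk without a trailing comment, while its neighbours document themselves, so a reader of the header cannot tell what the value means or where it is set. Suggest `int user_invalid;	/* user did not resolve via getpwnam(); set by getpwnamallow() and the -C "invalid-user" test spec */`, matching the existing comment style on the adjacent members. The rest of the struct lies outside the hunk.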
diff --git a/sshd_config.5 b/sshd_config.5
index ce59843e..41c64f43 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.373 2024/09/15 01:18:26 djm Exp $
 .Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1237,9 +1237,11 @@ applied.
 .Pp
 The arguments to
 .Cm Match
-are one or more criteria-pattern pairs or the single token
-.Cm All
-which matches all criteria.
+are one or more criteria-pattern pairs or one of the single token criteria:
+.Cm All ,
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
 The available criteria are
 .Cm User ,
 .Cm Group ,
