author | Damien Miller <djm@cvs.openbsd.org> | 2024-09-15 01:18:27 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2024-09-15 01:18:27 +0000 |
commit | e25559b0ccc55b9bb210bd527af0ba97c6e806d4 (patch) | |
tree | 4a0d24c45a411725f5217a112817b2bf52caa94f /usr.bin/ssh | |
parent | dc82febabdae335a2c2e0c890a3dbd4f3e6d4298 (diff) |
add a "Match invalid-user" predicate to sshd_config Match options.
This allows writing Match conditions that trigger for invalid username.
E.g.
PerSourcePenalties refuseconnection:90s
Match invalid-user
RefuseConnection yes
Will effectively penalise bots that try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth.c | 3 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.c | 17 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 10 |
4 files changed, 25 insertions, 8 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 3fec9d71be4..399d75dd43d 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -421,6 +421,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 ci = server_get_connection_info(ssh, 1, options.use_dns);
 ci->user = user;
+ ci->user_invalid = getpwnam(user) == NULL;
 parse_server_match_config(&options, &includes, ci);
 log_change_level(options.log_level);
 log_verbose_reset();
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index a8bd2ddc2a3..c056f6391cf 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.417 2024/09/15 01:18:26 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -978,9 +978,10 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 if (ci == NULL)
 debug3("checking syntax for 'Match %s'", full_line);
 else {
- debug3("checking match for '%s' user %s host %s addr %s "
+ debug3("checking match for '%s' user %s%s host %s addr %s "
 "laddr %s lport %d",
 full_line, ci->user ? ci->user : "(null)",
+ ci->user_invalid ? " (invalid)" : "",
 ci->host ? ci->host : "(null)",
 ci->address ? ci->address : "(null)",
 ci->laddress ? ci->laddress : "(null)", ci->lport);
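Review bot: `ci->user_invalid = getpwnam(user) == NULL;` classifies every NULL as "no such account", but getpwnam() also returns NULL when the lookup itself fails (a transient NSS or directory-backend error, usually signalled through errno), so with the `Match invalid-user` plus `RefuseConnection` configuration from the commit message a directory outage would make sshd refuse and penalise legitimate users. Telling the two cases apart portably is awkward, so at minimum the line should carry a comment such as `/* NULL also covers a failed lookup, not only an unknown user */` and the Invalid-User text in sshd_config.5 should state the same caveat. This lookup is also independent of whatever getpwnam() getpwnamallow() does later for the account itself (its body continues outside the hunk), so the two results can disagree if the password database changes in between; presumably harmless, but worth a word in the same comment.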
@@ -1007,6 +1008,16 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 argv_consume(acp); /* consume remaining args */
 return 1;
 }
+ /* Criterion "invalid-user" also has no argument */
+ if (strcasecmp(attrib, "invalid-user") == 0) {
+ if (ci == NULL)
+ continue;
+ if (ci->user_invalid == 0)
+ result = 0;
+ else
+ debug("matched invalid-user at line %d", line);
+ continue;
+ }
 /* All other criteria require an argument */
 if ((arg = argv_next(acp, avp)) == NULL ||
 *arg == '\0' || *arg == '#') {
@@ -2704,6 +2715,8 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
 " specification %s\n", p+6, p);
 return -1;
 }
+ } else if (strcmp(p, "invalid-user") == 0) {
+ ci->user_invalid = 1;
 } else {
 fprintf(stderr, "Invalid test mode specification %s\n",
 p);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index d7066ec53de..33ada42e048 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.168 2024/09/15 01:18:26 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -253,6 +253,7 @@ typedef struct {
 /* Information about the incoming connection as used by Match */
 struct connection_info {
 const char *user;
+ int user_invalid;
 const char *host; /* possibly resolved hostname */
 const char *address; /* remote address */
 const char *laddress; /* local address */
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 7d290853da0..3078dfe3e0f 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.373 2024/09/15 01:18:26 djm Exp $
 .Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
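Review bot: The new `invalid-user` branch reads `ci->user_invalid` without considering whether a username is known at all, so a `Match invalid-user` block silently evaluates as "not matched" whenever `ci->user` is NULL: in `sshd -T -C` test mode without a `user=` spec and, presumably, in the pre-authentication Match pass before the client has sent a username. The `User` criterion (outside this hunk) appears to handle a missing user explicitly, and this branch should mirror that handling rather than rely on the field defaulting to 0. A comment stating the intended semantics would also help, e.g. `/* never matches until getpwnamallow() has set user_invalid */`. match_cfg_line's body continues outside the hunk on both sides.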
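Review bot: `} else if (strcmp(p, "invalid-user") == 0)` adds a new connection-test token for `sshd -C`, but the diffstat lists only sshd_config.5 as documentation changed, so the `-C` spec description in sshd(8) presumably still omits it; it should gain an `invalid-user` entry explaining that the token takes no `=value` and marks the spec's user as having no account. A comment on the branch, `/* bare token, no value: the test user has no account */`, would make the asymmetry with the `key=value` tokens around it obvious to the next reader. parse_server_match_testspec's loop starts and ends outside the hunk.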
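Review bot: `int user_invalid;` is the only field in this part of `struct connection_info` without a trailing comment, while `host`, `address` and `laddress` each carry one; suggest `int user_invalid;	/* user has no passwd entry (set by getpwnamallow()) */`. Recording that it is only set once the client has sent a username, and is otherwise expected to be zero from the struct's initialisation (not visible here, confirm), documents why `Match invalid-user` cannot fire in the pre-auth pass.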
@@ -1238,9 +1238,11 @@ applied.
 .Pp
 The arguments to
 .Cm Match
-are one or more criteria-pattern pairs or the single token
-.Cm All
-which matches all criteria.
+are one or more criteria-pattern pairs or one of the single token criteria:
+.Cm All ,
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
 The available criteria are
 .Cm User ,
 .Cm Group , |