author | 1999-10-12 18:11:54 +0000 | |
---|---|---|
committer | 1999-10-12 18:11:54 +0000 | |
commit | 5751ec0c9c9ff07aea5bf200786a30c98ad01294 (patch) | |
tree | 3295ef3e0bd548b1942e3a6d9b434f41fa59f692 /usr.bin/ssh | |
parent | avoid an infinite loop (diff) | |
SilentDeny, don't log/answer refused connections, deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/servconf.c | 12 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.8 | 9 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 20 |
4 files changed, 34 insertions, 10 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 7bcf12cf870..2c35c789acd 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -12,7 +12,7 @@ Created: Mon Aug 21 15:48:58 1995 ylo */ #include "includes.h" -RCSID("$Id: servconf.c,v 1.13 1999/10/11 21:48:29 markus Exp $"); +RCSID("$Id: servconf.c,v 1.14 1999/10/12 18:11:54 markus Exp $"); #include "ssh.h" #include "servconf.h" @@ -58,6 +58,7 @@ void initialize_server_options(ServerOptions *options) #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->silent_deny = -1; options->num_allow_hosts = 0; options->num_deny_hosts = 0; options->num_allow_users = 0; @@ -139,6 +140,8 @@ void fill_default_server_options(ServerOptions *options) options->permit_empty_passwd = 1; if (options->use_login == -1) options->use_login = 0; + if (options->silent_deny == -1) + options->silent_deny = 0; } #define WHITESPACE " \t\r\n" @@ -161,7 +164,7 @@ typedef enum sPasswordAuthentication, sAllowHosts, sDenyHosts, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, - sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups + sUseLogin, sSilentDeny, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups } ServerOpCodes; @@ -208,6 +211,7 @@ static struct { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, + { "silentdeny", sSilentDeny }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowusers", sAllowUsers }, @@ -461,6 +465,10 @@ void read_server_config(ServerOptions *options, const char *filename) intptr = &options->use_login; goto parse_flag; + case sSilentDeny: + intptr = &options->silent_deny; + goto parse_flag; + case sLogFacility: cp = strtok(NULL, WHITESPACE); if (!cp) diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 7a30201a68f..bed11326ec7 100644 --- a/usr.bin/ssh/servconf.h 
+++ b/usr.bin/ssh/servconf.h @@ -13,7 +13,7 @@ Definitions for server configuration data and for the functions reading it. */ -/* RCSID("$Id: servconf.h,v 1.8 1999/10/11 21:48:29 markus Exp $"); */ +/* RCSID("$Id: servconf.h,v 1.9 1999/10/12 18:11:54 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -64,6 +64,7 @@ typedef struct #endif int permit_empty_passwd; /* If false, do not permit empty passwords. */ int use_login; /* If true, login(1) is used */ + int silent_deny; /* If true, do not complain to denied hosts */ unsigned int num_allow_hosts; char *allow_hosts[MAX_ALLOW_HOSTS]; unsigned int num_deny_hosts; diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index 58ca9977339..5b9c0469816 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: sshd.8,v 1.12 1999/10/11 22:24:33 markus Exp $ +.\" $Id: sshd.8,v 1.13 1999/10/12 18:11:54 markus Exp $ .\" .Dd September 25, 1999 .Dt SSHD 8 @@ -391,6 +391,13 @@ Specifies whether pure RSA authentication is allowed. The default is .It Cm ServerKeyBits Defines the number of bits in the server key. The minimum value is 512, and the default is 768. +.It Cm SilentDeny +Specifies whether +.Nm +should log and complain to denied hosts or close the +connection silently. +The default is +.Dq no . .It Cm SkeyAuthentication Specifies whether .Xr skey 1 diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index cf2e6116fdc..74744bce259 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -18,7 +18,7 @@ agent connections. */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.29 1999/10/12 05:45:43 deraadt Exp $"); +RCSID("$Id: sshd.c,v 1.30 1999/10/12 18:11:55 markus Exp $"); #include "xmalloc.h" #include "rsa.h" 
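Review bot: The comment on the new `silent_deny` field in the `@@ -64,6 +64,7 @@` hunk of servconf.h covers only half of what the flag does, because the sshd.c hunks in this commit also skip the `log()` call for a refused connection when it is set. I would change the line to `int silent_deny; /* If true, neither log nor answer refused connections */` so that anyone enabling the option from the header alone knows refusals leave no log entry. The struct definition starts and ends outside the hunk.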
@@ -640,9 +640,11 @@ main(int ac, char **av) if (match_pattern(hostname, options.deny_hosts[i]) || match_pattern(ipaddr, options.deny_hosts[i])) { - log("Connection from %.200s denied.\n", hostname); - hostname = "You are not allowed to connect. Go away!\r\n"; - write(sock_out, hostname, strlen(hostname)); + if(!options.silent_deny){ + log("Connection from %.200s denied.\n", hostname); + hostname = "You are not allowed to connect. Go away!\r\n"; + write(sock_out, hostname, strlen(hostname)); + } close(sock_in); close(sock_out); exit(0); @@ -723,8 +725,14 @@ main(int ac, char **av) break; if (i >= options.num_allow_hosts) { - log("Connection from %.200s not allowed.\n", hostname); - packet_disconnect("Sorry, you are not allowed to connect."); + if(!options.silent_deny){ + log("Connection from %.200s not allowed.\n", hostname); + packet_disconnect("Sorry, you are not allowed to connect."); + }else{ + close(sock_in); + close(sock_out); + exit(0); + } /*NOTREACHED*/ } } |
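Review bot: With SilentDeny set, the `@@ -640,9 +640,11 @@` hunk skips `log("Connection from %.200s denied.\n", hostname);` along with the reply, so a refused host leaves no record on the server; the `@@ -723,8 +725,14 @@` hunk does the same for hosts missing from the allow list. Not answering the peer and not recording the attempt are separate decisions, and dropping the record hides refused-connection activity from anyone reviewing the logs afterwards. I would keep the `log(...)` line ahead of the guard in both places and put only the reply (`write(sock_out, ...)` in the first hunk, `packet_disconnect(...)` in the second) under `if (!options.silent_deny)`; if log volume is the concern, a lower log level fits better than no entry at all. Both hunks sit inside `main()`, which starts and ends outside them.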