172 lines
5 KiB
Diff
172 lines
5 KiB
Diff
From 5f13fe22c2a9771dbcd12e2e9a1b2f905bcad22a Mon Sep 17 00:00:00 2001
|
|
From: Colin Watson <cjwatson@debian.org>
|
|
Date: Tue, 7 Oct 2014 13:22:41 +0100
|
|
Subject: Restore TCP wrappers support
|
|
|
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
|
|
and thread:
|
|
|
|
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
|
|
|
|
It is true that this reduces preauth attack surface in sshd. On the
|
|
other hand, this support seems to be quite widely used, and abruptly
|
|
dropping it (from the perspective of users who don't read
|
|
openssh-unix-dev) could easily cause more serious problems in practice.
|
|
|
|
It's not entirely clear what the right long-term answer for Debian is,
|
|
but it at least probably doesn't involve dropping this feature shortly
|
|
before a freeze.
|
|
|
|
Forwarded: not-needed
|
|
Last-Update: 2024-08-02
|
|
|
|
Patch-Name: restore-tcp-wrappers.patch
|
|
---
|
|
configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
sshd-session.c | 25 ++++++++++++++++++++++
|
|
sshd.8 | 7 +++++++
|
|
3 files changed, 89 insertions(+)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index e334ad2ec..06ad5c78a 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -1727,6 +1727,62 @@ else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
|
|
+# Check whether user wants TCP wrappers support
|
|
+TCPW_MSG="no"
|
|
+AC_ARG_WITH([tcp-wrappers],
|
|
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
|
+ [
|
|
+ if test "x$withval" != "xno" ; then
|
|
+ saved_LIBS="$LIBS"
|
|
+ saved_LDFLAGS="$LDFLAGS"
|
|
+ saved_CPPFLAGS="$CPPFLAGS"
|
|
+ if test -n "${withval}" && \
|
|
+ test "x${withval}" != "xyes"; then
|
|
+ if test -d "${withval}/lib"; then
|
|
+ if test -n "${need_dash_r}"; then
|
|
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
|
+ else
|
|
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
+ fi
|
|
+ else
|
|
+ if test -n "${need_dash_r}"; then
|
|
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
|
+ else
|
|
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
|
+ fi
|
|
+ fi
|
|
+ if test -d "${withval}/include"; then
|
|
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
+ else
|
|
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
+ fi
|
|
+ fi
|
|
+ LIBS="-lwrap $LIBS"
|
|
+ AC_MSG_CHECKING([for libwrap])
|
|
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
+#include <sys/types.h>
|
|
+#include <sys/socket.h>
|
|
+#include <netinet/in.h>
|
|
+#include <tcpd.h>
|
|
+int deny_severity = 0, allow_severity = 0;
|
|
+ ]], [[
|
|
+ hosts_access(0);
|
|
+ ]])], [
|
|
+ AC_MSG_RESULT([yes])
|
|
+ AC_DEFINE([LIBWRAP], [1],
|
|
+ [Define if you want
|
|
+ TCP Wrappers support])
|
|
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
|
+ TCPW_MSG="yes"
|
|
+ ], [
|
|
+ AC_MSG_ERROR([*** libwrap missing])
|
|
+
|
|
+ ])
|
|
+ LIBS="$saved_LIBS"
|
|
+ fi
|
|
+ ]
|
|
+)
|
|
+
|
|
# Check whether user wants to use ldns
|
|
LDNS_MSG="no"
|
|
AC_ARG_WITH(ldns,
|
|
@@ -5806,6 +5862,7 @@ echo " PAM support: $PAM_MSG"
|
|
echo " OSF SIA support: $SIA_MSG"
|
|
echo " KerberosV support: $KRB5_MSG"
|
|
echo " SELinux support: $SELINUX_MSG"
|
|
+echo " TCP Wrappers support: $TCPW_MSG"
|
|
echo " libedit support: $LIBEDIT_MSG"
|
|
echo " libldns support: $LDNS_MSG"
|
|
echo " Solaris process contract support: $SPC_MSG"
|
|
diff --git a/sshd-session.c b/sshd-session.c
|
|
index 7d8498a88..c171c8923 100644
|
|
--- a/sshd-session.c
|
|
+++ b/sshd-session.c
|
|
@@ -109,6 +109,13 @@
|
|
#include "srclimit.h"
|
|
#include "dh.h"
|
|
|
|
+#ifdef LIBWRAP
|
|
+#include <tcpd.h>
|
|
+#include <syslog.h>
|
|
+int allow_severity;
|
|
+int deny_severity;
|
|
+#endif /* LIBWRAP */
|
|
+
|
|
/* Re-exec fds */
|
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
|
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2)
|
|
@@ -1237,6 +1244,24 @@ main(int ac, char **av)
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
audit_connection_from(remote_ip, remote_port);
|
|
#endif
|
|
+#ifdef LIBWRAP
|
|
+ allow_severity = options.log_facility|LOG_INFO;
|
|
+ deny_severity = options.log_facility|LOG_WARNING;
|
|
+ /* Check whether logins are denied from this host. */
|
|
+ if (ssh_packet_connection_is_on_socket(ssh)) {
|
|
+ struct request_info req;
|
|
+
|
|
+ request_init(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0);
|
|
+ fromhost(&req);
|
|
+
|
|
+ if (!hosts_access(&req)) {
|
|
+ debug("Connection refused by tcp wrapper");
|
|
+ refuse(&req);
|
|
+ /* NOTREACHED */
|
|
+ fatal("libwrap refuse returns");
|
|
+ }
|
|
+ }
|
|
+#endif /* LIBWRAP */
|
|
|
|
rdomain = ssh_packet_rdomain_in(ssh);
|
|
|
|
diff --git a/sshd.8 b/sshd.8
|
|
index 08ebf53a1..464d402f6 100644
|
|
--- a/sshd.8
|
|
+++ b/sshd.8
|
|
@@ -925,6 +925,12 @@ the user's home directory becomes accessible.
|
|
This file should be writable only by the user, and need not be
|
|
readable by anyone else.
|
|
.Pp
|
|
+.It Pa /etc/hosts.allow
|
|
+.It Pa /etc/hosts.deny
|
|
+Access controls that should be enforced by tcp-wrappers are defined here.
|
|
+Further details are described in
|
|
+.Xr hosts_access 5 .
|
|
+.Pp
|
|
.It Pa /etc/hosts.equiv
|
|
This file is for host-based authentication (see
|
|
.Xr ssh 1 ) .
|
|
@@ -1027,6 +1033,7 @@ The content of this file is not sensitive; it can be world-readable.
|
|
.Xr ssh-keygen 1 ,
|
|
.Xr ssh-keyscan 1 ,
|
|
.Xr chroot 2 ,
|
|
+.Xr hosts_access 5 ,
|
|
.Xr login.conf 5 ,
|
|
.Xr moduli 5 ,
|
|
.Xr sshd_config 5 ,
|