Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-10-09 23:06:25 +0100
commit: 57c1dd662f9259f58a47801e2d4b0f84e973441d (patch)
tree: e42f9c8869169b19425b46621e0cbe2b2bda9780
parent: 9da806e67101afdc0d3a1d304659927acf18f5c5 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 1c2512314..e894db9fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1521,6 +1521,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5242,6 +5298,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index fb133c14b..57a7fd66b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 3a5c1ea78..4e32fd10d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2062,6 +2069,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-10-09 23:06:25 +0100
commit	57c1dd662f9259f58a47801e2d4b0f84e973441d (patch)
tree	e42f9c8869169b19425b46621e0cbe2b2bda9780
parent	9da806e67101afdc0d3a1d304659927acf18f5c5 (diff)

diff --git a/configure.ac b/configure.ac index 1c2512314..e894db9fc 100644 --- a/configure.ac +++ b/configure.ac
@@ -1521,6 +1521,62 @@ else
1521	AC_MSG_RESULT([no])	1521	AC_MSG_RESULT([no])
1522	fi	1522	fi
1523		1523
		1524	# Check whether user wants TCP wrappers support
		1525	TCPW_MSG="no"
		1526	AC_ARG_WITH([tcp-wrappers],
		1527	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1528	[
		1529	if test "x$withval" != "xno" ; then
		1530	saved_LIBS="$LIBS"
		1531	saved_LDFLAGS="$LDFLAGS"
		1532	saved_CPPFLAGS="$CPPFLAGS"
		1533	if test -n "${withval}" && \
		1534	test "x${withval}" != "xyes"; then
		1535	if test -d "${withval}/lib"; then
		1536	if test -n "${need_dash_r}"; then
		1537	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1538	else
		1539	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1540	fi
		1541	else
		1542	if test -n "${need_dash_r}"; then
		1543	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1544	else
		1545	LDFLAGS="-L${withval} ${LDFLAGS}"
		1546	fi
		1547	fi
		1548	if test -d "${withval}/include"; then
		1549	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1550	else
		1551	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1552	fi
		1553	fi
		1554	LIBS="-lwrap $LIBS"
		1555	AC_MSG_CHECKING([for libwrap])
		1556	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1557	#include <sys/types.h>
		1558	#include <sys/socket.h>
		1559	#include <netinet/in.h>
		1560	#include <tcpd.h>
		1561	int deny_severity = 0, allow_severity = 0;
		1562	]], [[
		1563	hosts_access(0);
		1564	]])], [
		1565	AC_MSG_RESULT([yes])
		1566	AC_DEFINE([LIBWRAP], [1],
		1567	[Define if you want
		1568	TCP Wrappers support])
		1569	SSHDLIBS="$SSHDLIBS -lwrap"
		1570	TCPW_MSG="yes"
		1571	], [
		1572	AC_MSG_ERROR([*** libwrap missing])
		1573
		1574	])
		1575	LIBS="$saved_LIBS"
		1576	fi
		1577	]
		1578	)
		1579
1524	# Check whether user wants to use ldns	1580	# Check whether user wants to use ldns
1525	LDNS_MSG="no"	1581	LDNS_MSG="no"
1526	AC_ARG_WITH(ldns,	1582	AC_ARG_WITH(ldns,
@@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG"
5242	echo " OSF SIA support: $SIA_MSG"	5298	echo " OSF SIA support: $SIA_MSG"
5243	echo " KerberosV support: $KRB5_MSG"	5299	echo " KerberosV support: $KRB5_MSG"
5244	echo " SELinux support: $SELINUX_MSG"	5300	echo " SELinux support: $SELINUX_MSG"
		5301	echo " TCP Wrappers support: $TCPW_MSG"
5245	echo " MD5 password support: $MD5_MSG"	5302	echo " MD5 password support: $MD5_MSG"
5246	echo " libedit support: $LIBEDIT_MSG"	5303	echo " libedit support: $LIBEDIT_MSG"
5247	echo " libldns support: $LDNS_MSG"	5304	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index fb133c14b..57a7fd66b 100644 --- a/sshd.8 +++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
873	This file should be writable only by the user, and need not be	873	This file should be writable only by the user, and need not be
874	readable by anyone else.	874	readable by anyone else.
875	.Pp	875	.Pp
		876	.It Pa /etc/hosts.allow
		877	.It Pa /etc/hosts.deny
		878	Access controls that should be enforced by tcp-wrappers are defined here.
		879	Further details are described in
		880	.Xr hosts_access 5 .
		881	.Pp
876	.It Pa /etc/hosts.equiv	882	.It Pa /etc/hosts.equiv
877	This file is for host-based authentication (see	883	This file is for host-based authentication (see
878	.Xr ssh 1 ) .	884	.Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
975	.Xr ssh-keygen 1 ,	981	.Xr ssh-keygen 1 ,
976	.Xr ssh-keyscan 1 ,	982	.Xr ssh-keyscan 1 ,
977	.Xr chroot 2 ,	983	.Xr chroot 2 ,
		984	.Xr hosts_access 5 ,
978	.Xr login.conf 5 ,	985	.Xr login.conf 5 ,
979	.Xr moduli 5 ,	986	.Xr moduli 5 ,
980	.Xr sshd_config 5 ,	987	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 3a5c1ea78..4e32fd10d 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2062,6 +2069,24 @@ main(int ac, char **av)
2062	#ifdef SSH_AUDIT_EVENTS	2069	#ifdef SSH_AUDIT_EVENTS
2063	audit_connection_from(remote_ip, remote_port);	2070	audit_connection_from(remote_ip, remote_port);
2064	#endif	2071	#endif
		2072	#ifdef LIBWRAP
		2073	allow_severity = options.log_facility\|LOG_INFO;
		2074	deny_severity = options.log_facility\|LOG_WARNING;
		2075	/* Check whether logins are denied from this host. */
		2076	if (ssh_packet_connection_is_on_socket(ssh)) {
		2077	struct request_info req;
		2078
		2079	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2080	fromhost(&req);
		2081
		2082	if (!hosts_access(&req)) {
		2083	debug("Connection refused by tcp wrapper");
		2084	refuse(&req);
		2085	/* NOTREACHED */
		2086	fatal("libwrap refuse returns");
		2087	}
		2088	}
		2089	#endif /* LIBWRAP */
2065		2090
2066	rdomain = ssh_packet_rdomain_in(ssh);	2091	rdomain = ssh_packet_rdomain_in(ssh);
2067		2092