authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 16:33:31 +0100
commit7df209aed8ded9a6cab34e704576998786bdc890 (patch)
tree766f31dee04424ad537c07e6ce8f927fc30d2b04
parent06879e71614170580ffa7568ec5c009f60a9d084 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
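--- a/configure.ac
+++ b/configure.ac
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
  ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"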
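Review bot: `saved_LDFLAGS="$LDFLAGS"` and `saved_CPPFLAGS="$CPPFLAGS"` at the top of the --with-tcp-wrappers block are never read back; after the link probe only `LIBS="$saved_LIBS"` is restored, so the -L/-R and -I additions derived from the user-supplied PATH stay in LDFLAGS and CPPFLAGS for every later configure check and for the build. If that is the intent (sshd needs those paths to link -lwrap), the two dead assignments should be dropped and a one-line comment such as `# LDFLAGS/CPPFLAGS deliberately keep the tcp-wrappers paths for the build` added above `LIBS="$saved_LIBS"`; otherwise restore both variables next to LIBS. A short comment on the probe body would also help, since `int deny_severity = 0, allow_severity = 0;` is there only because libwrap references those symbols and the test program must define them to link.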
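--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,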
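--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2133,6 +2140,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
  audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
 
  /* Log the connection. */
  verbose("Connection from %s port %d on %s port %d",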