Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-06-07 10:25:35 +0100
commit: 7e3de67f8447064d6963e8299653d8e01baaef1e (patch)
tree: b2aa054e6456e1fcdab14ae304694f99061c85d8
parent: 79f9d21b406c172878896ef41cdc2502fc2f84a7 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index d98e6f74a..812b7218f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1558,6 +1558,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5479,6 +5535,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..730520231 100644
--- a/sshd.8
+++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 02fca5c28..e96d90809 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2132,6 +2139,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-06-07 10:25:35 +0100
commit	7e3de67f8447064d6963e8299653d8e01baaef1e (patch)
tree	b2aa054e6456e1fcdab14ae304694f99061c85d8
parent	79f9d21b406c172878896ef41cdc2502fc2f84a7 (diff)

diff --git a/configure.ac b/configure.ac index d98e6f74a..812b7218f 100644 --- a/configure.ac +++ b/configure.ac
@@ -1558,6 +1558,62 @@ else
1558	AC_MSG_RESULT([no])	1558	AC_MSG_RESULT([no])
1559	fi	1559	fi
1560		1560
		1561	# Check whether user wants TCP wrappers support
		1562	TCPW_MSG="no"
		1563	AC_ARG_WITH([tcp-wrappers],
		1564	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1565	[
		1566	if test "x$withval" != "xno" ; then
		1567	saved_LIBS="$LIBS"
		1568	saved_LDFLAGS="$LDFLAGS"
		1569	saved_CPPFLAGS="$CPPFLAGS"
		1570	if test -n "${withval}" && \
		1571	test "x${withval}" != "xyes"; then
		1572	if test -d "${withval}/lib"; then
		1573	if test -n "${need_dash_r}"; then
		1574	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1575	else
		1576	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1577	fi
		1578	else
		1579	if test -n "${need_dash_r}"; then
		1580	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1581	else
		1582	LDFLAGS="-L${withval} ${LDFLAGS}"
		1583	fi
		1584	fi
		1585	if test -d "${withval}/include"; then
		1586	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1587	else
		1588	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1589	fi
		1590	fi
		1591	LIBS="-lwrap $LIBS"
		1592	AC_MSG_CHECKING([for libwrap])
		1593	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1594	#include <sys/types.h>
		1595	#include <sys/socket.h>
		1596	#include <netinet/in.h>
		1597	#include <tcpd.h>
		1598	int deny_severity = 0, allow_severity = 0;
		1599	]], [[
		1600	hosts_access(0);
		1601	]])], [
		1602	AC_MSG_RESULT([yes])
		1603	AC_DEFINE([LIBWRAP], [1],
		1604	[Define if you want
		1605	TCP Wrappers support])
		1606	SSHDLIBS="$SSHDLIBS -lwrap"
		1607	TCPW_MSG="yes"
		1608	], [
		1609	AC_MSG_ERROR([*** libwrap missing])
		1610
		1611	])
		1612	LIBS="$saved_LIBS"
		1613	fi
		1614	]
		1615	)
		1616
1561	# Check whether user wants to use ldns	1617	# Check whether user wants to use ldns
1562	LDNS_MSG="no"	1618	LDNS_MSG="no"
1563	AC_ARG_WITH(ldns,	1619	AC_ARG_WITH(ldns,
@@ -5479,6 +5535,7 @@ echo " PAM support: $PAM_MSG"
5479	echo " OSF SIA support: $SIA_MSG"	5535	echo " OSF SIA support: $SIA_MSG"
5480	echo " KerberosV support: $KRB5_MSG"	5536	echo " KerberosV support: $KRB5_MSG"
5481	echo " SELinux support: $SELINUX_MSG"	5537	echo " SELinux support: $SELINUX_MSG"
		5538	echo " TCP Wrappers support: $TCPW_MSG"
5482	echo " MD5 password support: $MD5_MSG"	5539	echo " MD5 password support: $MD5_MSG"
5483	echo " libedit support: $LIBEDIT_MSG"	5540	echo " libedit support: $LIBEDIT_MSG"
5484	echo " libldns support: $LDNS_MSG"	5541	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index c5f8987d2..730520231 100644 --- a/sshd.8 +++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
893	This file should be writable only by the user, and need not be	893	This file should be writable only by the user, and need not be
894	readable by anyone else.	894	readable by anyone else.
895	.Pp	895	.Pp
		896	.It Pa /etc/hosts.allow
		897	.It Pa /etc/hosts.deny
		898	Access controls that should be enforced by tcp-wrappers are defined here.
		899	Further details are described in
		900	.Xr hosts_access 5 .
		901	.Pp
896	.It Pa /etc/hosts.equiv	902	.It Pa /etc/hosts.equiv
897	This file is for host-based authentication (see	903	This file is for host-based authentication (see
898	.Xr ssh 1 ) .	904	.Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
995	.Xr ssh-keygen 1 ,	1001	.Xr ssh-keygen 1 ,
996	.Xr ssh-keyscan 1 ,	1002	.Xr ssh-keyscan 1 ,
997	.Xr chroot 2 ,	1003	.Xr chroot 2 ,
		1004	.Xr hosts_access 5 ,
998	.Xr login.conf 5 ,	1005	.Xr login.conf 5 ,
999	.Xr moduli 5 ,	1006	.Xr moduli 5 ,
1000	.Xr sshd_config 5 ,	1007	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 02fca5c28..e96d90809 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2132,6 +2139,24 @@ main(int ac, char **av)
2132	#ifdef SSH_AUDIT_EVENTS	2139	#ifdef SSH_AUDIT_EVENTS
2133	audit_connection_from(remote_ip, remote_port);	2140	audit_connection_from(remote_ip, remote_port);
2134	#endif	2141	#endif
		2142	#ifdef LIBWRAP
		2143	allow_severity = options.log_facility\|LOG_INFO;
		2144	deny_severity = options.log_facility\|LOG_WARNING;
		2145	/* Check whether logins are denied from this host. */
		2146	if (ssh_packet_connection_is_on_socket(ssh)) {
		2147	struct request_info req;
		2148
		2149	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2150	fromhost(&req);
		2151
		2152	if (!hosts_access(&req)) {
		2153	debug("Connection refused by tcp wrapper");
		2154	refuse(&req);
		2155	/* NOTREACHED */
		2156	fatal("libwrap refuse returns");
		2157	}
		2158	}
		2159	#endif /* LIBWRAP */
2135		2160
2136	rdomain = ssh_packet_rdomain_in(ssh);	2161	rdomain = ssh_packet_rdomain_in(ssh);
2137		2162