Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-09-17 13:52:39 +0100
commit: 1850a2c93f3dcfa3d682eaa85d1593c01d170429 (patch)
tree: 4f8672d1e453aeabf0babb63964636bd1a4e8fc9
parent: 70b18066d3921277861e98902c9cf41a10ac6898 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index df2169375..4d55c46fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4928,6 +4984,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index dcf20f0ea..5afd10f27 100644
--- a/sshd.8
+++ b/sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 6b85e6c45..186ad5579 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-09-17 13:52:39 +0100
commit	1850a2c93f3dcfa3d682eaa85d1593c01d170429 (patch)
tree	4f8672d1e453aeabf0babb63964636bd1a4e8fc9
parent	70b18066d3921277861e98902c9cf41a10ac6898 (diff)

diff --git a/configure.ac b/configure.ac index df2169375..4d55c46fc 100644 --- a/configure.ac +++ b/configure.ac
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
1448	]	1448	]
1449	)	1449	)
1450		1450
		1451	# Check whether user wants TCP wrappers support
		1452	TCPW_MSG="no"
		1453	AC_ARG_WITH([tcp-wrappers],
		1454	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1455	[
		1456	if test "x$withval" != "xno" ; then
		1457	saved_LIBS="$LIBS"
		1458	saved_LDFLAGS="$LDFLAGS"
		1459	saved_CPPFLAGS="$CPPFLAGS"
		1460	if test -n "${withval}" && \
		1461	test "x${withval}" != "xyes"; then
		1462	if test -d "${withval}/lib"; then
		1463	if test -n "${need_dash_r}"; then
		1464	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1465	else
		1466	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1467	fi
		1468	else
		1469	if test -n "${need_dash_r}"; then
		1470	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1471	else
		1472	LDFLAGS="-L${withval} ${LDFLAGS}"
		1473	fi
		1474	fi
		1475	if test -d "${withval}/include"; then
		1476	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1477	else
		1478	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1479	fi
		1480	fi
		1481	LIBS="-lwrap $LIBS"
		1482	AC_MSG_CHECKING([for libwrap])
		1483	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1484	#include <sys/types.h>
		1485	#include <sys/socket.h>
		1486	#include <netinet/in.h>
		1487	#include <tcpd.h>
		1488	int deny_severity = 0, allow_severity = 0;
		1489	]], [[
		1490	hosts_access(0);
		1491	]])], [
		1492	AC_MSG_RESULT([yes])
		1493	AC_DEFINE([LIBWRAP], [1],
		1494	[Define if you want
		1495	TCP Wrappers support])
		1496	SSHDLIBS="$SSHDLIBS -lwrap"
		1497	TCPW_MSG="yes"
		1498	], [
		1499	AC_MSG_ERROR([*** libwrap missing])
		1500
		1501	])
		1502	LIBS="$saved_LIBS"
		1503	fi
		1504	]
		1505	)
		1506
1451	# Check whether user wants to use ldns	1507	# Check whether user wants to use ldns
1452	LDNS_MSG="no"	1508	LDNS_MSG="no"
1453	AC_ARG_WITH(ldns,	1509	AC_ARG_WITH(ldns,
@@ -4928,6 +4984,7 @@ echo " KerberosV support: $KRB5_MSG"
4928	echo " SELinux support: $SELINUX_MSG"	4984	echo " SELinux support: $SELINUX_MSG"
4929	echo " Smartcard support: $SCARD_MSG"	4985	echo " Smartcard support: $SCARD_MSG"
4930	echo " S/KEY support: $SKEY_MSG"	4986	echo " S/KEY support: $SKEY_MSG"
		4987	echo " TCP Wrappers support: $TCPW_MSG"
4931	echo " MD5 password support: $MD5_MSG"	4988	echo " MD5 password support: $MD5_MSG"
4932	echo " libedit support: $LIBEDIT_MSG"	4989	echo " libedit support: $LIBEDIT_MSG"
4933	echo " Solaris process contract support: $SPC_MSG"	4990	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index dcf20f0ea..5afd10f27 100644 --- a/sshd.8 +++ b/sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
853	This file should be writable only by the user, and need not be	853	This file should be writable only by the user, and need not be
854	readable by anyone else.	854	readable by anyone else.
855	.Pp	855	.Pp
		856	.It Pa /etc/hosts.allow
		857	.It Pa /etc/hosts.deny
		858	Access controls that should be enforced by tcp-wrappers are defined here.
		859	Further details are described in
		860	.Xr hosts_access 5 .
		861	.Pp
856	.It Pa /etc/hosts.equiv	862	.It Pa /etc/hosts.equiv
857	This file is for host-based authentication (see	863	This file is for host-based authentication (see
858	.Xr ssh 1 ) .	864	.Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
956	.Xr ssh-keygen 1 ,	962	.Xr ssh-keygen 1 ,
957	.Xr ssh-keyscan 1 ,	963	.Xr ssh-keyscan 1 ,
958	.Xr chroot 2 ,	964	.Xr chroot 2 ,
		965	.Xr hosts_access 5 ,
959	.Xr login.conf 5 ,	966	.Xr login.conf 5 ,
960	.Xr moduli 5 ,	967	.Xr moduli 5 ,
961	.Xr sshd_config 5 ,	968	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 6b85e6c45..186ad5579 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
2141	#ifdef SSH_AUDIT_EVENTS	2148	#ifdef SSH_AUDIT_EVENTS
2142	audit_connection_from(remote_ip, remote_port);	2149	audit_connection_from(remote_ip, remote_port);
2143	#endif	2150	#endif
		2151	#ifdef LIBWRAP
		2152	allow_severity = options.log_facility\|LOG_INFO;
		2153	deny_severity = options.log_facility\|LOG_WARNING;
		2154	/* Check whether logins are denied from this host. */
		2155	if (packet_connection_is_on_socket()) {
		2156	struct request_info req;
		2157
		2158	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2159	fromhost(&req);
		2160
		2161	if (!hosts_access(&req)) {
		2162	debug("Connection refused by tcp wrapper");
		2163	refuse(&req);
		2164	/* NOTREACHED */
		2165	fatal("libwrap refuse returns");
		2166	}
		2167	}
		2168	#endif /* LIBWRAP */
2144		2169
2145	/* Log the connection. */	2170	/* Log the connection. */
2146	laddr = get_local_ipaddr(sock_in);	2171	laddr = get_local_ipaddr(sock_in);