Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:56 +0100
commit: 398af3d66bfe8dc7d436570026571e522a0a13a0 (patch)
tree: 07f383e8b6b6fcf04a2c8fd6e243825a15e0004f
parent: cb427e23bf78d65407c78d868c4ef525dbfaa68f (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 1cd5eab6c..3e23e60d6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5240,6 +5296,7 @@ echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index 968ba66bb..c8299d5e5 100644
--- a/sshd.8
+++ b/sshd.8
@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index e88185efa..4ed0364f2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2042,6 +2049,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-04-03 08:20:56 +0100
commit	398af3d66bfe8dc7d436570026571e522a0a13a0 (patch)
tree	07f383e8b6b6fcf04a2c8fd6e243825a15e0004f
parent	cb427e23bf78d65407c78d868c4ef525dbfaa68f (diff)

diff --git a/configure.ac b/configure.ac index 1cd5eab6c..3e23e60d6 100644 --- a/configure.ac +++ b/configure.ac
@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
1566	]	1566	]
1567	)	1567	)
1568		1568
		1569	# Check whether user wants TCP wrappers support
		1570	TCPW_MSG="no"
		1571	AC_ARG_WITH([tcp-wrappers],
		1572	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1573	[
		1574	if test "x$withval" != "xno" ; then
		1575	saved_LIBS="$LIBS"
		1576	saved_LDFLAGS="$LDFLAGS"
		1577	saved_CPPFLAGS="$CPPFLAGS"
		1578	if test -n "${withval}" && \
		1579	test "x${withval}" != "xyes"; then
		1580	if test -d "${withval}/lib"; then
		1581	if test -n "${need_dash_r}"; then
		1582	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1583	else
		1584	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1585	fi
		1586	else
		1587	if test -n "${need_dash_r}"; then
		1588	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1589	else
		1590	LDFLAGS="-L${withval} ${LDFLAGS}"
		1591	fi
		1592	fi
		1593	if test -d "${withval}/include"; then
		1594	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1595	else
		1596	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1597	fi
		1598	fi
		1599	LIBS="-lwrap $LIBS"
		1600	AC_MSG_CHECKING([for libwrap])
		1601	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1602	#include <sys/types.h>
		1603	#include <sys/socket.h>
		1604	#include <netinet/in.h>
		1605	#include <tcpd.h>
		1606	int deny_severity = 0, allow_severity = 0;
		1607	]], [[
		1608	hosts_access(0);
		1609	]])], [
		1610	AC_MSG_RESULT([yes])
		1611	AC_DEFINE([LIBWRAP], [1],
		1612	[Define if you want
		1613	TCP Wrappers support])
		1614	SSHDLIBS="$SSHDLIBS -lwrap"
		1615	TCPW_MSG="yes"
		1616	], [
		1617	AC_MSG_ERROR([*** libwrap missing])
		1618
		1619	])
		1620	LIBS="$saved_LIBS"
		1621	fi
		1622	]
		1623	)
		1624
1569	# Check whether user wants to use ldns	1625	# Check whether user wants to use ldns
1570	LDNS_MSG="no"	1626	LDNS_MSG="no"
1571	AC_ARG_WITH(ldns,	1627	AC_ARG_WITH(ldns,
@@ -5240,6 +5296,7 @@ echo " OSF SIA support: $SIA_MSG"
5240	echo " KerberosV support: $KRB5_MSG"	5296	echo " KerberosV support: $KRB5_MSG"
5241	echo " SELinux support: $SELINUX_MSG"	5297	echo " SELinux support: $SELINUX_MSG"
5242	echo " S/KEY support: $SKEY_MSG"	5298	echo " S/KEY support: $SKEY_MSG"
		5299	echo " TCP Wrappers support: $TCPW_MSG"
5243	echo " MD5 password support: $MD5_MSG"	5300	echo " MD5 password support: $MD5_MSG"
5244	echo " libedit support: $LIBEDIT_MSG"	5301	echo " libedit support: $LIBEDIT_MSG"
5245	echo " libldns support: $LDNS_MSG"	5302	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index 968ba66bb..c8299d5e5 100644 --- a/sshd.8 +++ b/sshd.8
@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
845	This file should be writable only by the user, and need not be	845	This file should be writable only by the user, and need not be
846	readable by anyone else.	846	readable by anyone else.
847	.Pp	847	.Pp
		848	.It Pa /etc/hosts.allow
		849	.It Pa /etc/hosts.deny
		850	Access controls that should be enforced by tcp-wrappers are defined here.
		851	Further details are described in
		852	.Xr hosts_access 5 .
		853	.Pp
848	.It Pa /etc/hosts.equiv	854	.It Pa /etc/hosts.equiv
849	This file is for host-based authentication (see	855	This file is for host-based authentication (see
850	.Xr ssh 1 ) .	856	.Xr ssh 1 ) .
@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
947	.Xr ssh-keygen 1 ,	953	.Xr ssh-keygen 1 ,
948	.Xr ssh-keyscan 1 ,	954	.Xr ssh-keyscan 1 ,
949	.Xr chroot 2 ,	955	.Xr chroot 2 ,
		956	.Xr hosts_access 5 ,
950	.Xr login.conf 5 ,	957	.Xr login.conf 5 ,
951	.Xr moduli 5 ,	958	.Xr moduli 5 ,
952	.Xr sshd_config 5 ,	959	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index e88185efa..4ed0364f2 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2042,6 +2049,24 @@ main(int ac, char **av)
2042	#ifdef SSH_AUDIT_EVENTS	2049	#ifdef SSH_AUDIT_EVENTS
2043	audit_connection_from(remote_ip, remote_port);	2050	audit_connection_from(remote_ip, remote_port);
2044	#endif	2051	#endif
		2052	#ifdef LIBWRAP
		2053	allow_severity = options.log_facility\|LOG_INFO;
		2054	deny_severity = options.log_facility\|LOG_WARNING;
		2055	/* Check whether logins are denied from this host. */
		2056	if (packet_connection_is_on_socket()) {
		2057	struct request_info req;
		2058
		2059	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2060	fromhost(&req);
		2061
		2062	if (!hosts_access(&req)) {
		2063	debug("Connection refused by tcp wrapper");
		2064	refuse(&req);
		2065	/* NOTREACHED */
		2066	fatal("libwrap refuse returns");
		2067	}
		2068	}
		2069	#endif /* LIBWRAP */
2045		2070
2046	rdomain = ssh_packet_rdomain_in(ssh);	2071	rdomain = ssh_packet_rdomain_in(ssh);
2047		2072