Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-10-18 12:04:32 +0100
commit: 6806b85f30244d186206004386a9faddc16b8738 (patch)
tree: 3ca4cb5a4f652a7d88c555decb81865f4d1fb91b
parent: d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index c8a96deb4..bb435ec1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1571,6 +1571,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5536,6 +5592,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index b2fad56d3..97d547ffa 100644
--- a/sshd.8
+++ b/sshd.8
@@ -900,6 +900,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -1002,6 +1008,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 8c5d5822e..a50ec3584 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2183,6 +2190,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-10-18 12:04:32 +0100
commit	6806b85f30244d186206004386a9faddc16b8738 (patch)
tree	3ca4cb5a4f652a7d88c555decb81865f4d1fb91b
parent	d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)

diff --git a/configure.ac b/configure.ac index c8a96deb4..bb435ec1f 100644 --- a/configure.ac +++ b/configure.ac
@@ -1571,6 +1571,62 @@ else
1571	AC_MSG_RESULT([no])	1571	AC_MSG_RESULT([no])
1572	fi	1572	fi
1573		1573
		1574	# Check whether user wants TCP wrappers support
		1575	TCPW_MSG="no"
		1576	AC_ARG_WITH([tcp-wrappers],
		1577	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1578	[
		1579	if test "x$withval" != "xno" ; then
		1580	saved_LIBS="$LIBS"
		1581	saved_LDFLAGS="$LDFLAGS"
		1582	saved_CPPFLAGS="$CPPFLAGS"
		1583	if test -n "${withval}" && \
		1584	test "x${withval}" != "xyes"; then
		1585	if test -d "${withval}/lib"; then
		1586	if test -n "${need_dash_r}"; then
		1587	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1588	else
		1589	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1590	fi
		1591	else
		1592	if test -n "${need_dash_r}"; then
		1593	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1594	else
		1595	LDFLAGS="-L${withval} ${LDFLAGS}"
		1596	fi
		1597	fi
		1598	if test -d "${withval}/include"; then
		1599	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1600	else
		1601	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1602	fi
		1603	fi
		1604	LIBS="-lwrap $LIBS"
		1605	AC_MSG_CHECKING([for libwrap])
		1606	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1607	#include <sys/types.h>
		1608	#include <sys/socket.h>
		1609	#include <netinet/in.h>
		1610	#include <tcpd.h>
		1611	int deny_severity = 0, allow_severity = 0;
		1612	]], [[
		1613	hosts_access(0);
		1614	]])], [
		1615	AC_MSG_RESULT([yes])
		1616	AC_DEFINE([LIBWRAP], [1],
		1617	[Define if you want
		1618	TCP Wrappers support])
		1619	SSHDLIBS="$SSHDLIBS -lwrap"
		1620	TCPW_MSG="yes"
		1621	], [
		1622	AC_MSG_ERROR([*** libwrap missing])
		1623
		1624	])
		1625	LIBS="$saved_LIBS"
		1626	fi
		1627	]
		1628	)
		1629
1574	# Check whether user wants to use ldns	1630	# Check whether user wants to use ldns
1575	LDNS_MSG="no"	1631	LDNS_MSG="no"
1576	AC_ARG_WITH(ldns,	1632	AC_ARG_WITH(ldns,
@@ -5536,6 +5592,7 @@ echo " PAM support: $PAM_MSG"
5536	echo " OSF SIA support: $SIA_MSG"	5592	echo " OSF SIA support: $SIA_MSG"
5537	echo " KerberosV support: $KRB5_MSG"	5593	echo " KerberosV support: $KRB5_MSG"
5538	echo " SELinux support: $SELINUX_MSG"	5594	echo " SELinux support: $SELINUX_MSG"
		5595	echo " TCP Wrappers support: $TCPW_MSG"
5539	echo " MD5 password support: $MD5_MSG"	5596	echo " MD5 password support: $MD5_MSG"
5540	echo " libedit support: $LIBEDIT_MSG"	5597	echo " libedit support: $LIBEDIT_MSG"
5541	echo " libldns support: $LDNS_MSG"	5598	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index b2fad56d3..97d547ffa 100644 --- a/sshd.8 +++ b/sshd.8
@@ -900,6 +900,12 @@ the user's home directory becomes accessible.
900	This file should be writable only by the user, and need not be	900	This file should be writable only by the user, and need not be
901	readable by anyone else.	901	readable by anyone else.
902	.Pp	902	.Pp
		903	.It Pa /etc/hosts.allow
		904	.It Pa /etc/hosts.deny
		905	Access controls that should be enforced by tcp-wrappers are defined here.
		906	Further details are described in
		907	.Xr hosts_access 5 .
		908	.Pp
903	.It Pa /etc/hosts.equiv	909	.It Pa /etc/hosts.equiv
904	This file is for host-based authentication (see	910	This file is for host-based authentication (see
905	.Xr ssh 1 ) .	911	.Xr ssh 1 ) .
@@ -1002,6 +1008,7 @@ The content of this file is not sensitive; it can be world-readable.
1002	.Xr ssh-keygen 1 ,	1008	.Xr ssh-keygen 1 ,
1003	.Xr ssh-keyscan 1 ,	1009	.Xr ssh-keyscan 1 ,
1004	.Xr chroot 2 ,	1010	.Xr chroot 2 ,
		1011	.Xr hosts_access 5 ,
1005	.Xr login.conf 5 ,	1012	.Xr login.conf 5 ,
1006	.Xr moduli 5 ,	1013	.Xr moduli 5 ,
1007	.Xr sshd_config 5 ,	1014	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 8c5d5822e..a50ec3584 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2183,6 +2190,24 @@ main(int ac, char **av)
2183	#ifdef SSH_AUDIT_EVENTS	2190	#ifdef SSH_AUDIT_EVENTS
2184	audit_connection_from(remote_ip, remote_port);	2191	audit_connection_from(remote_ip, remote_port);
2185	#endif	2192	#endif
		2193	#ifdef LIBWRAP
		2194	allow_severity = options.log_facility\|LOG_INFO;
		2195	deny_severity = options.log_facility\|LOG_WARNING;
		2196	/* Check whether logins are denied from this host. */
		2197	if (ssh_packet_connection_is_on_socket(ssh)) {
		2198	struct request_info req;
		2199
		2200	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2201	fromhost(&req);
		2202
		2203	if (!hosts_access(&req)) {
		2204	debug("Connection refused by tcp wrapper");
		2205	refuse(&req);
		2206	/* NOTREACHED */
		2207	fatal("libwrap refuse returns");
		2208	}
		2209	}
		2210	#endif /* LIBWRAP */
2186		2211
2187	rdomain = ssh_packet_rdomain_in(ssh);	2212	rdomain = ssh_packet_rdomain_in(ssh);
2188		2213