summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2016-03-10 13:00:39 +0000
commit1b820bd5376b5b04403f0489b2e135566cedd4e6 (patch)
treee325b0ba42511128e8ba42ebefd391782be226b1
parent6dfd41bb6858c6446c1da47449e2108fbabf220e (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 5f1ff740f..5d720f77a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey],
1481 ] 1481 ]
1482) 1482)
1483 1483
1484# Check whether user wants TCP wrappers support
1485TCPW_MSG="no"
1486AC_ARG_WITH([tcp-wrappers],
1487 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1488 [
1489 if test "x$withval" != "xno" ; then
1490 saved_LIBS="$LIBS"
1491 saved_LDFLAGS="$LDFLAGS"
1492 saved_CPPFLAGS="$CPPFLAGS"
1493 if test -n "${withval}" && \
1494 test "x${withval}" != "xyes"; then
1495 if test -d "${withval}/lib"; then
1496 if test -n "${need_dash_r}"; then
1497 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1498 else
1499 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1500 fi
1501 else
1502 if test -n "${need_dash_r}"; then
1503 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1504 else
1505 LDFLAGS="-L${withval} ${LDFLAGS}"
1506 fi
1507 fi
1508 if test -d "${withval}/include"; then
1509 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1510 else
1511 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1512 fi
1513 fi
1514 LIBS="-lwrap $LIBS"
1515 AC_MSG_CHECKING([for libwrap])
1516 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1517#include <sys/types.h>
1518#include <sys/socket.h>
1519#include <netinet/in.h>
1520#include <tcpd.h>
1521int deny_severity = 0, allow_severity = 0;
1522 ]], [[
1523 hosts_access(0);
1524 ]])], [
1525 AC_MSG_RESULT([yes])
1526 AC_DEFINE([LIBWRAP], [1],
1527 [Define if you want
1528 TCP Wrappers support])
1529 SSHDLIBS="$SSHDLIBS -lwrap"
1530 TCPW_MSG="yes"
1531 ], [
1532 AC_MSG_ERROR([*** libwrap missing])
1533
1534 ])
1535 LIBS="$saved_LIBS"
1536 fi
1537 ]
1538)
1539
1484# Check whether user wants to use ldns 1540# Check whether user wants to use ldns
1485LDNS_MSG="no" 1541LDNS_MSG="no"
1486AC_ARG_WITH(ldns, 1542AC_ARG_WITH(ldns,
@@ -5003,6 +5059,7 @@ echo " KerberosV support: $KRB5_MSG"
5003echo " SELinux support: $SELINUX_MSG" 5059echo " SELinux support: $SELINUX_MSG"
5004echo " Smartcard support: $SCARD_MSG" 5060echo " Smartcard support: $SCARD_MSG"
5005echo " S/KEY support: $SKEY_MSG" 5061echo " S/KEY support: $SKEY_MSG"
5062echo " TCP Wrappers support: $TCPW_MSG"
5006echo " MD5 password support: $MD5_MSG" 5063echo " MD5 password support: $MD5_MSG"
5007echo " libedit support: $LIBEDIT_MSG" 5064echo " libedit support: $LIBEDIT_MSG"
5008echo " Solaris process contract support: $SPC_MSG" 5065echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 6c521f23e..589841fcc 100644
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
880This file should be writable only by the user, and need not be 880This file should be writable only by the user, and need not be
881readable by anyone else. 881readable by anyone else.
882.Pp 882.Pp
883.It Pa /etc/hosts.allow
884.It Pa /etc/hosts.deny
885Access controls that should be enforced by tcp-wrappers are defined here.
886Further details are described in
887.Xr hosts_access 5 .
888.Pp
883.It Pa /etc/hosts.equiv 889.It Pa /etc/hosts.equiv
884This file is for host-based authentication (see 890This file is for host-based authentication (see
885.Xr ssh 1 ) . 891.Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
986.Xr ssh-keygen 1 , 992.Xr ssh-keygen 1 ,
987.Xr ssh-keyscan 1 , 993.Xr ssh-keyscan 1 ,
988.Xr chroot 2 , 994.Xr chroot 2 ,
995.Xr hosts_access 5 ,
989.Xr login.conf 5 , 996.Xr login.conf 5 ,
990.Xr moduli 5 , 997.Xr moduli 5 ,
991.Xr sshd_config 5 , 998.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 5cd9129d0..d1dd711fc 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
129#include <Security/AuthSession.h> 129#include <Security/AuthSession.h>
130#endif 130#endif
131 131
132#ifdef LIBWRAP
133#include <tcpd.h>
134#include <syslog.h>
135int allow_severity;
136int deny_severity;
137#endif /* LIBWRAP */
138
132#ifndef O_NOCTTY 139#ifndef O_NOCTTY
133#define O_NOCTTY 0 140#define O_NOCTTY 0
134#endif 141#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151#ifdef SSH_AUDIT_EVENTS 2158#ifdef SSH_AUDIT_EVENTS
2152 audit_connection_from(remote_ip, remote_port); 2159 audit_connection_from(remote_ip, remote_port);
2153#endif 2160#endif
2161#ifdef LIBWRAP
2162 allow_severity = options.log_facility|LOG_INFO;
2163 deny_severity = options.log_facility|LOG_WARNING;
2164 /* Check whether logins are denied from this host. */
2165 if (packet_connection_is_on_socket()) {
2166 struct request_info req;
2167
2168 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2169 fromhost(&req);
2170
2171 if (!hosts_access(&req)) {
2172 debug("Connection refused by tcp wrapper");
2173 refuse(&req);
2174 /* NOTREACHED */
2175 fatal("libwrap refuse returns");
2176 }
2177 }
2178#endif /* LIBWRAP */
2154 2179
2155 /* Log the connection. */ 2180 /* Log the connection. */
2156 laddr = get_local_ipaddr(sock_in); 2181 laddr = get_local_ipaddr(sock_in);