summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2015-11-29 17:36:18 +0000
commit2cd06c4a70dfb22fd1d54779173b5e086c52e08f (patch)
tree22a5f51428ed64fe7bddbb74eeef55e59906e6a9
parent09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 7a256034d..128889a28 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
1448 ] 1448 ]
1449) 1449)
1450 1450
1451# Check whether user wants TCP wrappers support
1452TCPW_MSG="no"
1453AC_ARG_WITH([tcp-wrappers],
1454 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1455 [
1456 if test "x$withval" != "xno" ; then
1457 saved_LIBS="$LIBS"
1458 saved_LDFLAGS="$LDFLAGS"
1459 saved_CPPFLAGS="$CPPFLAGS"
1460 if test -n "${withval}" && \
1461 test "x${withval}" != "xyes"; then
1462 if test -d "${withval}/lib"; then
1463 if test -n "${need_dash_r}"; then
1464 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1465 else
1466 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1467 fi
1468 else
1469 if test -n "${need_dash_r}"; then
1470 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1471 else
1472 LDFLAGS="-L${withval} ${LDFLAGS}"
1473 fi
1474 fi
1475 if test -d "${withval}/include"; then
1476 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1477 else
1478 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1479 fi
1480 fi
1481 LIBS="-lwrap $LIBS"
1482 AC_MSG_CHECKING([for libwrap])
1483 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1484#include <sys/types.h>
1485#include <sys/socket.h>
1486#include <netinet/in.h>
1487#include <tcpd.h>
1488int deny_severity = 0, allow_severity = 0;
1489 ]], [[
1490 hosts_access(0);
1491 ]])], [
1492 AC_MSG_RESULT([yes])
1493 AC_DEFINE([LIBWRAP], [1],
1494 [Define if you want
1495 TCP Wrappers support])
1496 SSHDLIBS="$SSHDLIBS -lwrap"
1497 TCPW_MSG="yes"
1498 ], [
1499 AC_MSG_ERROR([*** libwrap missing])
1500
1501 ])
1502 LIBS="$saved_LIBS"
1503 fi
1504 ]
1505)
1506
1451# Check whether user wants to use ldns 1507# Check whether user wants to use ldns
1452LDNS_MSG="no" 1508LDNS_MSG="no"
1453AC_ARG_WITH(ldns, 1509AC_ARG_WITH(ldns,
@@ -4953,6 +5009,7 @@ echo " KerberosV support: $KRB5_MSG"
4953echo " SELinux support: $SELINUX_MSG" 5009echo " SELinux support: $SELINUX_MSG"
4954echo " Smartcard support: $SCARD_MSG" 5010echo " Smartcard support: $SCARD_MSG"
4955echo " S/KEY support: $SKEY_MSG" 5011echo " S/KEY support: $SKEY_MSG"
5012echo " TCP Wrappers support: $TCPW_MSG"
4956echo " MD5 password support: $MD5_MSG" 5013echo " MD5 password support: $MD5_MSG"
4957echo " libedit support: $LIBEDIT_MSG" 5014echo " libedit support: $LIBEDIT_MSG"
4958echo " Solaris process contract support: $SPC_MSG" 5015echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 213b5fc43..2105979a9 100644
--- a/sshd.8
+++ b/sshd.8
@@ -850,6 +850,12 @@ the user's home directory becomes accessible.
850This file should be writable only by the user, and need not be 850This file should be writable only by the user, and need not be
851readable by anyone else. 851readable by anyone else.
852.Pp 852.Pp
853.It Pa /etc/hosts.allow
854.It Pa /etc/hosts.deny
855Access controls that should be enforced by tcp-wrappers are defined here.
856Further details are described in
857.Xr hosts_access 5 .
858.Pp
853.It Pa /etc/hosts.equiv 859.It Pa /etc/hosts.equiv
854This file is for host-based authentication (see 860This file is for host-based authentication (see
855.Xr ssh 1 ) . 861.Xr ssh 1 ) .
@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable.
953.Xr ssh-keygen 1 , 959.Xr ssh-keygen 1 ,
954.Xr ssh-keyscan 1 , 960.Xr ssh-keyscan 1 ,
955.Xr chroot 2 , 961.Xr chroot 2 ,
962.Xr hosts_access 5 ,
956.Xr login.conf 5 , 963.Xr login.conf 5 ,
957.Xr moduli 5 , 964.Xr moduli 5 ,
958.Xr sshd_config 5 , 965.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 839c2e02d..0e30e6e32 100644
--- a/sshd.c
+++ b/sshd.c
@@ -130,6 +130,13 @@
130#include <Security/AuthSession.h> 130#include <Security/AuthSession.h>
131#endif 131#endif
132 132
133#ifdef LIBWRAP
134#include <tcpd.h>
135#include <syslog.h>
136int allow_severity;
137int deny_severity;
138#endif /* LIBWRAP */
139
133#ifndef O_NOCTTY 140#ifndef O_NOCTTY
134#define O_NOCTTY 0 141#define O_NOCTTY 0
135#endif 142#endif
@@ -2145,6 +2152,24 @@ main(int ac, char **av)
2145#ifdef SSH_AUDIT_EVENTS 2152#ifdef SSH_AUDIT_EVENTS
2146 audit_connection_from(remote_ip, remote_port); 2153 audit_connection_from(remote_ip, remote_port);
2147#endif 2154#endif
2155#ifdef LIBWRAP
2156 allow_severity = options.log_facility|LOG_INFO;
2157 deny_severity = options.log_facility|LOG_WARNING;
2158 /* Check whether logins are denied from this host. */
2159 if (packet_connection_is_on_socket()) {
2160 struct request_info req;
2161
2162 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2163 fromhost(&req);
2164
2165 if (!hosts_access(&req)) {
2166 debug("Connection refused by tcp wrapper");
2167 refuse(&req);
2168 /* NOTREACHED */
2169 fatal("libwrap refuse returns");
2170 }
2171 }
2172#endif /* LIBWRAP */
2148 2173
2149 /* Log the connection. */ 2174 /* Log the connection. */
2150 laddr = get_local_ipaddr(sock_in); 2175 laddr = get_local_ipaddr(sock_in);