diff options
author | Colin Watson <cjwatson@debian.org> | 2014-10-07 13:22:41 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-11-29 17:36:18 +0000 |
commit | 2cd06c4a70dfb22fd1d54779173b5e086c52e08f (patch) | |
tree | 22a5f51428ed64fe7bddbb74eeef55e59906e6a9 | |
parent | 09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (diff) |
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 7a256034d..128889a28 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey], | |||
1448 | ] | 1448 | ] |
1449 | ) | 1449 | ) |
1450 | 1450 | ||
1451 | # Check whether user wants TCP wrappers support | ||
1452 | TCPW_MSG="no" | ||
1453 | AC_ARG_WITH([tcp-wrappers], | ||
1454 | [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
1455 | [ | ||
1456 | if test "x$withval" != "xno" ; then | ||
1457 | saved_LIBS="$LIBS" | ||
1458 | saved_LDFLAGS="$LDFLAGS" | ||
1459 | saved_CPPFLAGS="$CPPFLAGS" | ||
1460 | if test -n "${withval}" && \ | ||
1461 | test "x${withval}" != "xyes"; then | ||
1462 | if test -d "${withval}/lib"; then | ||
1463 | if test -n "${need_dash_r}"; then | ||
1464 | LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
1465 | else | ||
1466 | LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
1467 | fi | ||
1468 | else | ||
1469 | if test -n "${need_dash_r}"; then | ||
1470 | LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
1471 | else | ||
1472 | LDFLAGS="-L${withval} ${LDFLAGS}" | ||
1473 | fi | ||
1474 | fi | ||
1475 | if test -d "${withval}/include"; then | ||
1476 | CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
1477 | else | ||
1478 | CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
1479 | fi | ||
1480 | fi | ||
1481 | LIBS="-lwrap $LIBS" | ||
1482 | AC_MSG_CHECKING([for libwrap]) | ||
1483 | AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
1484 | #include <sys/types.h> | ||
1485 | #include <sys/socket.h> | ||
1486 | #include <netinet/in.h> | ||
1487 | #include <tcpd.h> | ||
1488 | int deny_severity = 0, allow_severity = 0; | ||
1489 | ]], [[ | ||
1490 | hosts_access(0); | ||
1491 | ]])], [ | ||
1492 | AC_MSG_RESULT([yes]) | ||
1493 | AC_DEFINE([LIBWRAP], [1], | ||
1494 | [Define if you want | ||
1495 | TCP Wrappers support]) | ||
1496 | SSHDLIBS="$SSHDLIBS -lwrap" | ||
1497 | TCPW_MSG="yes" | ||
1498 | ], [ | ||
1499 | AC_MSG_ERROR([*** libwrap missing]) | ||
1500 | |||
1501 | ]) | ||
1502 | LIBS="$saved_LIBS" | ||
1503 | fi | ||
1504 | ] | ||
1505 | ) | ||
1506 | |||
1451 | # Check whether user wants to use ldns | 1507 | # Check whether user wants to use ldns |
1452 | LDNS_MSG="no" | 1508 | LDNS_MSG="no" |
1453 | AC_ARG_WITH(ldns, | 1509 | AC_ARG_WITH(ldns, |
@@ -4953,6 +5009,7 @@ echo " KerberosV support: $KRB5_MSG" | |||
4953 | echo " SELinux support: $SELINUX_MSG" | 5009 | echo " SELinux support: $SELINUX_MSG" |
4954 | echo " Smartcard support: $SCARD_MSG" | 5010 | echo " Smartcard support: $SCARD_MSG" |
4955 | echo " S/KEY support: $SKEY_MSG" | 5011 | echo " S/KEY support: $SKEY_MSG" |
5012 | echo " TCP Wrappers support: $TCPW_MSG" | ||
4956 | echo " MD5 password support: $MD5_MSG" | 5013 | echo " MD5 password support: $MD5_MSG" |
4957 | echo " libedit support: $LIBEDIT_MSG" | 5014 | echo " libedit support: $LIBEDIT_MSG" |
4958 | echo " Solaris process contract support: $SPC_MSG" | 5015 | echo " Solaris process contract support: $SPC_MSG" |
@@ -850,6 +850,12 @@ the user's home directory becomes accessible. | |||
850 | This file should be writable only by the user, and need not be | 850 | This file should be writable only by the user, and need not be |
851 | readable by anyone else. | 851 | readable by anyone else. |
852 | .Pp | 852 | .Pp |
853 | .It Pa /etc/hosts.allow | ||
854 | .It Pa /etc/hosts.deny | ||
855 | Access controls that should be enforced by tcp-wrappers are defined here. | ||
856 | Further details are described in | ||
857 | .Xr hosts_access 5 . | ||
858 | .Pp | ||
853 | .It Pa /etc/hosts.equiv | 859 | .It Pa /etc/hosts.equiv |
854 | This file is for host-based authentication (see | 860 | This file is for host-based authentication (see |
855 | .Xr ssh 1 ) . | 861 | .Xr ssh 1 ) . |
@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable. | |||
953 | .Xr ssh-keygen 1 , | 959 | .Xr ssh-keygen 1 , |
954 | .Xr ssh-keyscan 1 , | 960 | .Xr ssh-keyscan 1 , |
955 | .Xr chroot 2 , | 961 | .Xr chroot 2 , |
962 | .Xr hosts_access 5 , | ||
956 | .Xr login.conf 5 , | 963 | .Xr login.conf 5 , |
957 | .Xr moduli 5 , | 964 | .Xr moduli 5 , |
958 | .Xr sshd_config 5 , | 965 | .Xr sshd_config 5 , |
@@ -130,6 +130,13 @@ | |||
130 | #include <Security/AuthSession.h> | 130 | #include <Security/AuthSession.h> |
131 | #endif | 131 | #endif |
132 | 132 | ||
133 | #ifdef LIBWRAP | ||
134 | #include <tcpd.h> | ||
135 | #include <syslog.h> | ||
136 | int allow_severity; | ||
137 | int deny_severity; | ||
138 | #endif /* LIBWRAP */ | ||
139 | |||
133 | #ifndef O_NOCTTY | 140 | #ifndef O_NOCTTY |
134 | #define O_NOCTTY 0 | 141 | #define O_NOCTTY 0 |
135 | #endif | 142 | #endif |
@@ -2145,6 +2152,24 @@ main(int ac, char **av) | |||
2145 | #ifdef SSH_AUDIT_EVENTS | 2152 | #ifdef SSH_AUDIT_EVENTS |
2146 | audit_connection_from(remote_ip, remote_port); | 2153 | audit_connection_from(remote_ip, remote_port); |
2147 | #endif | 2154 | #endif |
2155 | #ifdef LIBWRAP | ||
2156 | allow_severity = options.log_facility|LOG_INFO; | ||
2157 | deny_severity = options.log_facility|LOG_WARNING; | ||
2158 | /* Check whether logins are denied from this host. */ | ||
2159 | if (packet_connection_is_on_socket()) { | ||
2160 | struct request_info req; | ||
2161 | |||
2162 | request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
2163 | fromhost(&req); | ||
2164 | |||
2165 | if (!hosts_access(&req)) { | ||
2166 | debug("Connection refused by tcp wrapper"); | ||
2167 | refuse(&req); | ||
2168 | /* NOTREACHED */ | ||
2169 | fatal("libwrap refuse returns"); | ||
2170 | } | ||
2171 | } | ||
2172 | #endif /* LIBWRAP */ | ||
2148 | 2173 | ||
2149 | /* Log the connection. */ | 2174 | /* Log the connection. */ |
2150 | laddr = get_local_ipaddr(sock_in); | 2175 | laddr = get_local_ipaddr(sock_in); |