Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2018-08-24 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-10-20 22:54:09 +0100
commit: 389e16d0109d8c49a761cd7c267438b05c9ab984 (patch)
tree: a7dfff07f60a4896c9c2ab4adcbd9f5e72143da7
parent: 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 023e7cc55..917300b43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1517,6 +1517,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5329,6 +5385,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index fb133c14b..57a7fd66b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 539a000fd..673db87f6 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2099,6 +2106,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-10-20 22:54:09 +0100
commit	389e16d0109d8c49a761cd7c267438b05c9ab984 (patch)
tree	a7dfff07f60a4896c9c2ab4adcbd9f5e72143da7
parent	72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (diff)

diff --git a/configure.ac b/configure.ac index 023e7cc55..917300b43 100644 --- a/configure.ac +++ b/configure.ac
@@ -1517,6 +1517,62 @@ else
1517	AC_MSG_RESULT([no])	1517	AC_MSG_RESULT([no])
1518	fi	1518	fi
1519		1519
		1520	# Check whether user wants TCP wrappers support
		1521	TCPW_MSG="no"
		1522	AC_ARG_WITH([tcp-wrappers],
		1523	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1524	[
		1525	if test "x$withval" != "xno" ; then
		1526	saved_LIBS="$LIBS"
		1527	saved_LDFLAGS="$LDFLAGS"
		1528	saved_CPPFLAGS="$CPPFLAGS"
		1529	if test -n "${withval}" && \
		1530	test "x${withval}" != "xyes"; then
		1531	if test -d "${withval}/lib"; then
		1532	if test -n "${need_dash_r}"; then
		1533	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1534	else
		1535	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1536	fi
		1537	else
		1538	if test -n "${need_dash_r}"; then
		1539	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1540	else
		1541	LDFLAGS="-L${withval} ${LDFLAGS}"
		1542	fi
		1543	fi
		1544	if test -d "${withval}/include"; then
		1545	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1546	else
		1547	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1548	fi
		1549	fi
		1550	LIBS="-lwrap $LIBS"
		1551	AC_MSG_CHECKING([for libwrap])
		1552	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1553	#include <sys/types.h>
		1554	#include <sys/socket.h>
		1555	#include <netinet/in.h>
		1556	#include <tcpd.h>
		1557	int deny_severity = 0, allow_severity = 0;
		1558	]], [[
		1559	hosts_access(0);
		1560	]])], [
		1561	AC_MSG_RESULT([yes])
		1562	AC_DEFINE([LIBWRAP], [1],
		1563	[Define if you want
		1564	TCP Wrappers support])
		1565	SSHDLIBS="$SSHDLIBS -lwrap"
		1566	TCPW_MSG="yes"
		1567	], [
		1568	AC_MSG_ERROR([*** libwrap missing])
		1569
		1570	])
		1571	LIBS="$saved_LIBS"
		1572	fi
		1573	]
		1574	)
		1575
1520	# Check whether user wants to use ldns	1576	# Check whether user wants to use ldns
1521	LDNS_MSG="no"	1577	LDNS_MSG="no"
1522	AC_ARG_WITH(ldns,	1578	AC_ARG_WITH(ldns,
@@ -5329,6 +5385,7 @@ echo " PAM support: $PAM_MSG"
5329	echo " OSF SIA support: $SIA_MSG"	5385	echo " OSF SIA support: $SIA_MSG"
5330	echo " KerberosV support: $KRB5_MSG"	5386	echo " KerberosV support: $KRB5_MSG"
5331	echo " SELinux support: $SELINUX_MSG"	5387	echo " SELinux support: $SELINUX_MSG"
		5388	echo " TCP Wrappers support: $TCPW_MSG"
5332	echo " MD5 password support: $MD5_MSG"	5389	echo " MD5 password support: $MD5_MSG"
5333	echo " libedit support: $LIBEDIT_MSG"	5390	echo " libedit support: $LIBEDIT_MSG"
5334	echo " libldns support: $LDNS_MSG"	5391	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index fb133c14b..57a7fd66b 100644 --- a/sshd.8 +++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
873	This file should be writable only by the user, and need not be	873	This file should be writable only by the user, and need not be
874	readable by anyone else.	874	readable by anyone else.
875	.Pp	875	.Pp
		876	.It Pa /etc/hosts.allow
		877	.It Pa /etc/hosts.deny
		878	Access controls that should be enforced by tcp-wrappers are defined here.
		879	Further details are described in
		880	.Xr hosts_access 5 .
		881	.Pp
876	.It Pa /etc/hosts.equiv	882	.It Pa /etc/hosts.equiv
877	This file is for host-based authentication (see	883	This file is for host-based authentication (see
878	.Xr ssh 1 ) .	884	.Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
975	.Xr ssh-keygen 1 ,	981	.Xr ssh-keygen 1 ,
976	.Xr ssh-keyscan 1 ,	982	.Xr ssh-keyscan 1 ,
977	.Xr chroot 2 ,	983	.Xr chroot 2 ,
		984	.Xr hosts_access 5 ,
978	.Xr login.conf 5 ,	985	.Xr login.conf 5 ,
979	.Xr moduli 5 ,	986	.Xr moduli 5 ,
980	.Xr sshd_config 5 ,	987	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 539a000fd..673db87f6 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2099,6 +2106,24 @@ main(int ac, char **av)
2099	#ifdef SSH_AUDIT_EVENTS	2106	#ifdef SSH_AUDIT_EVENTS
2100	audit_connection_from(remote_ip, remote_port);	2107	audit_connection_from(remote_ip, remote_port);
2101	#endif	2108	#endif
		2109	#ifdef LIBWRAP
		2110	allow_severity = options.log_facility\|LOG_INFO;
		2111	deny_severity = options.log_facility\|LOG_WARNING;
		2112	/* Check whether logins are denied from this host. */
		2113	if (packet_connection_is_on_socket()) {
		2114	struct request_info req;
		2115
		2116	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2117	fromhost(&req);
		2118
		2119	if (!hosts_access(&req)) {
		2120	debug("Connection refused by tcp wrapper");
		2121	refuse(&req);
		2122	/* NOTREACHED */
		2123	fatal("libwrap refuse returns");
		2124	}
		2125	}
		2126	#endif /* LIBWRAP */
2102		2127
2103	rdomain = ssh_packet_rdomain_in(ssh);	2128	rdomain = ssh_packet_rdomain_in(ssh);
2104		2129