Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-12-28 20:05:04 +0000
commit: 10d7583287f2d589da0786819e62a0be5ec9847f (patch)
tree: 417ba0a3a1b0b1516c2715f4213293da02450ce5
parent: 40ab38b3f501f3e21662f0294eef06789605c5f8 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 5fdc696c8..4747ce4a5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5105,6 +5161,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 41fc5051a..c67846025 100644
--- a/sshd.8
+++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 0970f2970..72d85de1c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-12-28 20:05:04 +0000
commit	10d7583287f2d589da0786819e62a0be5ec9847f (patch)
tree	417ba0a3a1b0b1516c2715f4213293da02450ce5
parent	40ab38b3f501f3e21662f0294eef06789605c5f8 (diff)

diff --git a/configure.ac b/configure.ac index 5fdc696c8..4747ce4a5 100644 --- a/configure.ac +++ b/configure.ac
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
1491	]	1491	]
1492	)	1492	)
1493		1493
		1494	# Check whether user wants TCP wrappers support
		1495	TCPW_MSG="no"
		1496	AC_ARG_WITH([tcp-wrappers],
		1497	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1498	[
		1499	if test "x$withval" != "xno" ; then
		1500	saved_LIBS="$LIBS"
		1501	saved_LDFLAGS="$LDFLAGS"
		1502	saved_CPPFLAGS="$CPPFLAGS"
		1503	if test -n "${withval}" && \
		1504	test "x${withval}" != "xyes"; then
		1505	if test -d "${withval}/lib"; then
		1506	if test -n "${need_dash_r}"; then
		1507	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1508	else
		1509	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1510	fi
		1511	else
		1512	if test -n "${need_dash_r}"; then
		1513	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1514	else
		1515	LDFLAGS="-L${withval} ${LDFLAGS}"
		1516	fi
		1517	fi
		1518	if test -d "${withval}/include"; then
		1519	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1520	else
		1521	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1522	fi
		1523	fi
		1524	LIBS="-lwrap $LIBS"
		1525	AC_MSG_CHECKING([for libwrap])
		1526	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1527	#include <sys/types.h>
		1528	#include <sys/socket.h>
		1529	#include <netinet/in.h>
		1530	#include <tcpd.h>
		1531	int deny_severity = 0, allow_severity = 0;
		1532	]], [[
		1533	hosts_access(0);
		1534	]])], [
		1535	AC_MSG_RESULT([yes])
		1536	AC_DEFINE([LIBWRAP], [1],
		1537	[Define if you want
		1538	TCP Wrappers support])
		1539	SSHDLIBS="$SSHDLIBS -lwrap"
		1540	TCPW_MSG="yes"
		1541	], [
		1542	AC_MSG_ERROR([*** libwrap missing])
		1543
		1544	])
		1545	LIBS="$saved_LIBS"
		1546	fi
		1547	]
		1548	)
		1549
1494	# Check whether user wants to use ldns	1550	# Check whether user wants to use ldns
1495	LDNS_MSG="no"	1551	LDNS_MSG="no"
1496	AC_ARG_WITH(ldns,	1552	AC_ARG_WITH(ldns,
@@ -5105,6 +5161,7 @@ echo " KerberosV support: $KRB5_MSG"
5105	echo " SELinux support: $SELINUX_MSG"	5161	echo " SELinux support: $SELINUX_MSG"
5106	echo " Smartcard support: $SCARD_MSG"	5162	echo " Smartcard support: $SCARD_MSG"
5107	echo " S/KEY support: $SKEY_MSG"	5163	echo " S/KEY support: $SKEY_MSG"
		5164	echo " TCP Wrappers support: $TCPW_MSG"
5108	echo " MD5 password support: $MD5_MSG"	5165	echo " MD5 password support: $MD5_MSG"
5109	echo " libedit support: $LIBEDIT_MSG"	5166	echo " libedit support: $LIBEDIT_MSG"
5110	echo " Solaris process contract support: $SPC_MSG"	5167	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index 41fc5051a..c67846025 100644 --- a/sshd.8 +++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
825	This file should be writable only by the user, and need not be	825	This file should be writable only by the user, and need not be
826	readable by anyone else.	826	readable by anyone else.
827	.Pp	827	.Pp
		828	.It Pa /etc/hosts.allow
		829	.It Pa /etc/hosts.deny
		830	Access controls that should be enforced by tcp-wrappers are defined here.
		831	Further details are described in
		832	.Xr hosts_access 5 .
		833	.Pp
828	.It Pa /etc/hosts.equiv	834	.It Pa /etc/hosts.equiv
829	This file is for host-based authentication (see	835	This file is for host-based authentication (see
830	.Xr ssh 1 ) .	836	.Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
929	.Xr ssh-keygen 1 ,	935	.Xr ssh-keygen 1 ,
930	.Xr ssh-keyscan 1 ,	936	.Xr ssh-keyscan 1 ,
931	.Xr chroot 2 ,	937	.Xr chroot 2 ,
		938	.Xr hosts_access 5 ,
932	.Xr login.conf 5 ,	939	.Xr login.conf 5 ,
933	.Xr moduli 5 ,	940	.Xr moduli 5 ,
934	.Xr sshd_config 5 ,	941	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 0970f2970..72d85de1c 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
1978	#ifdef SSH_AUDIT_EVENTS	1985	#ifdef SSH_AUDIT_EVENTS
1979	audit_connection_from(remote_ip, remote_port);	1986	audit_connection_from(remote_ip, remote_port);
1980	#endif	1987	#endif
		1988	#ifdef LIBWRAP
		1989	allow_severity = options.log_facility\|LOG_INFO;
		1990	deny_severity = options.log_facility\|LOG_WARNING;
		1991	/* Check whether logins are denied from this host. */
		1992	if (packet_connection_is_on_socket()) {
		1993	struct request_info req;
		1994
		1995	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		1996	fromhost(&req);
		1997
		1998	if (!hosts_access(&req)) {
		1999	debug("Connection refused by tcp wrapper");
		2000	refuse(&req);
		2001	/* NOTREACHED */
		2002	fatal("libwrap refuse returns");
		2003	}
		2004	}
		2005	#endif /* LIBWRAP */
1981		2006
1982	/* Log the connection. */	2007	/* Log the connection. */
1983	laddr = get_local_ipaddr(sock_in);	2008	laddr = get_local_ipaddr(sock_in);