Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-03-10 13:00:39 +0000
commit: 1b820bd5376b5b04403f0489b2e135566cedd4e6 (patch)
tree: e325b0ba42511128e8ba42ebefd391782be226b1
parent: 6dfd41bb6858c6446c1da47449e2108fbabf220e (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 5f1ff740f..5d720f77a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5003,6 +5059,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 6c521f23e..589841fcc 100644
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 5cd9129d0..d1dd711fc 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-03-10 13:00:39 +0000
commit	1b820bd5376b5b04403f0489b2e135566cedd4e6 (patch)
tree	e325b0ba42511128e8ba42ebefd391782be226b1
parent	6dfd41bb6858c6446c1da47449e2108fbabf220e (diff)

diff --git a/configure.ac b/configure.ac index 5f1ff740f..5d720f77a 100644 --- a/configure.ac +++ b/configure.ac
@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey],
1481	]	1481	]
1482	)	1482	)
1483		1483
		1484	# Check whether user wants TCP wrappers support
		1485	TCPW_MSG="no"
		1486	AC_ARG_WITH([tcp-wrappers],
		1487	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1488	[
		1489	if test "x$withval" != "xno" ; then
		1490	saved_LIBS="$LIBS"
		1491	saved_LDFLAGS="$LDFLAGS"
		1492	saved_CPPFLAGS="$CPPFLAGS"
		1493	if test -n "${withval}" && \
		1494	test "x${withval}" != "xyes"; then
		1495	if test -d "${withval}/lib"; then
		1496	if test -n "${need_dash_r}"; then
		1497	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1498	else
		1499	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1500	fi
		1501	else
		1502	if test -n "${need_dash_r}"; then
		1503	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1504	else
		1505	LDFLAGS="-L${withval} ${LDFLAGS}"
		1506	fi
		1507	fi
		1508	if test -d "${withval}/include"; then
		1509	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1510	else
		1511	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1512	fi
		1513	fi
		1514	LIBS="-lwrap $LIBS"
		1515	AC_MSG_CHECKING([for libwrap])
		1516	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1517	#include <sys/types.h>
		1518	#include <sys/socket.h>
		1519	#include <netinet/in.h>
		1520	#include <tcpd.h>
		1521	int deny_severity = 0, allow_severity = 0;
		1522	]], [[
		1523	hosts_access(0);
		1524	]])], [
		1525	AC_MSG_RESULT([yes])
		1526	AC_DEFINE([LIBWRAP], [1],
		1527	[Define if you want
		1528	TCP Wrappers support])
		1529	SSHDLIBS="$SSHDLIBS -lwrap"
		1530	TCPW_MSG="yes"
		1531	], [
		1532	AC_MSG_ERROR([*** libwrap missing])
		1533
		1534	])
		1535	LIBS="$saved_LIBS"
		1536	fi
		1537	]
		1538	)
		1539
1484	# Check whether user wants to use ldns	1540	# Check whether user wants to use ldns
1485	LDNS_MSG="no"	1541	LDNS_MSG="no"
1486	AC_ARG_WITH(ldns,	1542	AC_ARG_WITH(ldns,
@@ -5003,6 +5059,7 @@ echo " KerberosV support: $KRB5_MSG"
5003	echo " SELinux support: $SELINUX_MSG"	5059	echo " SELinux support: $SELINUX_MSG"
5004	echo " Smartcard support: $SCARD_MSG"	5060	echo " Smartcard support: $SCARD_MSG"
5005	echo " S/KEY support: $SKEY_MSG"	5061	echo " S/KEY support: $SKEY_MSG"
		5062	echo " TCP Wrappers support: $TCPW_MSG"
5006	echo " MD5 password support: $MD5_MSG"	5063	echo " MD5 password support: $MD5_MSG"
5007	echo " libedit support: $LIBEDIT_MSG"	5064	echo " libedit support: $LIBEDIT_MSG"
5008	echo " Solaris process contract support: $SPC_MSG"	5065	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index 6c521f23e..589841fcc 100644 --- a/sshd.8 +++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
880	This file should be writable only by the user, and need not be	880	This file should be writable only by the user, and need not be
881	readable by anyone else.	881	readable by anyone else.
882	.Pp	882	.Pp
		883	.It Pa /etc/hosts.allow
		884	.It Pa /etc/hosts.deny
		885	Access controls that should be enforced by tcp-wrappers are defined here.
		886	Further details are described in
		887	.Xr hosts_access 5 .
		888	.Pp
883	.It Pa /etc/hosts.equiv	889	.It Pa /etc/hosts.equiv
884	This file is for host-based authentication (see	890	This file is for host-based authentication (see
885	.Xr ssh 1 ) .	891	.Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
986	.Xr ssh-keygen 1 ,	992	.Xr ssh-keygen 1 ,
987	.Xr ssh-keyscan 1 ,	993	.Xr ssh-keyscan 1 ,
988	.Xr chroot 2 ,	994	.Xr chroot 2 ,
		995	.Xr hosts_access 5 ,
989	.Xr login.conf 5 ,	996	.Xr login.conf 5 ,
990	.Xr moduli 5 ,	997	.Xr moduli 5 ,
991	.Xr sshd_config 5 ,	998	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 5cd9129d0..d1dd711fc 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151	#ifdef SSH_AUDIT_EVENTS	2158	#ifdef SSH_AUDIT_EVENTS
2152	audit_connection_from(remote_ip, remote_port);	2159	audit_connection_from(remote_ip, remote_port);
2153	#endif	2160	#endif
		2161	#ifdef LIBWRAP
		2162	allow_severity = options.log_facility\|LOG_INFO;
		2163	deny_severity = options.log_facility\|LOG_WARNING;
		2164	/* Check whether logins are denied from this host. */
		2165	if (packet_connection_is_on_socket()) {
		2166	struct request_info req;
		2167
		2168	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2169	fromhost(&req);
		2170
		2171	if (!hosts_access(&req)) {
		2172	debug("Connection refused by tcp wrapper");
		2173	refuse(&req);
		2174	/* NOTREACHED */
		2175	fatal("libwrap refuse returns");
		2176	}
		2177	}
		2178	#endif /* LIBWRAP */
2154		2179
2155	/* Log the connection. */	2180	/* Log the connection. */
2156	laddr = get_local_ipaddr(sock_in);	2181	laddr = get_local_ipaddr(sock_in);