Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 12:01:46 +0000
commit: 31d42cd8624f29508f772447e617ab043a6487d9 (patch)
tree: b79c77ea9386d2237a9886c719eb8dca5c3c7954
parent: 34aff3aa136e5a65f441b25811dd466488fda087 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index efafb6bd8..cee7cbc51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1556,6 +1556,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5413,6 +5469,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..730520231 100644
--- a/sshd.8
+++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index d92f03aaf..62dc55cf2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 12:01:46 +0000
commit	31d42cd8624f29508f772447e617ab043a6487d9 (patch)
tree	b79c77ea9386d2237a9886c719eb8dca5c3c7954
parent	34aff3aa136e5a65f441b25811dd466488fda087 (diff)

diff --git a/configure.ac b/configure.ac index efafb6bd8..cee7cbc51 100644 --- a/configure.ac +++ b/configure.ac
@@ -1556,6 +1556,62 @@ else
1556	AC_MSG_RESULT([no])	1556	AC_MSG_RESULT([no])
1557	fi	1557	fi
1558		1558
		1559	# Check whether user wants TCP wrappers support
		1560	TCPW_MSG="no"
		1561	AC_ARG_WITH([tcp-wrappers],
		1562	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1563	[
		1564	if test "x$withval" != "xno" ; then
		1565	saved_LIBS="$LIBS"
		1566	saved_LDFLAGS="$LDFLAGS"
		1567	saved_CPPFLAGS="$CPPFLAGS"
		1568	if test -n "${withval}" && \
		1569	test "x${withval}" != "xyes"; then
		1570	if test -d "${withval}/lib"; then
		1571	if test -n "${need_dash_r}"; then
		1572	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1573	else
		1574	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1575	fi
		1576	else
		1577	if test -n "${need_dash_r}"; then
		1578	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1579	else
		1580	LDFLAGS="-L${withval} ${LDFLAGS}"
		1581	fi
		1582	fi
		1583	if test -d "${withval}/include"; then
		1584	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1585	else
		1586	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1587	fi
		1588	fi
		1589	LIBS="-lwrap $LIBS"
		1590	AC_MSG_CHECKING([for libwrap])
		1591	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1592	#include <sys/types.h>
		1593	#include <sys/socket.h>
		1594	#include <netinet/in.h>
		1595	#include <tcpd.h>
		1596	int deny_severity = 0, allow_severity = 0;
		1597	]], [[
		1598	hosts_access(0);
		1599	]])], [
		1600	AC_MSG_RESULT([yes])
		1601	AC_DEFINE([LIBWRAP], [1],
		1602	[Define if you want
		1603	TCP Wrappers support])
		1604	SSHDLIBS="$SSHDLIBS -lwrap"
		1605	TCPW_MSG="yes"
		1606	], [
		1607	AC_MSG_ERROR([*** libwrap missing])
		1608
		1609	])
		1610	LIBS="$saved_LIBS"
		1611	fi
		1612	]
		1613	)
		1614
1559	# Check whether user wants to use ldns	1615	# Check whether user wants to use ldns
1560	LDNS_MSG="no"	1616	LDNS_MSG="no"
1561	AC_ARG_WITH(ldns,	1617	AC_ARG_WITH(ldns,
@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
5413	echo " OSF SIA support: $SIA_MSG"	5469	echo " OSF SIA support: $SIA_MSG"
5414	echo " KerberosV support: $KRB5_MSG"	5470	echo " KerberosV support: $KRB5_MSG"
5415	echo " SELinux support: $SELINUX_MSG"	5471	echo " SELinux support: $SELINUX_MSG"
		5472	echo " TCP Wrappers support: $TCPW_MSG"
5416	echo " MD5 password support: $MD5_MSG"	5473	echo " MD5 password support: $MD5_MSG"
5417	echo " libedit support: $LIBEDIT_MSG"	5474	echo " libedit support: $LIBEDIT_MSG"
5418	echo " libldns support: $LDNS_MSG"	5475	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index c5f8987d2..730520231 100644 --- a/sshd.8 +++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
893	This file should be writable only by the user, and need not be	893	This file should be writable only by the user, and need not be
894	readable by anyone else.	894	readable by anyone else.
895	.Pp	895	.Pp
		896	.It Pa /etc/hosts.allow
		897	.It Pa /etc/hosts.deny
		898	Access controls that should be enforced by tcp-wrappers are defined here.
		899	Further details are described in
		900	.Xr hosts_access 5 .
		901	.Pp
896	.It Pa /etc/hosts.equiv	902	.It Pa /etc/hosts.equiv
897	This file is for host-based authentication (see	903	This file is for host-based authentication (see
898	.Xr ssh 1 ) .	904	.Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
995	.Xr ssh-keygen 1 ,	1001	.Xr ssh-keygen 1 ,
996	.Xr ssh-keyscan 1 ,	1002	.Xr ssh-keyscan 1 ,
997	.Xr chroot 2 ,	1003	.Xr chroot 2 ,
		1004	.Xr hosts_access 5 ,
998	.Xr login.conf 5 ,	1005	.Xr login.conf 5 ,
999	.Xr moduli 5 ,	1006	.Xr moduli 5 ,
1000	.Xr sshd_config 5 ,	1007	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index d92f03aaf..62dc55cf2 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
2138	#ifdef SSH_AUDIT_EVENTS	2145	#ifdef SSH_AUDIT_EVENTS
2139	audit_connection_from(remote_ip, remote_port);	2146	audit_connection_from(remote_ip, remote_port);
2140	#endif	2147	#endif
		2148	#ifdef LIBWRAP
		2149	allow_severity = options.log_facility\|LOG_INFO;
		2150	deny_severity = options.log_facility\|LOG_WARNING;
		2151	/* Check whether logins are denied from this host. */
		2152	if (ssh_packet_connection_is_on_socket(ssh)) {
		2153	struct request_info req;
		2154
		2155	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2156	fromhost(&req);
		2157
		2158	if (!hosts_access(&req)) {
		2159	debug("Connection refused by tcp wrapper");
		2160	refuse(&req);
		2161	/* NOTREACHED */
		2162	fatal("libwrap refuse returns");
		2163	}
		2164	}
		2165	#endif /* LIBWRAP */
2141		2166
2142	rdomain = ssh_packet_rdomain_in(ssh);	2167	rdomain = ssh_packet_rdomain_in(ssh);
2143		2168