Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 16:33:31 +0100
commit: 7df209aed8ded9a6cab34e704576998786bdc890 (patch)
tree: 766f31dee04424ad537c07e6ce8f927fc30d2b04
parent: 06879e71614170580ffa7568ec5c009f60a9d084 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 216a9fdab..5f606ea12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4920,6 +4976,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 3c53f7cd6..fc2154c45 100644
--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index cf38baebf..9cbe8c4ae 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2133,6 +2140,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        verbose("Connection from %s port %d on %s port %d",
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 16:33:31 +0100
commit	7df209aed8ded9a6cab34e704576998786bdc890 (patch)
tree	766f31dee04424ad537c07e6ce8f927fc30d2b04
parent	06879e71614170580ffa7568ec5c009f60a9d084 (diff)

diff --git a/configure.ac b/configure.ac index 216a9fdab..5f606ea12 100644 --- a/configure.ac +++ b/configure.ac
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
1440	]	1440	]
1441	)	1441	)
1442		1442
		1443	# Check whether user wants TCP wrappers support
		1444	TCPW_MSG="no"
		1445	AC_ARG_WITH([tcp-wrappers],
		1446	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1447	[
		1448	if test "x$withval" != "xno" ; then
		1449	saved_LIBS="$LIBS"
		1450	saved_LDFLAGS="$LDFLAGS"
		1451	saved_CPPFLAGS="$CPPFLAGS"
		1452	if test -n "${withval}" && \
		1453	test "x${withval}" != "xyes"; then
		1454	if test -d "${withval}/lib"; then
		1455	if test -n "${need_dash_r}"; then
		1456	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1457	else
		1458	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1459	fi
		1460	else
		1461	if test -n "${need_dash_r}"; then
		1462	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1463	else
		1464	LDFLAGS="-L${withval} ${LDFLAGS}"
		1465	fi
		1466	fi
		1467	if test -d "${withval}/include"; then
		1468	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1469	else
		1470	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1471	fi
		1472	fi
		1473	LIBS="-lwrap $LIBS"
		1474	AC_MSG_CHECKING([for libwrap])
		1475	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1476	#include <sys/types.h>
		1477	#include <sys/socket.h>
		1478	#include <netinet/in.h>
		1479	#include <tcpd.h>
		1480	int deny_severity = 0, allow_severity = 0;
		1481	]], [[
		1482	hosts_access(0);
		1483	]])], [
		1484	AC_MSG_RESULT([yes])
		1485	AC_DEFINE([LIBWRAP], [1],
		1486	[Define if you want
		1487	TCP Wrappers support])
		1488	SSHDLIBS="$SSHDLIBS -lwrap"
		1489	TCPW_MSG="yes"
		1490	], [
		1491	AC_MSG_ERROR([*** libwrap missing])
		1492
		1493	])
		1494	LIBS="$saved_LIBS"
		1495	fi
		1496	]
		1497	)
		1498
1443	# Check whether user wants to use ldns	1499	# Check whether user wants to use ldns
1444	LDNS_MSG="no"	1500	LDNS_MSG="no"
1445	AC_ARG_WITH(ldns,	1501	AC_ARG_WITH(ldns,
@@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG"
4920	echo " SELinux support: $SELINUX_MSG"	4976	echo " SELinux support: $SELINUX_MSG"
4921	echo " Smartcard support: $SCARD_MSG"	4977	echo " Smartcard support: $SCARD_MSG"
4922	echo " S/KEY support: $SKEY_MSG"	4978	echo " S/KEY support: $SKEY_MSG"
		4979	echo " TCP Wrappers support: $TCPW_MSG"
4923	echo " MD5 password support: $MD5_MSG"	4980	echo " MD5 password support: $MD5_MSG"
4924	echo " libedit support: $LIBEDIT_MSG"	4981	echo " libedit support: $LIBEDIT_MSG"
4925	echo " Solaris process contract support: $SPC_MSG"	4982	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index 3c53f7cd6..fc2154c45 100644 --- a/sshd.8 +++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
851	This file should be writable only by the user, and need not be	851	This file should be writable only by the user, and need not be
852	readable by anyone else.	852	readable by anyone else.
853	.Pp	853	.Pp
		854	.It Pa /etc/hosts.allow
		855	.It Pa /etc/hosts.deny
		856	Access controls that should be enforced by tcp-wrappers are defined here.
		857	Further details are described in
		858	.Xr hosts_access 5 .
		859	.Pp
854	.It Pa /etc/hosts.equiv	860	.It Pa /etc/hosts.equiv
855	This file is for host-based authentication (see	861	This file is for host-based authentication (see
856	.Xr ssh 1 ) .	862	.Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
954	.Xr ssh-keygen 1 ,	960	.Xr ssh-keygen 1 ,
955	.Xr ssh-keyscan 1 ,	961	.Xr ssh-keyscan 1 ,
956	.Xr chroot 2 ,	962	.Xr chroot 2 ,
		963	.Xr hosts_access 5 ,
957	.Xr login.conf 5 ,	964	.Xr login.conf 5 ,
958	.Xr moduli 5 ,	965	.Xr moduli 5 ,
959	.Xr sshd_config 5 ,	966	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index cf38baebf..9cbe8c4ae 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2133,6 +2140,24 @@ main(int ac, char **av)
2133	#ifdef SSH_AUDIT_EVENTS	2140	#ifdef SSH_AUDIT_EVENTS
2134	audit_connection_from(remote_ip, remote_port);	2141	audit_connection_from(remote_ip, remote_port);
2135	#endif	2142	#endif
		2143	#ifdef LIBWRAP
		2144	allow_severity = options.log_facility\|LOG_INFO;
		2145	deny_severity = options.log_facility\|LOG_WARNING;
		2146	/* Check whether logins are denied from this host. */
		2147	if (packet_connection_is_on_socket()) {
		2148	struct request_info req;
		2149
		2150	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2151	fromhost(&req);
		2152
		2153	if (!hosts_access(&req)) {
		2154	debug("Connection refused by tcp wrapper");
		2155	refuse(&req);
		2156	/* NOTREACHED */
		2157	fatal("libwrap refuse returns");
		2158	}
		2159	}
		2160	#endif /* LIBWRAP */
2136		2161
2137	/* Log the connection. */	2162	/* Log the connection. */
2138	verbose("Connection from %s port %d on %s port %d",	2163	verbose("Connection from %s port %d on %s port %d",