Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2018-08-24 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-08-24 17:49:07 +0100
commit: 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (patch)
tree: 17f70696d827d4f3d3e54ee2b1bf4a6c2c93be80
parent: e6c7c11ac2576ac62334616bd4408bf64140bba7 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 82428b241..ebc10f51e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1526,6 +1526,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5201,6 +5257,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index fb133c14b..57a7fd66b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 2e453cdf8..71c360da0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2100,6 +2107,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-08-24 17:49:07 +0100
commit	84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (patch)
tree	17f70696d827d4f3d3e54ee2b1bf4a6c2c93be80
parent	e6c7c11ac2576ac62334616bd4408bf64140bba7 (diff)

diff --git a/configure.ac b/configure.ac index 82428b241..ebc10f51e 100644 --- a/configure.ac +++ b/configure.ac
@@ -1526,6 +1526,62 @@ else
1526	AC_MSG_RESULT([no])	1526	AC_MSG_RESULT([no])
1527	fi	1527	fi
1528		1528
		1529	# Check whether user wants TCP wrappers support
		1530	TCPW_MSG="no"
		1531	AC_ARG_WITH([tcp-wrappers],
		1532	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1533	[
		1534	if test "x$withval" != "xno" ; then
		1535	saved_LIBS="$LIBS"
		1536	saved_LDFLAGS="$LDFLAGS"
		1537	saved_CPPFLAGS="$CPPFLAGS"
		1538	if test -n "${withval}" && \
		1539	test "x${withval}" != "xyes"; then
		1540	if test -d "${withval}/lib"; then
		1541	if test -n "${need_dash_r}"; then
		1542	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1543	else
		1544	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1545	fi
		1546	else
		1547	if test -n "${need_dash_r}"; then
		1548	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1549	else
		1550	LDFLAGS="-L${withval} ${LDFLAGS}"
		1551	fi
		1552	fi
		1553	if test -d "${withval}/include"; then
		1554	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1555	else
		1556	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1557	fi
		1558	fi
		1559	LIBS="-lwrap $LIBS"
		1560	AC_MSG_CHECKING([for libwrap])
		1561	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1562	#include <sys/types.h>
		1563	#include <sys/socket.h>
		1564	#include <netinet/in.h>
		1565	#include <tcpd.h>
		1566	int deny_severity = 0, allow_severity = 0;
		1567	]], [[
		1568	hosts_access(0);
		1569	]])], [
		1570	AC_MSG_RESULT([yes])
		1571	AC_DEFINE([LIBWRAP], [1],
		1572	[Define if you want
		1573	TCP Wrappers support])
		1574	SSHDLIBS="$SSHDLIBS -lwrap"
		1575	TCPW_MSG="yes"
		1576	], [
		1577	AC_MSG_ERROR([*** libwrap missing])
		1578
		1579	])
		1580	LIBS="$saved_LIBS"
		1581	fi
		1582	]
		1583	)
		1584
1529	# Check whether user wants to use ldns	1585	# Check whether user wants to use ldns
1530	LDNS_MSG="no"	1586	LDNS_MSG="no"
1531	AC_ARG_WITH(ldns,	1587	AC_ARG_WITH(ldns,
@@ -5201,6 +5257,7 @@ echo " PAM support: $PAM_MSG"
5201	echo " OSF SIA support: $SIA_MSG"	5257	echo " OSF SIA support: $SIA_MSG"
5202	echo " KerberosV support: $KRB5_MSG"	5258	echo " KerberosV support: $KRB5_MSG"
5203	echo " SELinux support: $SELINUX_MSG"	5259	echo " SELinux support: $SELINUX_MSG"
		5260	echo " TCP Wrappers support: $TCPW_MSG"
5204	echo " MD5 password support: $MD5_MSG"	5261	echo " MD5 password support: $MD5_MSG"
5205	echo " libedit support: $LIBEDIT_MSG"	5262	echo " libedit support: $LIBEDIT_MSG"
5206	echo " libldns support: $LDNS_MSG"	5263	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index fb133c14b..57a7fd66b 100644 --- a/sshd.8 +++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
873	This file should be writable only by the user, and need not be	873	This file should be writable only by the user, and need not be
874	readable by anyone else.	874	readable by anyone else.
875	.Pp	875	.Pp
		876	.It Pa /etc/hosts.allow
		877	.It Pa /etc/hosts.deny
		878	Access controls that should be enforced by tcp-wrappers are defined here.
		879	Further details are described in
		880	.Xr hosts_access 5 .
		881	.Pp
876	.It Pa /etc/hosts.equiv	882	.It Pa /etc/hosts.equiv
877	This file is for host-based authentication (see	883	This file is for host-based authentication (see
878	.Xr ssh 1 ) .	884	.Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
975	.Xr ssh-keygen 1 ,	981	.Xr ssh-keygen 1 ,
976	.Xr ssh-keyscan 1 ,	982	.Xr ssh-keyscan 1 ,
977	.Xr chroot 2 ,	983	.Xr chroot 2 ,
		984	.Xr hosts_access 5 ,
978	.Xr login.conf 5 ,	985	.Xr login.conf 5 ,
979	.Xr moduli 5 ,	986	.Xr moduli 5 ,
980	.Xr sshd_config 5 ,	987	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 2e453cdf8..71c360da0 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2100,6 +2107,24 @@ main(int ac, char **av)
2100	#ifdef SSH_AUDIT_EVENTS	2107	#ifdef SSH_AUDIT_EVENTS
2101	audit_connection_from(remote_ip, remote_port);	2108	audit_connection_from(remote_ip, remote_port);
2102	#endif	2109	#endif
		2110	#ifdef LIBWRAP
		2111	allow_severity = options.log_facility\|LOG_INFO;
		2112	deny_severity = options.log_facility\|LOG_WARNING;
		2113	/* Check whether logins are denied from this host. */
		2114	if (packet_connection_is_on_socket()) {
		2115	struct request_info req;
		2116
		2117	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2118	fromhost(&req);
		2119
		2120	if (!hosts_access(&req)) {
		2121	debug("Connection refused by tcp wrapper");
		2122	refuse(&req);
		2123	/* NOTREACHED */
		2124	fatal("libwrap refuse returns");
		2125	}
		2126	}
		2127	#endif /* LIBWRAP */
2103		2128
2104	rdomain = ssh_packet_rdomain_in(ssh);	2129	rdomain = ssh_packet_rdomain_in(ssh);
2105		2130