summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 17:09:55 +0100
commitace4bfab52b31a2833636a243ba150fdf0f48293 (patch)
tree5b6fc34d23d98e75196a515d35dd1dfeb9710db6
parent5d3dc7ea4c96cab9483d5389a3b04163771fdee2 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index df2169375..4d55c46fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
1448 ] 1448 ]
1449) 1449)
1450 1450
1451# Check whether user wants TCP wrappers support
1452TCPW_MSG="no"
1453AC_ARG_WITH([tcp-wrappers],
1454 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1455 [
1456 if test "x$withval" != "xno" ; then
1457 saved_LIBS="$LIBS"
1458 saved_LDFLAGS="$LDFLAGS"
1459 saved_CPPFLAGS="$CPPFLAGS"
1460 if test -n "${withval}" && \
1461 test "x${withval}" != "xyes"; then
1462 if test -d "${withval}/lib"; then
1463 if test -n "${need_dash_r}"; then
1464 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1465 else
1466 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1467 fi
1468 else
1469 if test -n "${need_dash_r}"; then
1470 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1471 else
1472 LDFLAGS="-L${withval} ${LDFLAGS}"
1473 fi
1474 fi
1475 if test -d "${withval}/include"; then
1476 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1477 else
1478 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1479 fi
1480 fi
1481 LIBS="-lwrap $LIBS"
1482 AC_MSG_CHECKING([for libwrap])
1483 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1484#include <sys/types.h>
1485#include <sys/socket.h>
1486#include <netinet/in.h>
1487#include <tcpd.h>
1488int deny_severity = 0, allow_severity = 0;
1489 ]], [[
1490 hosts_access(0);
1491 ]])], [
1492 AC_MSG_RESULT([yes])
1493 AC_DEFINE([LIBWRAP], [1],
1494 [Define if you want
1495 TCP Wrappers support])
1496 SSHDLIBS="$SSHDLIBS -lwrap"
1497 TCPW_MSG="yes"
1498 ], [
1499 AC_MSG_ERROR([*** libwrap missing])
1500
1501 ])
1502 LIBS="$saved_LIBS"
1503 fi
1504 ]
1505)
1506
1451# Check whether user wants to use ldns 1507# Check whether user wants to use ldns
1452LDNS_MSG="no" 1508LDNS_MSG="no"
1453AC_ARG_WITH(ldns, 1509AC_ARG_WITH(ldns,
@@ -4928,6 +4984,7 @@ echo " KerberosV support: $KRB5_MSG"
4928echo " SELinux support: $SELINUX_MSG" 4984echo " SELinux support: $SELINUX_MSG"
4929echo " Smartcard support: $SCARD_MSG" 4985echo " Smartcard support: $SCARD_MSG"
4930echo " S/KEY support: $SKEY_MSG" 4986echo " S/KEY support: $SKEY_MSG"
4987echo " TCP Wrappers support: $TCPW_MSG"
4931echo " MD5 password support: $MD5_MSG" 4988echo " MD5 password support: $MD5_MSG"
4932echo " libedit support: $LIBEDIT_MSG" 4989echo " libedit support: $LIBEDIT_MSG"
4933echo " Solaris process contract support: $SPC_MSG" 4990echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index dcf20f0ea..5afd10f27 100644
--- a/sshd.8
+++ b/sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
853This file should be writable only by the user, and need not be 853This file should be writable only by the user, and need not be
854readable by anyone else. 854readable by anyone else.
855.Pp 855.Pp
856.It Pa /etc/hosts.allow
857.It Pa /etc/hosts.deny
858Access controls that should be enforced by tcp-wrappers are defined here.
859Further details are described in
860.Xr hosts_access 5 .
861.Pp
856.It Pa /etc/hosts.equiv 862.It Pa /etc/hosts.equiv
857This file is for host-based authentication (see 863This file is for host-based authentication (see
858.Xr ssh 1 ) . 864.Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
956.Xr ssh-keygen 1 , 962.Xr ssh-keygen 1 ,
957.Xr ssh-keyscan 1 , 963.Xr ssh-keyscan 1 ,
958.Xr chroot 2 , 964.Xr chroot 2 ,
965.Xr hosts_access 5 ,
959.Xr login.conf 5 , 966.Xr login.conf 5 ,
960.Xr moduli 5 , 967.Xr moduli 5 ,
961.Xr sshd_config 5 , 968.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 6b85e6c45..186ad5579 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
129#include <Security/AuthSession.h> 129#include <Security/AuthSession.h>
130#endif 130#endif
131 131
132#ifdef LIBWRAP
133#include <tcpd.h>
134#include <syslog.h>
135int allow_severity;
136int deny_severity;
137#endif /* LIBWRAP */
138
132#ifndef O_NOCTTY 139#ifndef O_NOCTTY
133#define O_NOCTTY 0 140#define O_NOCTTY 0
134#endif 141#endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
2141#ifdef SSH_AUDIT_EVENTS 2148#ifdef SSH_AUDIT_EVENTS
2142 audit_connection_from(remote_ip, remote_port); 2149 audit_connection_from(remote_ip, remote_port);
2143#endif 2150#endif
2151#ifdef LIBWRAP
2152 allow_severity = options.log_facility|LOG_INFO;
2153 deny_severity = options.log_facility|LOG_WARNING;
2154 /* Check whether logins are denied from this host. */
2155 if (packet_connection_is_on_socket()) {
2156 struct request_info req;
2157
2158 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2159 fromhost(&req);
2160
2161 if (!hosts_access(&req)) {
2162 debug("Connection refused by tcp wrapper");
2163 refuse(&req);
2164 /* NOTREACHED */
2165 fatal("libwrap refuse returns");
2166 }
2167 }
2168#endif /* LIBWRAP */
2144 2169
2145 /* Log the connection. */ 2170 /* Log the connection. */
2146 laddr = get_local_ipaddr(sock_in); 2171 laddr = get_local_ipaddr(sock_in);