Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-08-07 12:18:42 +0100
commit: c027de5eb3e6cb1718990841c2a9cbc89fd53151 (patch)
tree: dcbb7d53e5952bf02ef3dfe96dd0a184c8c307c2
parent: eecddf8b72fcad83ccca43b1badb03782704f6b7 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 894ec3b7b..f822fb31c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1510,6 +1510,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5059,6 +5115,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 6c521f23e..589841fcc 100644
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index ebb88c776..982e5455e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2207,6 +2214,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-08-07 12:18:42 +0100
commit	c027de5eb3e6cb1718990841c2a9cbc89fd53151 (patch)
tree	dcbb7d53e5952bf02ef3dfe96dd0a184c8c307c2
parent	eecddf8b72fcad83ccca43b1badb03782704f6b7 (diff)

diff --git a/configure.ac b/configure.ac index 894ec3b7b..f822fb31c 100644 --- a/configure.ac +++ b/configure.ac
@@ -1510,6 +1510,62 @@ AC_ARG_WITH([skey],
1510	]	1510	]
1511	)	1511	)
1512		1512
		1513	# Check whether user wants TCP wrappers support
		1514	TCPW_MSG="no"
		1515	AC_ARG_WITH([tcp-wrappers],
		1516	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1517	[
		1518	if test "x$withval" != "xno" ; then
		1519	saved_LIBS="$LIBS"
		1520	saved_LDFLAGS="$LDFLAGS"
		1521	saved_CPPFLAGS="$CPPFLAGS"
		1522	if test -n "${withval}" && \
		1523	test "x${withval}" != "xyes"; then
		1524	if test -d "${withval}/lib"; then
		1525	if test -n "${need_dash_r}"; then
		1526	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1527	else
		1528	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1529	fi
		1530	else
		1531	if test -n "${need_dash_r}"; then
		1532	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1533	else
		1534	LDFLAGS="-L${withval} ${LDFLAGS}"
		1535	fi
		1536	fi
		1537	if test -d "${withval}/include"; then
		1538	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1539	else
		1540	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1541	fi
		1542	fi
		1543	LIBS="-lwrap $LIBS"
		1544	AC_MSG_CHECKING([for libwrap])
		1545	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1546	#include <sys/types.h>
		1547	#include <sys/socket.h>
		1548	#include <netinet/in.h>
		1549	#include <tcpd.h>
		1550	int deny_severity = 0, allow_severity = 0;
		1551	]], [[
		1552	hosts_access(0);
		1553	]])], [
		1554	AC_MSG_RESULT([yes])
		1555	AC_DEFINE([LIBWRAP], [1],
		1556	[Define if you want
		1557	TCP Wrappers support])
		1558	SSHDLIBS="$SSHDLIBS -lwrap"
		1559	TCPW_MSG="yes"
		1560	], [
		1561	AC_MSG_ERROR([*** libwrap missing])
		1562
		1563	])
		1564	LIBS="$saved_LIBS"
		1565	fi
		1566	]
		1567	)
		1568
1513	# Check whether user wants to use ldns	1569	# Check whether user wants to use ldns
1514	LDNS_MSG="no"	1570	LDNS_MSG="no"
1515	AC_ARG_WITH(ldns,	1571	AC_ARG_WITH(ldns,
@@ -5059,6 +5115,7 @@ echo " KerberosV support: $KRB5_MSG"
5059	echo " SELinux support: $SELINUX_MSG"	5115	echo " SELinux support: $SELINUX_MSG"
5060	echo " Smartcard support: $SCARD_MSG"	5116	echo " Smartcard support: $SCARD_MSG"
5061	echo " S/KEY support: $SKEY_MSG"	5117	echo " S/KEY support: $SKEY_MSG"
		5118	echo " TCP Wrappers support: $TCPW_MSG"
5062	echo " MD5 password support: $MD5_MSG"	5119	echo " MD5 password support: $MD5_MSG"
5063	echo " libedit support: $LIBEDIT_MSG"	5120	echo " libedit support: $LIBEDIT_MSG"
5064	echo " Solaris process contract support: $SPC_MSG"	5121	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index 6c521f23e..589841fcc 100644 --- a/sshd.8 +++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
880	This file should be writable only by the user, and need not be	880	This file should be writable only by the user, and need not be
881	readable by anyone else.	881	readable by anyone else.
882	.Pp	882	.Pp
		883	.It Pa /etc/hosts.allow
		884	.It Pa /etc/hosts.deny
		885	Access controls that should be enforced by tcp-wrappers are defined here.
		886	Further details are described in
		887	.Xr hosts_access 5 .
		888	.Pp
883	.It Pa /etc/hosts.equiv	889	.It Pa /etc/hosts.equiv
884	This file is for host-based authentication (see	890	This file is for host-based authentication (see
885	.Xr ssh 1 ) .	891	.Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
986	.Xr ssh-keygen 1 ,	992	.Xr ssh-keygen 1 ,
987	.Xr ssh-keyscan 1 ,	993	.Xr ssh-keyscan 1 ,
988	.Xr chroot 2 ,	994	.Xr chroot 2 ,
		995	.Xr hosts_access 5 ,
989	.Xr login.conf 5 ,	996	.Xr login.conf 5 ,
990	.Xr moduli 5 ,	997	.Xr moduli 5 ,
991	.Xr sshd_config 5 ,	998	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index ebb88c776..982e5455e 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2207,6 +2214,24 @@ main(int ac, char **av)
2207	#ifdef SSH_AUDIT_EVENTS	2214	#ifdef SSH_AUDIT_EVENTS
2208	audit_connection_from(remote_ip, remote_port);	2215	audit_connection_from(remote_ip, remote_port);
2209	#endif	2216	#endif
		2217	#ifdef LIBWRAP
		2218	allow_severity = options.log_facility\|LOG_INFO;
		2219	deny_severity = options.log_facility\|LOG_WARNING;
		2220	/* Check whether logins are denied from this host. */
		2221	if (packet_connection_is_on_socket()) {
		2222	struct request_info req;
		2223
		2224	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2225	fromhost(&req);
		2226
		2227	if (!hosts_access(&req)) {
		2228	debug("Connection refused by tcp wrapper");
		2229	refuse(&req);
		2230	/* NOTREACHED */
		2231	fatal("libwrap refuse returns");
		2232	}
		2233	}
		2234	#endif /* LIBWRAP */
2210		2235
2211	/* Log the connection. */	2236	/* Log the connection. */
2212	laddr = get_local_ipaddr(sock_in);	2237	laddr = get_local_ipaddr(sock_in);