Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2017-10-04 13:54:48 +0100
commit: cdd9076a145a95c21538eedb3f728a897480c5de (patch)
tree: d5a4d34835324b6f30d17b5eade02ba785c2e7ca
parent: 4e70490950e5c5134df48848affaf73685bf0284 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 84bfad8c5..3b30736b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5133,6 +5189,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index a4201146b..2ed523a2c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -839,6 +839,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 45e50fac3..a66e9ca6c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -126,6 +126,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -1987,6 +1994,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2017-10-04 13:54:48 +0100
commit	cdd9076a145a95c21538eedb3f728a897480c5de (patch)
tree	d5a4d34835324b6f30d17b5eade02ba785c2e7ca
parent	4e70490950e5c5134df48848affaf73685bf0284 (diff)

diff --git a/configure.ac b/configure.ac index 84bfad8c5..3b30736b3 100644 --- a/configure.ac +++ b/configure.ac
@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey],
1503	]	1503	]
1504	)	1504	)
1505		1505
		1506	# Check whether user wants TCP wrappers support
		1507	TCPW_MSG="no"
		1508	AC_ARG_WITH([tcp-wrappers],
		1509	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1510	[
		1511	if test "x$withval" != "xno" ; then
		1512	saved_LIBS="$LIBS"
		1513	saved_LDFLAGS="$LDFLAGS"
		1514	saved_CPPFLAGS="$CPPFLAGS"
		1515	if test -n "${withval}" && \
		1516	test "x${withval}" != "xyes"; then
		1517	if test -d "${withval}/lib"; then
		1518	if test -n "${need_dash_r}"; then
		1519	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1520	else
		1521	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1522	fi
		1523	else
		1524	if test -n "${need_dash_r}"; then
		1525	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1526	else
		1527	LDFLAGS="-L${withval} ${LDFLAGS}"
		1528	fi
		1529	fi
		1530	if test -d "${withval}/include"; then
		1531	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1532	else
		1533	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1534	fi
		1535	fi
		1536	LIBS="-lwrap $LIBS"
		1537	AC_MSG_CHECKING([for libwrap])
		1538	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1539	#include <sys/types.h>
		1540	#include <sys/socket.h>
		1541	#include <netinet/in.h>
		1542	#include <tcpd.h>
		1543	int deny_severity = 0, allow_severity = 0;
		1544	]], [[
		1545	hosts_access(0);
		1546	]])], [
		1547	AC_MSG_RESULT([yes])
		1548	AC_DEFINE([LIBWRAP], [1],
		1549	[Define if you want
		1550	TCP Wrappers support])
		1551	SSHDLIBS="$SSHDLIBS -lwrap"
		1552	TCPW_MSG="yes"
		1553	], [
		1554	AC_MSG_ERROR([*** libwrap missing])
		1555
		1556	])
		1557	LIBS="$saved_LIBS"
		1558	fi
		1559	]
		1560	)
		1561
1506	# Check whether user wants to use ldns	1562	# Check whether user wants to use ldns
1507	LDNS_MSG="no"	1563	LDNS_MSG="no"
1508	AC_ARG_WITH(ldns,	1564	AC_ARG_WITH(ldns,
@@ -5133,6 +5189,7 @@ echo " KerberosV support: $KRB5_MSG"
5133	echo " SELinux support: $SELINUX_MSG"	5189	echo " SELinux support: $SELINUX_MSG"
5134	echo " Smartcard support: $SCARD_MSG"	5190	echo " Smartcard support: $SCARD_MSG"
5135	echo " S/KEY support: $SKEY_MSG"	5191	echo " S/KEY support: $SKEY_MSG"
		5192	echo " TCP Wrappers support: $TCPW_MSG"
5136	echo " MD5 password support: $MD5_MSG"	5193	echo " MD5 password support: $MD5_MSG"
5137	echo " libedit support: $LIBEDIT_MSG"	5194	echo " libedit support: $LIBEDIT_MSG"
5138	echo " libldns support: $LDNS_MSG"	5195	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index a4201146b..2ed523a2c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -839,6 +839,12 @@ the user's home directory becomes accessible.
839	This file should be writable only by the user, and need not be	839	This file should be writable only by the user, and need not be
840	readable by anyone else.	840	readable by anyone else.
841	.Pp	841	.Pp
		842	.It Pa /etc/hosts.allow
		843	.It Pa /etc/hosts.deny
		844	Access controls that should be enforced by tcp-wrappers are defined here.
		845	Further details are described in
		846	.Xr hosts_access 5 .
		847	.Pp
842	.It Pa /etc/hosts.equiv	848	.It Pa /etc/hosts.equiv
843	This file is for host-based authentication (see	849	This file is for host-based authentication (see
844	.Xr ssh 1 ) .	850	.Xr ssh 1 ) .
@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable.
943	.Xr ssh-keygen 1 ,	949	.Xr ssh-keygen 1 ,
944	.Xr ssh-keyscan 1 ,	950	.Xr ssh-keyscan 1 ,
945	.Xr chroot 2 ,	951	.Xr chroot 2 ,
		952	.Xr hosts_access 5 ,
946	.Xr login.conf 5 ,	953	.Xr login.conf 5 ,
947	.Xr moduli 5 ,	954	.Xr moduli 5 ,
948	.Xr sshd_config 5 ,	955	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 45e50fac3..a66e9ca6c 100644 --- a/sshd.c +++ b/sshd.c
@@ -126,6 +126,13 @@
126	#include <Security/AuthSession.h>	126	#include <Security/AuthSession.h>
127	#endif	127	#endif
128		128
		129	#ifdef LIBWRAP
		130	#include <tcpd.h>
		131	#include <syslog.h>
		132	int allow_severity;
		133	int deny_severity;
		134	#endif /* LIBWRAP */
		135
129	/* Re-exec fds */	136	/* Re-exec fds */
130	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	137	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
131	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	138	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1987,6 +1994,24 @@ main(int ac, char **av)
1987	#ifdef SSH_AUDIT_EVENTS	1994	#ifdef SSH_AUDIT_EVENTS
1988	audit_connection_from(remote_ip, remote_port);	1995	audit_connection_from(remote_ip, remote_port);
1989	#endif	1996	#endif
		1997	#ifdef LIBWRAP
		1998	allow_severity = options.log_facility\|LOG_INFO;
		1999	deny_severity = options.log_facility\|LOG_WARNING;
		2000	/* Check whether logins are denied from this host. */
		2001	if (packet_connection_is_on_socket()) {
		2002	struct request_info req;
		2003
		2004	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2005	fromhost(&req);
		2006
		2007	if (!hosts_access(&req)) {
		2008	debug("Connection refused by tcp wrapper");
		2009	refuse(&req);
		2010	/* NOTREACHED */
		2011	fatal("libwrap refuse returns");
		2012	}
		2013	}
		2014	#endif /* LIBWRAP */
1990		2015
1991	/* Log the connection. */	2016	/* Log the connection. */
1992	laddr = get_local_ipaddr(sock_in);	2017	laddr = get_local_ipaddr(sock_in);