Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-10-18 12:04:32 +0100
commit: 6806b85f30244d186206004386a9faddc16b8738 (patch)
tree: 3ca4cb5a4f652a7d88c555decb81865f4d1fb91b /sshd.8
parent: d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/sshd.8 b/sshd.8
index b2fad56d3..97d547ffa 100644
--- a/sshd.8
+++ b/sshd.8
@@ -900,6 +900,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -1002,6 +1008,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-10-18 12:04:32 +0100
commit	6806b85f30244d186206004386a9faddc16b8738 (patch)
tree	3ca4cb5a4f652a7d88c555decb81865f4d1fb91b /sshd.8
parent	d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)

diff --git a/sshd.8 b/sshd.8 index b2fad56d3..97d547ffa 100644 --- a/sshd.8 +++ b/sshd.8
@@ -900,6 +900,12 @@ the user's home directory becomes accessible.
900	This file should be writable only by the user, and need not be	900	This file should be writable only by the user, and need not be
901	readable by anyone else.	901	readable by anyone else.
902	.Pp	902	.Pp
		903	.It Pa /etc/hosts.allow
		904	.It Pa /etc/hosts.deny
		905	Access controls that should be enforced by tcp-wrappers are defined here.
		906	Further details are described in
		907	.Xr hosts_access 5 .
		908	.Pp
903	.It Pa /etc/hosts.equiv	909	.It Pa /etc/hosts.equiv
904	This file is for host-based authentication (see	910	This file is for host-based authentication (see
905	.Xr ssh 1 ) .	911	.Xr ssh 1 ) .
@@ -1002,6 +1008,7 @@ The content of this file is not sensitive; it can be world-readable.
1002	.Xr ssh-keygen 1 ,	1008	.Xr ssh-keygen 1 ,
1003	.Xr ssh-keyscan 1 ,	1009	.Xr ssh-keyscan 1 ,
1004	.Xr chroot 2 ,	1010	.Xr chroot 2 ,
		1011	.Xr hosts_access 5 ,
1005	.Xr login.conf 5 ,	1012	.Xr login.conf 5 ,
1006	.Xr moduli 5 ,	1013	.Xr moduli 5 ,
1007	.Xr sshd_config 5 ,	1014	.Xr sshd_config 5 ,