summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2019-06-05 13:11:44 +0100
commit0f9f44654708e4fde2f52c52f717d061b5e458fa (patch)
tree9945102ae0162c28700e2d2b1c917a466f9fd587 /sshd.c
parent7ce79be85036c4b36937f1b1ba85f6094068412c (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 98680721b..46870d3b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
127#include <Security/AuthSession.h> 127#include <Security/AuthSession.h>
128#endif 128#endif
129 129
130#ifdef LIBWRAP
131#include <tcpd.h>
132#include <syslog.h>
133int allow_severity;
134int deny_severity;
135#endif /* LIBWRAP */
136
130/* Re-exec fds */ 137/* Re-exec fds */
131#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 138#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 139#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2057,6 +2064,24 @@ main(int ac, char **av)
2057#ifdef SSH_AUDIT_EVENTS 2064#ifdef SSH_AUDIT_EVENTS
2058 audit_connection_from(remote_ip, remote_port); 2065 audit_connection_from(remote_ip, remote_port);
2059#endif 2066#endif
2067#ifdef LIBWRAP
2068 allow_severity = options.log_facility|LOG_INFO;
2069 deny_severity = options.log_facility|LOG_WARNING;
2070 /* Check whether logins are denied from this host. */
2071 if (ssh_packet_connection_is_on_socket(ssh)) {
2072 struct request_info req;
2073
2074 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2075 fromhost(&req);
2076
2077 if (!hosts_access(&req)) {
2078 debug("Connection refused by tcp wrapper");
2079 refuse(&req);
2080 /* NOTREACHED */
2081 fatal("libwrap refuse returns");
2082 }
2083 }
2084#endif /* LIBWRAP */
2060 2085
2061 rdomain = ssh_packet_rdomain_in(ssh); 2086 rdomain = ssh_packet_rdomain_in(ssh);
2062 2087