Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 12:01:46 +0000
commit: 31d42cd8624f29508f772447e617ab043a6487d9 (patch)
tree: b79c77ea9386d2237a9886c719eb8dca5c3c7954 /sshd.c
parent: 34aff3aa136e5a65f441b25811dd466488fda087 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index d92f03aaf..62dc55cf2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 12:01:46 +0000
commit	31d42cd8624f29508f772447e617ab043a6487d9 (patch)
tree	b79c77ea9386d2237a9886c719eb8dca5c3c7954 /sshd.c
parent	34aff3aa136e5a65f441b25811dd466488fda087 (diff)

diff --git a/sshd.c b/sshd.c index d92f03aaf..62dc55cf2 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
2138	#ifdef SSH_AUDIT_EVENTS	2145	#ifdef SSH_AUDIT_EVENTS
2139	audit_connection_from(remote_ip, remote_port);	2146	audit_connection_from(remote_ip, remote_port);
2140	#endif	2147	#endif
		2148	#ifdef LIBWRAP
		2149	allow_severity = options.log_facility\|LOG_INFO;
		2150	deny_severity = options.log_facility\|LOG_WARNING;
		2151	/* Check whether logins are denied from this host. */
		2152	if (ssh_packet_connection_is_on_socket(ssh)) {
		2153	struct request_info req;
		2154
		2155	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2156	fromhost(&req);
		2157
		2158	if (!hosts_access(&req)) {
		2159	debug("Connection refused by tcp wrapper");
		2160	refuse(&req);
		2161	/* NOTREACHED */
		2162	fatal("libwrap refuse returns");
		2163	}
		2164	}
		2165	#endif /* LIBWRAP */
2141		2166
2142	rdomain = ssh_packet_rdomain_in(ssh);	2167	rdomain = ssh_packet_rdomain_in(ssh);
2143		2168