summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2016-02-29 12:31:33 +0000
commit9496f70a8203592158275489519996476b2356af (patch)
treef0859d60d87717a800604739dc67e133cbcb1b4f /sshd.c
parent374db1757fc18bd6647539b80977e6907a2cecd4 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 5cd9129d0..d1dd711fc 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
129#include <Security/AuthSession.h> 129#include <Security/AuthSession.h>
130#endif 130#endif
131 131
132#ifdef LIBWRAP
133#include <tcpd.h>
134#include <syslog.h>
135int allow_severity;
136int deny_severity;
137#endif /* LIBWRAP */
138
132#ifndef O_NOCTTY 139#ifndef O_NOCTTY
133#define O_NOCTTY 0 140#define O_NOCTTY 0
134#endif 141#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151#ifdef SSH_AUDIT_EVENTS 2158#ifdef SSH_AUDIT_EVENTS
2152 audit_connection_from(remote_ip, remote_port); 2159 audit_connection_from(remote_ip, remote_port);
2153#endif 2160#endif
2161#ifdef LIBWRAP
2162 allow_severity = options.log_facility|LOG_INFO;
2163 deny_severity = options.log_facility|LOG_WARNING;
2164 /* Check whether logins are denied from this host. */
2165 if (packet_connection_is_on_socket()) {
2166 struct request_info req;
2167
2168 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2169 fromhost(&req);
2170
2171 if (!hosts_access(&req)) {
2172 debug("Connection refused by tcp wrapper");
2173 refuse(&req);
2174 /* NOTREACHED */
2175 fatal("libwrap refuse returns");
2176 }
2177 }
2178#endif /* LIBWRAP */
2154 2179
2155 /* Log the connection. */ 2180 /* Log the connection. */
2156 laddr = get_local_ipaddr(sock_in); 2181 laddr = get_local_ipaddr(sock_in);