summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 17:09:55 +0100
commitace4bfab52b31a2833636a243ba150fdf0f48293 (patch)
tree5b6fc34d23d98e75196a515d35dd1dfeb9710db6 /sshd.c
parent5d3dc7ea4c96cab9483d5389a3b04163771fdee2 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 6b85e6c45..186ad5579 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
129#include <Security/AuthSession.h> 129#include <Security/AuthSession.h>
130#endif 130#endif
131 131
132#ifdef LIBWRAP
133#include <tcpd.h>
134#include <syslog.h>
135int allow_severity;
136int deny_severity;
137#endif /* LIBWRAP */
138
132#ifndef O_NOCTTY 139#ifndef O_NOCTTY
133#define O_NOCTTY 0 140#define O_NOCTTY 0
134#endif 141#endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
2141#ifdef SSH_AUDIT_EVENTS 2148#ifdef SSH_AUDIT_EVENTS
2142 audit_connection_from(remote_ip, remote_port); 2149 audit_connection_from(remote_ip, remote_port);
2143#endif 2150#endif
2151#ifdef LIBWRAP
2152 allow_severity = options.log_facility|LOG_INFO;
2153 deny_severity = options.log_facility|LOG_WARNING;
2154 /* Check whether logins are denied from this host. */
2155 if (packet_connection_is_on_socket()) {
2156 struct request_info req;
2157
2158 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2159 fromhost(&req);
2160
2161 if (!hosts_access(&req)) {
2162 debug("Connection refused by tcp wrapper");
2163 refuse(&req);
2164 /* NOTREACHED */
2165 fatal("libwrap refuse returns");
2166 }
2167 }
2168#endif /* LIBWRAP */
2144 2169
2145 /* Log the connection. */ 2170 /* Log the connection. */
2146 laddr = get_local_ipaddr(sock_in); 2171 laddr = get_local_ipaddr(sock_in);