summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2016-01-14 15:07:16 +0000
commitf1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a (patch)
treeca8af2183f8b3c5fc96e79611c3857f712f0a3fc /sshd.c
parent6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index d659a6892..9275e0b7a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -130,6 +130,13 @@
130#include <Security/AuthSession.h> 130#include <Security/AuthSession.h>
131#endif 131#endif
132 132
133#ifdef LIBWRAP
134#include <tcpd.h>
135#include <syslog.h>
136int allow_severity;
137int deny_severity;
138#endif /* LIBWRAP */
139
133#ifndef O_NOCTTY 140#ifndef O_NOCTTY
134#define O_NOCTTY 0 141#define O_NOCTTY 0
135#endif 142#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151#ifdef SSH_AUDIT_EVENTS 2158#ifdef SSH_AUDIT_EVENTS
2152 audit_connection_from(remote_ip, remote_port); 2159 audit_connection_from(remote_ip, remote_port);
2153#endif 2160#endif
2161#ifdef LIBWRAP
2162 allow_severity = options.log_facility|LOG_INFO;
2163 deny_severity = options.log_facility|LOG_WARNING;
2164 /* Check whether logins are denied from this host. */
2165 if (packet_connection_is_on_socket()) {
2166 struct request_info req;
2167
2168 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2169 fromhost(&req);
2170
2171 if (!hosts_access(&req)) {
2172 debug("Connection refused by tcp wrapper");
2173 refuse(&req);
2174 /* NOTREACHED */
2175 fatal("libwrap refuse returns");
2176 }
2177 }
2178#endif /* LIBWRAP */
2154 2179
2155 /* Log the connection. */ 2180 /* Log the connection. */
2156 laddr = get_local_ipaddr(sock_in); 2181 laddr = get_local_ipaddr(sock_in);