diff options
author | Colin Watson <cjwatson@debian.org> | 2014-10-07 13:22:41 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:02:53 +0000 |
commit | 5488e924267d7a845fb86a0b6b4db1e340799a5a (patch) | |
tree | 7f484696e03377bcf4adaec1a7a420c490181c84 /sshd.c | |
parent | 48fbb156bdc676fb6ba6817770e4e971fbf85b1f (diff) |
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 25 |
1 files changed, 25 insertions, 0 deletions
@@ -127,6 +127,13 @@ | |||
127 | #include <Security/AuthSession.h> | 127 | #include <Security/AuthSession.h> |
128 | #endif | 128 | #endif |
129 | 129 | ||
130 | #ifdef LIBWRAP | ||
131 | #include <tcpd.h> | ||
132 | #include <syslog.h> | ||
133 | int allow_severity; | ||
134 | int deny_severity; | ||
135 | #endif /* LIBWRAP */ | ||
136 | |||
130 | /* Re-exec fds */ | 137 | /* Re-exec fds */ |
131 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 138 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
132 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 139 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
@@ -1978,6 +1985,24 @@ main(int ac, char **av) | |||
1978 | #ifdef SSH_AUDIT_EVENTS | 1985 | #ifdef SSH_AUDIT_EVENTS |
1979 | audit_connection_from(remote_ip, remote_port); | 1986 | audit_connection_from(remote_ip, remote_port); |
1980 | #endif | 1987 | #endif |
1988 | #ifdef LIBWRAP | ||
1989 | allow_severity = options.log_facility|LOG_INFO; | ||
1990 | deny_severity = options.log_facility|LOG_WARNING; | ||
1991 | /* Check whether logins are denied from this host. */ | ||
1992 | if (packet_connection_is_on_socket()) { | ||
1993 | struct request_info req; | ||
1994 | |||
1995 | request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
1996 | fromhost(&req); | ||
1997 | |||
1998 | if (!hosts_access(&req)) { | ||
1999 | debug("Connection refused by tcp wrapper"); | ||
2000 | refuse(&req); | ||
2001 | /* NOTREACHED */ | ||
2002 | fatal("libwrap refuse returns"); | ||
2003 | } | ||
2004 | } | ||
2005 | #endif /* LIBWRAP */ | ||
1981 | 2006 | ||
1982 | /* Log the connection. */ | 2007 | /* Log the connection. */ |
1983 | laddr = get_local_ipaddr(sock_in); | 2008 | laddr = get_local_ipaddr(sock_in); |