summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2017-01-16 15:02:53 +0000
commit5488e924267d7a845fb86a0b6b4db1e340799a5a (patch)
tree7f484696e03377bcf4adaec1a7a420c490181c84 /sshd.c
parent48fbb156bdc676fb6ba6817770e4e971fbf85b1f (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 0970f2970..72d85de1c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
127#include <Security/AuthSession.h> 127#include <Security/AuthSession.h>
128#endif 128#endif
129 129
130#ifdef LIBWRAP
131#include <tcpd.h>
132#include <syslog.h>
133int allow_severity;
134int deny_severity;
135#endif /* LIBWRAP */
136
130/* Re-exec fds */ 137/* Re-exec fds */
131#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 138#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 139#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
1978#ifdef SSH_AUDIT_EVENTS 1985#ifdef SSH_AUDIT_EVENTS
1979 audit_connection_from(remote_ip, remote_port); 1986 audit_connection_from(remote_ip, remote_port);
1980#endif 1987#endif
1988#ifdef LIBWRAP
1989 allow_severity = options.log_facility|LOG_INFO;
1990 deny_severity = options.log_facility|LOG_WARNING;
1991 /* Check whether logins are denied from this host. */
1992 if (packet_connection_is_on_socket()) {
1993 struct request_info req;
1994
1995 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
1996 fromhost(&req);
1997
1998 if (!hosts_access(&req)) {
1999 debug("Connection refused by tcp wrapper");
2000 refuse(&req);
2001 /* NOTREACHED */
2002 fatal("libwrap refuse returns");
2003 }
2004 }
2005#endif /* LIBWRAP */
1981 2006
1982 /* Log the connection. */ 2007 /* Log the connection. */
1983 laddr = get_local_ipaddr(sock_in); 2008 laddr = get_local_ipaddr(sock_in);