Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-12-23 11:25:02 +0000
commit: 6a15c9b672c5833f21ed7e0cea3a25dd8de966c4 (patch)
tree: 4c4e57309c98718d979e1e5cdc644b557832888b /sshd.c
parent: 9f717de15a8e113f7c6a3db52d75ce0172885f95 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index ec2cf976d..4f791b92b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-12-23 11:25:02 +0000
commit	6a15c9b672c5833f21ed7e0cea3a25dd8de966c4 (patch)
tree	4c4e57309c98718d979e1e5cdc644b557832888b /sshd.c
parent	9f717de15a8e113f7c6a3db52d75ce0172885f95 (diff)

diff --git a/sshd.c b/sshd.c index ec2cf976d..4f791b92b 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
1978	#ifdef SSH_AUDIT_EVENTS	1985	#ifdef SSH_AUDIT_EVENTS
1979	audit_connection_from(remote_ip, remote_port);	1986	audit_connection_from(remote_ip, remote_port);
1980	#endif	1987	#endif
		1988	#ifdef LIBWRAP
		1989	allow_severity = options.log_facility\|LOG_INFO;
		1990	deny_severity = options.log_facility\|LOG_WARNING;
		1991	/* Check whether logins are denied from this host. */
		1992	if (packet_connection_is_on_socket()) {
		1993	struct request_info req;
		1994
		1995	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		1996	fromhost(&req);
		1997
		1998	if (!hosts_access(&req)) {
		1999	debug("Connection refused by tcp wrapper");
		2000	refuse(&req);
		2001	/* NOTREACHED */
		2002	fatal("libwrap refuse returns");
		2003	}
		2004	}
		2005	#endif /* LIBWRAP */
1981		2006
1982	/* Log the connection. */	2007	/* Log the connection. */
1983	laddr = get_local_ipaddr(sock_in);	2008	laddr = get_local_ipaddr(sock_in);