Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2018-08-24 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-10-20 22:54:09 +0100
commit: 389e16d0109d8c49a761cd7c267438b05c9ab984 (patch)
tree: a7dfff07f60a4896c9c2ab4adcbd9f5e72143da7 /sshd.c
parent: 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 539a000fd..673db87f6 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2099,6 +2106,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-10-20 22:54:09 +0100
commit	389e16d0109d8c49a761cd7c267438b05c9ab984 (patch)
tree	a7dfff07f60a4896c9c2ab4adcbd9f5e72143da7 /sshd.c
parent	72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (diff)

diff --git a/sshd.c b/sshd.c index 539a000fd..673db87f6 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2099,6 +2106,24 @@ main(int ac, char **av)
2099	#ifdef SSH_AUDIT_EVENTS	2106	#ifdef SSH_AUDIT_EVENTS
2100	audit_connection_from(remote_ip, remote_port);	2107	audit_connection_from(remote_ip, remote_port);
2101	#endif	2108	#endif
		2109	#ifdef LIBWRAP
		2110	allow_severity = options.log_facility\|LOG_INFO;
		2111	deny_severity = options.log_facility\|LOG_WARNING;
		2112	/* Check whether logins are denied from this host. */
		2113	if (packet_connection_is_on_socket()) {
		2114	struct request_info req;
		2115
		2116	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2117	fromhost(&req);
		2118
		2119	if (!hosts_access(&req)) {
		2120	debug("Connection refused by tcp wrapper");
		2121	refuse(&req);
		2122	/* NOTREACHED */
		2123	fatal("libwrap refuse returns");
		2124	}
		2125	}
		2126	#endif /* LIBWRAP */
2102		2127
2103	rdomain = ssh_packet_rdomain_in(ssh);	2128	rdomain = ssh_packet_rdomain_in(ssh);
2104		2129