Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2018-08-24 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-08-24 17:49:07 +0100
commit: 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (patch)
tree: 17f70696d827d4f3d3e54ee2b1bf4a6c2c93be80 /sshd.c
parent: e6c7c11ac2576ac62334616bd4408bf64140bba7 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 2e453cdf8..71c360da0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2100,6 +2107,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-08-24 17:49:07 +0100
commit	84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (patch)
tree	17f70696d827d4f3d3e54ee2b1bf4a6c2c93be80 /sshd.c
parent	e6c7c11ac2576ac62334616bd4408bf64140bba7 (diff)

diff --git a/sshd.c b/sshd.c index 2e453cdf8..71c360da0 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2100,6 +2107,24 @@ main(int ac, char **av)
2100	#ifdef SSH_AUDIT_EVENTS	2107	#ifdef SSH_AUDIT_EVENTS
2101	audit_connection_from(remote_ip, remote_port);	2108	audit_connection_from(remote_ip, remote_port);
2102	#endif	2109	#endif
		2110	#ifdef LIBWRAP
		2111	allow_severity = options.log_facility\|LOG_INFO;
		2112	deny_severity = options.log_facility\|LOG_WARNING;
		2113	/* Check whether logins are denied from this host. */
		2114	if (packet_connection_is_on_socket()) {
		2115	struct request_info req;
		2116
		2117	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2118	fromhost(&req);
		2119
		2120	if (!hosts_access(&req)) {
		2121	debug("Connection refused by tcp wrapper");
		2122	refuse(&req);
		2123	/* NOTREACHED */
		2124	fatal("libwrap refuse returns");
		2125	}
		2126	}
		2127	#endif /* LIBWRAP */
2103		2128
2104	rdomain = ssh_packet_rdomain_in(ssh);	2129	rdomain = ssh_packet_rdomain_in(ssh);
2105		2130