summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 14:26:47 +0100
commitb25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (patch)
tree4d1529682d4c22a5a7382b1f7d71334c0434f959 /sshd.c
parent1c1b6fa17982eb622e2c4e8f4a279f2113f57413 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index e6706a886..3a6be65ab 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
127#include <Security/AuthSession.h> 127#include <Security/AuthSession.h>
128#endif 128#endif
129 129
130#ifdef LIBWRAP
131#include <tcpd.h>
132#include <syslog.h>
133int allow_severity;
134int deny_severity;
135#endif /* LIBWRAP */
136
130#ifndef O_NOCTTY 137#ifndef O_NOCTTY
131#define O_NOCTTY 0 138#define O_NOCTTY 0
132#endif 139#endif
@@ -2061,6 +2068,24 @@ main(int ac, char **av)
2061#ifdef SSH_AUDIT_EVENTS 2068#ifdef SSH_AUDIT_EVENTS
2062 audit_connection_from(remote_ip, remote_port); 2069 audit_connection_from(remote_ip, remote_port);
2063#endif 2070#endif
2071#ifdef LIBWRAP
2072 allow_severity = options.log_facility|LOG_INFO;
2073 deny_severity = options.log_facility|LOG_WARNING;
2074 /* Check whether logins are denied from this host. */
2075 if (packet_connection_is_on_socket()) {
2076 struct request_info req;
2077
2078 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2079 fromhost(&req);
2080
2081 if (!hosts_access(&req)) {
2082 debug("Connection refused by tcp wrapper");
2083 refuse(&req);
2084 /* NOTREACHED */
2085 fatal("libwrap refuse returns");
2086 }
2087 }
2088#endif /* LIBWRAP */
2064 2089
2065 /* Log the connection. */ 2090 /* Log the connection. */
2066 verbose("Connection from %s port %d on %s port %d", 2091 verbose("Connection from %s port %d on %s port %d",