Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-06-05 13:11:44 +0100
commit: 0f9f44654708e4fde2f52c52f717d061b5e458fa (patch)
tree: 9945102ae0162c28700e2d2b1c917a466f9fd587 /sshd.c
parent: 7ce79be85036c4b36937f1b1ba85f6094068412c (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 98680721b..46870d3b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2057,6 +2064,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-06-05 13:11:44 +0100
commit	0f9f44654708e4fde2f52c52f717d061b5e458fa (patch)
tree	9945102ae0162c28700e2d2b1c917a466f9fd587 /sshd.c
parent	7ce79be85036c4b36937f1b1ba85f6094068412c (diff)

diff --git a/sshd.c b/sshd.c index 98680721b..46870d3b5 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2057,6 +2064,24 @@ main(int ac, char **av)
2057	#ifdef SSH_AUDIT_EVENTS	2064	#ifdef SSH_AUDIT_EVENTS
2058	audit_connection_from(remote_ip, remote_port);	2065	audit_connection_from(remote_ip, remote_port);
2059	#endif	2066	#endif
		2067	#ifdef LIBWRAP
		2068	allow_severity = options.log_facility\|LOG_INFO;
		2069	deny_severity = options.log_facility\|LOG_WARNING;
		2070	/* Check whether logins are denied from this host. */
		2071	if (ssh_packet_connection_is_on_socket(ssh)) {
		2072	struct request_info req;
		2073
		2074	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2075	fromhost(&req);
		2076
		2077	if (!hosts_access(&req)) {
		2078	debug("Connection refused by tcp wrapper");
		2079	refuse(&req);
		2080	/* NOTREACHED */
		2081	fatal("libwrap refuse returns");
		2082	}
		2083	}
		2084	#endif /* LIBWRAP */
2060		2085
2061	rdomain = ssh_packet_rdomain_in(ssh);	2086	rdomain = ssh_packet_rdomain_in(ssh);
2062		2087