Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:56 +0100
commit: 398af3d66bfe8dc7d436570026571e522a0a13a0 (patch)
tree: 07f383e8b6b6fcf04a2c8fd6e243825a15e0004f /sshd.c
parent: cb427e23bf78d65407c78d868c4ef525dbfaa68f (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index e88185efa..4ed0364f2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2042,6 +2049,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-04-03 08:20:56 +0100
commit	398af3d66bfe8dc7d436570026571e522a0a13a0 (patch)
tree	07f383e8b6b6fcf04a2c8fd6e243825a15e0004f /sshd.c
parent	cb427e23bf78d65407c78d868c4ef525dbfaa68f (diff)

diff --git a/sshd.c b/sshd.c index e88185efa..4ed0364f2 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2042,6 +2049,24 @@ main(int ac, char **av)
2042	#ifdef SSH_AUDIT_EVENTS	2049	#ifdef SSH_AUDIT_EVENTS
2043	audit_connection_from(remote_ip, remote_port);	2050	audit_connection_from(remote_ip, remote_port);
2044	#endif	2051	#endif
		2052	#ifdef LIBWRAP
		2053	allow_severity = options.log_facility\|LOG_INFO;
		2054	deny_severity = options.log_facility\|LOG_WARNING;
		2055	/* Check whether logins are denied from this host. */
		2056	if (packet_connection_is_on_socket()) {
		2057	struct request_info req;
		2058
		2059	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2060	fromhost(&req);
		2061
		2062	if (!hosts_access(&req)) {
		2063	debug("Connection refused by tcp wrapper");
		2064	refuse(&req);
		2065	/* NOTREACHED */
		2066	fatal("libwrap refuse returns");
		2067	}
		2068	}
		2069	#endif /* LIBWRAP */
2045		2070
2046	rdomain = ssh_packet_rdomain_in(ssh);	2071	rdomain = ssh_packet_rdomain_in(ssh);
2047		2072