Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-10-18 12:04:32 +0100
commit: 6806b85f30244d186206004386a9faddc16b8738 (patch)
tree: 3ca4cb5a4f652a7d88c555decb81865f4d1fb91b /sshd.c
parent: d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 8c5d5822e..a50ec3584 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2183,6 +2190,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-10-18 12:04:32 +0100
commit	6806b85f30244d186206004386a9faddc16b8738 (patch)
tree	3ca4cb5a4f652a7d88c555decb81865f4d1fb91b /sshd.c
parent	d1b7918f9bce6e997c7952ac795e18d09192b2a6 (diff)

diff --git a/sshd.c b/sshd.c index 8c5d5822e..a50ec3584 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2183,6 +2190,24 @@ main(int ac, char **av)
2183	#ifdef SSH_AUDIT_EVENTS	2190	#ifdef SSH_AUDIT_EVENTS
2184	audit_connection_from(remote_ip, remote_port);	2191	audit_connection_from(remote_ip, remote_port);
2185	#endif	2192	#endif
		2193	#ifdef LIBWRAP
		2194	allow_severity = options.log_facility\|LOG_INFO;
		2195	deny_severity = options.log_facility\|LOG_WARNING;
		2196	/* Check whether logins are denied from this host. */
		2197	if (ssh_packet_connection_is_on_socket(ssh)) {
		2198	struct request_info req;
		2199
		2200	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2201	fromhost(&req);
		2202
		2203	if (!hosts_access(&req)) {
		2204	debug("Connection refused by tcp wrapper");
		2205	refuse(&req);
		2206	/* NOTREACHED */
		2207	fatal("libwrap refuse returns");
		2208	}
		2209	}
		2210	#endif /* LIBWRAP */
2186		2211
2187	rdomain = ssh_packet_rdomain_in(ssh);	2212	rdomain = ssh_packet_rdomain_in(ssh);
2188		2213